Enterasys-networks 9034385 Manual de usuario

Enterasys®Network Access ControlDesign GuideP/N 9034385

Getting Helpviii About This Guide•EnterasysNACManagerOnlineHelp.ExplainshowtouseNACManagertoconfigureyourNACappliances,andtoputinp

Enterasys NAC Design Guide 1-11OverviewThischapterprovidesanoverviewoftheEnterasysNetworkAccessControl(NAC)solution,includingadescripti

NAC Solution Overview1-2 OverviewAssessmentDetermineifthedevicecomplieswithcorporatesecurityandconfigurationrequirements,suchasoperating

NAC Solution OverviewEnterasys NAC Design Guide 1-3Model 1: End-system Detection and TrackingThisNACdeploymentmodelimplementsthedetectionpiece

NAC Solution Components1-4 OverviewNAC Solution ComponentsThissectiondiscussestherequiredandoptionalcomponentsoftheEnterasysNACsolution,b

NAC Solution ComponentsEnterasys NAC Design Guide 1-5EnterasysofferstwotypesofNACappliances:theNACGatewayapplianceimplementsout‐of‐bandne

NAC Solution Components1-6 Overviewofsupportingauthenticationand/orauthorization.TheNACControllerisalsorequiredinIPSecandSSLVPNdeploym

NAC Solution ComponentsEnterasys NAC Design Guide 1-7Appliance ComparisonThefollowingtablecompareshowthetwoNACappliancetypesimplementthefi

NAC Solution Components1-8 OverviewTable 1‐3outlinestheadvantagesanddisadvantagesofthetwoappliancetypesastheypertaintonetworksecurity,

NAC Solution ComponentsEnterasys NAC Design Guide 1-9NetSight ManagementTheNACappliancesareconfigured,monitored,andmanagedthroughmanagementa

Summary1-10 OverviewNetSight ConsoleNetSightConsoleisusedtomonitorthehealthandstatusofinfrastructuredevicesinthenetwork,includingswit

SummaryEnterasys NAC Design Guide 1-11•Model3:End‐SystemAut horization withAssessment‐Implementsdetection,authentication,assessment,andaut

Summary1-12 Overview

Enterasys NAC Design Guide 2-12NAC Deployment ModelsThischapterdescribesthefourNACdeploymentmodelsandhowtheybuildoneachothertoprovide

Model 1: End-System Detection and Tracking2-2 NAC Deployment ModelsRADIUSAccess‐AcceptorAccess‐RejectmessagereceivedfromtheupstreamRADIUSser

Model 2: End-System AuthorizationEnterasys NAC Design Guide 2-3andinformationonthenetwork.EnterasysNACcanbeleveragedtoprovideinformationt

Model 2: End-System Authorization2-4 NAC Deployment Modelsdeviceidentity,useridentity,and/orlocationinformationisusedtoauthorizetheconnect

Model 2: End-System AuthorizationEnterasys NAC Design Guide 2-5TheNACControllermayeitherdenytheend‐systemaccesstothenetworkorassignthee

Model 2: End-System Authorization2-6 NAC Deployment ModelsisonlyprovisionedbytheEnterasysNACsolutionwhenthedevicesconnecttoswitchesinth

Model 2: End-System AuthorizationEnterasys NAC Design Guide 2-7apasswordintheregistrationwebpage.Thissponsorusernameandpasswordcanbevali

iNoticeEnterasys Networksreservestherighttomakechangesinspecificationsandotherinformationcontainedinthisdocumentanditswebsitewitho

Model 3: End-System Authorization with Assessment2-8 NAC Deployment ModelsARADIUSserverisonlyrequiredifout‐of‐bandnetworkaccesscontrolusing

Model 3: End-System Authorization with AssessmentEnterasys NAC Design Guide 2-9serverisrunningoriftheHTTPserverisout‐of‐date)and client‐sid

Model 3: End-System Authorization with Assessment2-10 NAC Deployment ModelsFeatures and ValueInadditiontothefeaturesandvaluesfoundinModel1a

Model 3: End-System Authorization with AssessmentEnterasys NAC Design Guide 2-11•ApplicationconfigurationTheNACsolutioncandeterminewhichservice

Model 4: End-System Authorization with Assessment and Remediation2-12 NAC Deployment ModelsRequired and Optional ComponentsThissectionsummarizesthe

Model 4: End-System Authorization with Assessment and RemediationEnterasys NAC Design Guide 2-13Assistedremediationinformsenduserswhentheirend‐

Model 4: End-System Authorization with Assessment and Remediation2-14 NAC Deployment ModelsInline NACForinlineEnterasysNACdeploymentsutilizingth

Model 4: End-System Authorization with Assessment and RemediationEnterasys NAC Design Guide 2-15trafficwithspecificsourceanddestinationcharacter

Summary2-16 NAC Deployment ModelsSummaryEnterasyssupportsallofthefivekeyNACfunctions:detection,authentication,assessment,authorization,an

Enterasys NAC Design Guide 3-13Use ScenariosThischapterdescribesfourNACusescenariosthatillustratehowthetypeofNACdeploymentisdirectlyd

ii

Scenario 1: Intelligent Wired Access Edge3-2 Use ScenarioswithinthesameQuarantineVLANbecausetheauthorizationpointisusuallyimplementedatth

Scenario 1: Intelligent Wired Access EdgeEnterasys NAC Design Guide 3-3RFC 3580 Capable EdgeInthisfiguretheNACGatewayandtheotherEnterasysNAC

Scenario 1: Intelligent Wired Access Edge3-4 Use ScenariosScenario 1 ImplementationIntheintelligentwirededgeusescenario,thefiveNACfunctions

Scenario 2: Intelligent Wireless Access EdgeEnterasys NAC Design Guide 3-5intelligentedgeonthenetwork.TheMatrixN‐seriesswitchiscapableofau

Scenario 2: Intelligent Wireless Access Edge3-6 Use ScenariosFigure 3-3 Intelligent Wireless Access Edge - Thin APs with Wireless Switch143 2Wireless

Scenario 2: Intelligent Wireless Access EdgeEnterasys NAC Design Guide 3-7Thick Wireless EdgeInathickwirelessdeployment,accesspointsforwardwir

Scenario 2: Intelligent Wireless Access Edge3-8 Use ScenariosScenario 2 ImplementationIntheintelligentwirelessaccessedgeusescenario,thefiveN

Scenario 3: Non-intelligent Access Edge (Wired and Wireless)Enterasys NAC Design Guide 3-9Itisimportanttonotethatifthewirelessedgeofthenet

Scenario 3: Non-intelligent Access Edge (Wired and Wireless)3-10 Use ScenariosFigure 3-5 Non-intelligent Access Edge (Wired and Wireless)23334513Ente

Scenario 4: VPN Remote AccessEnterasys NAC Design Guide 3-11Scenario 3 ImplementationInthenon‐intelligentaccessedgeusescenario,thefiveNACfun

iiiContentsAbout This GuideIntended Audience ...

Scenario 4: VPN Remote Access3-12 Use ScenariosFigure 3-6 VPN Remote AccessScenario 4 ImplementationIntheVPNremoteaccessusescenario,thefiveN

SummaryEnterasys NAC Design Guide 3-135.Remediation‐Whenthequarantinedenduseropensawebbrowsertoanywebsite,itstrafficisdynamicallyr

Summary3-14 Use ScenariosScenario 4:VPN remote accessSummary:VPN concentrators act as a termination point for remote access VPN tunnels into the enter

Enterasys NAC Design Guide 4-14Design PlanningThischapterdescribesthestepsyoushouldtakeasyoubeginplanningyourNACdeployment.Thefirstst

Survey the Network4-2 Design Planningaccesstoawebbrowsertosafelyremediatetheirquarantinedend‐systemwithoutimpactingIToperations.Oncead

Survey the NetworkEnterasys NAC Design Guide 4-3ThenetworkshowninFigure 4‐1below,illustratesthefollowingthreeexamplesofhowtheintelligent

Survey the Network4-4 Design PlanningFortheinlineimplementationoftheEnterasysNACsolution,theNACControllerauthenticatesandauthorizesend‐

Survey the NetworkEnterasys NAC Design Guide 4-5tolocallyauthorizeallMACauthenticationrequestsforconnectingend‐systems,therebynotrequiring

Survey the Network4-6 Design PlanningSimilarto802.1X,web‐basedauthenticationrequirestheinputofcredentialsandisnormallyusedonuser‐centri

Survey the NetworkEnterasys NAC Design Guide 4-7systematatime, thenitissuggestedthatMAClocking(alsoknownasPortSecurity)beenabledont

iv Chapter 3: Use ScenariosScenario 1: Intelligent Wired Access Edge ...

Survey the Network4-8 Design PlanningauthenticatedtothenetworkandinteractwithEnterasysNACforauthentication,assessment,authorization,andr

Survey the NetworkEnterasys NAC Design Guide 4-9Ifthenetworkinfrastructuredoesnotcontainintelligentdevicesattheedgeordistributionlayer,

Survey the Network4-10 Design Planningthiscase,thethickAPdeploymentfallsintothecategoryofnon‐intelligentedgedeviceswiththesameNACimp

Identify Inline or Out-of-band NAC DeploymentEnterasys NAC Design Guide 4-11Remote Access VPNInmanyenterpriseenvironments,aVPNconcentratorlocat

Summary4-12 Design Planningserver.Inaddition,NACcanalsobeconfiguredtolocallyauthorizeMACauthenticationrequests.3. Identifythestrategic

Enterasys NAC Design Guide 5-15Design ProceduresThischapterdescribesthedesignproceduresforEnterasysNACdeploymentonanenterprisenetwork.Th

Procedures for Out-of-Band and Inline NAC5-2 Design ProceduresPolicyManagerisnotrequiredforout‐of‐bandNACthatutilizesRFC3580‐compliantswit

Procedures for Out-of-Band and Inline NACEnterasys NAC Design Guide 5-3Figure 5-1 Security DomainNAC ConfigurationsEachSecurityDomainhasadefault

Procedures for Out-of-Band and Inline NAC5-4 Design ProceduresFigure 5-2 NAC ConfigurationAuthenticationTheAuthenticationsettingsdefinehowRADIUS

Procedures for Out-of-Band and Inline NACEnterasys NAC Design Guide 5-5•Howhealthresultsareprocessed.Whenanassessmentisperformedonanend‐sys

vUnregistered Policy ... 5-28In

Procedures for Out-of-Band and Inline NAC5-6 Design ProceduresThefollowingfigureshowstheNACManagerwindowusedtocreateoreditaNACConfigura

Procedures for Out-of-Band and Inline NACEnterasys NAC Design Guide 5-7Thefollowingtableprovidesexamplesofvariousnetworkscenariosthatshould

Procedures for Out-of-Band and Inline NAC5-8 Design ProceduresArea of the network that provides access to a group of users or devices that pose a pote

Procedures for Out-of-Band and Inline NACEnterasys NAC Design Guide 5-9Area of the network that is configured to allow access only to specific end-sys

Procedures for Out-of-Band and Inline NAC5-10 Design ProceduresThefollowingtableprovidesnetworkscenariosfromanassessmentstandpointthatshoul

Procedures for Out-of-Band and Inline NACEnterasys NAC Design Guide 5-11Area of the network, or a group of end-systems or users, that require assessme

Procedures for Out-of-Band and Inline NAC5-12 Design Procedures3. Identify Required MAC and User OverridesMACanduseroverridesareusedtohandleen

Procedures for Out-of-Band and Inline NACEnterasys NAC Design Guide 5-13ThefollowingfiguredisplaysthewindowsusedforMACanduseroverrideconfi

Procedures for Out-of-Band and Inline NAC5-14 Design ProceduresThefollowingtabledescribesscenarioswhereaMACoverridemaybeconfiguredforapa

Procedures for Out-of-Band and Inline NACEnterasys NAC Design Guide 5-15A device or class of devices needs to be restricted network access (“blacklist

vi

Procedures for Out-of-Band and Inline NAC5-16 Design ProceduresUser OverridesAuseroverrideletsyoucreateaconfigurationforaspecificenduser,

Assessment Design ProceduresEnterasys NAC Design Guide 5-17Managerwillnotmatchthisend‐systemandtheend‐systemisassignedtheSecurityDomain’s

Assessment Design Procedures5-18 Design Procedures2. Determine Assessment Server LocationWhendeterminingthelocationoftheassessmentserversonth

Out-of-Band NAC Design ProceduresEnterasys NAC Design Guide 5-19configurationifthesecurityvulnerabilityisconsideredariskfortheorganization.

Out-of-Band NAC Design Procedures5-20 Design Procedures2. Determine the Number of NAC GatewaysThenumberofNACGatewaystobedeployedonthenetwork

Out-of-Band NAC Design ProceduresEnterasys NAC Design Guide 5-21Figure 5-5 NAC Gateway RedundancyItisimportantthatthesecondaryNACGatewaydoes

Out-of-Band NAC Design Procedures5-22 Design ProceduresprimaryNACGateway,thetransitiontothesecondaryNACGatewaywillnotexceedmaximumcapaci

Out-of-Band NAC Design ProceduresEnterasys NAC Design Guide 5-23Itisimportanttonotethatonly theNACGatewaysthatareconfiguredwithremediati

Out-of-Band NAC Design Procedures5-24 Design Procedures6. VLAN ConfigurationThisstepisforNACdeploymentsthatuseRFC‐3580‐compliantswitchesint

Out-of-Band NAC Design ProceduresEnterasys NAC Design Guide 5-25previouslyspecifiedintheNACconfigurationmustbedefinedinNetSightPolicyManag

Enterasys NAC Design Guide viiAbout This GuideTheNACDesignGuidedescribesthetechnicalconsiderationsfortheplanninganddesignoftheEnterasys

Out-of-Band NAC Design Procedures5-26 Design ProceduresFigure 5-6 Policy Role Configuration in NetSight Policy ManagerAssessment PolicyTheAssessment

Out-of-Band NAC Design ProceduresEnterasys NAC Design Guide 5-27Figure 5-7 Service for the Assessing RoleNotethatitisnotmandatorytoassignthe

Inline NAC Design Procedures5-28 Design ProceduresFigure 5-8 Service for the Quarantine RoleFurthermore,theQuarantinePolicyandothernetworkinfr

Inline NAC Design ProceduresEnterasys NAC Design Guide 5-29However,theclosertheNACControllerisplacedtotheedgeofthenetwork,themoreNACC

Inline NAC Design Procedures5-30 Design Procedures2. Determine the Number of NAC ControllersThenumberofNACControllerstobedeployedonthenetwor

Inline NAC Design ProceduresEnterasys NAC Design Guide 5-31Figure 5-9 Layer 2 NAC Controller RedundancyForaLayer3NACController,redundancyisac

Inline NAC Design Procedures5-32 Design Procedures3. Identify Backend RADIUS Server InteractionLayer2NACControllersdetectdownstreamend‐systemsv

Additional ConsiderationsEnterasys NAC Design Guide 5-33assessmentserverstoreachtheend‐systemwhileitisbeingassessed,regardlessofwhethert

Additional Considerations5-34 Design Procedures