Enterasys-networks 9034385 Manual de usuario Pagina 60
- Pagina / 98
- Tabla de contenidos
- MARCADORES
Valorado. / 5. Basado en revisión del cliente
Survey the Network
4-8 Design Planning
authenticatedtothenetworkandinteractwithEnterasysNACforauthentication,assessment,
authorization,andremediation.Notehowever,thatthisconfigurationmaynotbepossibleif
trustedusersarealsobeingMACauthenticatedtothenetworkinthesameSecurityDomain.
Inthiscase,MACoruseroverrideswouldneedtobe
configuredforthetrustedusers,andthe
defaultNACconfigurationoftheSecurityDomainwouldspecifytheNACimplementation
forguestusers.
•Ifguestaccess isimplementedwithweb‐basedauthenticationusingtheguestnetworking
featureonEnterasyspolicy‐capableswitches(supplyingdefaultcredentialsintheweblogin
pageforguest
users),theguestnetworkingfeaturemustbeconfiguredtosendthedefault
credentialstoabackendRADIUS serverandnotlocallyauthenticatethem.Thisisbecausein
theout‐of‐bandNACconfiguration,theNACGatewaymustreceivetheauthentication
attemptviaRADIUSinordertodetecttheconnectingend‐
systems.ARADIUSserverwith the
guestnetworkingcredentialsmustbedeployedonthenetworksotheNACGatewaycan
proxytheRADIUSrequeststotheupstreamRADIUSserver.IfaRADIUSFilter‐IDorVLAN
Tunnelattributeisnotconfiguredfortheguestnetworkingcredentialsontheupstream
RADIUSserver,
EnterasysNACcanbeconfiguredtoincludeaFilter‐IDorVLANTunnel
attributeintheRADIUSAccess‐Acceptpacketreturnedtotheswitchbyimplementingauser
overridefortheguestnetworkingusername.
3. Identify the Strategic Point for End-System Authorization
Inthisstep,youwillidentifythestrategicpointinthenetworkwhereend‐systemauthorization
shouldbeimplemented.
Themostsecureplaceforimplementingauthorizationisdirectlyatthepointofconnectionatthe
edgeofthenetwork,assupportedbyEnterasyspolicy‐capableswitches.Inthisconfiguration,the
implementation
ofout‐of‐bandNACusingtheNACGatewayapplianceleveragespolicyon
Enterasysswitchestosecurelyauthorizeconnectingend‐systems.
RFC3580‐capableswitchescanbeusedforauthenticationandauthorizationbyassigningend‐
systemstoparticularVLANsbasedontheauthenticationandassessmentresults.However,thisis
not
assecureasusingEnterasyspolicy‐capableswitches,forthetwofollowingreasons:
•VLANsauthorizeend‐systemsbyplacingthemintothesamecontainer,withthetraffic
enforcementpointimplementedattheingress/egresspointtotheVLANontheVLANʹs
routedinterface.Be causeauthorizationisnotimplementedbetweenend‐systems
withinthe
sameVLAN,anend‐system inaVLANisopentolaunchattacksorbeattackedbyother
deviceswithinthesameVLAN.Forexample,ifend‐systemAwithvirusXandend‐systemB
withvirusYarequarantinedintothesameVLAN,thenend‐systemA
andBmaybecome
infectedwithvirusXandY.Enterasyspolicyuniquelyauthorizesconnectingend‐systems
independentoftheirVLANassignmentbypermitting,denying,andprioritizingtrafficon
ingresstothenetworkattheportlevel.
•BecauseRFC3580‐capableswitchesimplementthetrafficenforcementpointforaVLANat
theVLAN’sroutedinterface,malicioustrafficisallowedontothenetworkandmayconsume
bandwidth,memory,andCPUcyclesoninfrastructuredevicesbeforebeingdiscarded
possiblyseveralhopsdeepwithinthenetwork.Thisisespeciallydetrimentaltotheoperation
ofthenetworkifasingleinter‐switchlinkconnectingthe
accesslayertodistributionlayeris
usedtotransmittrafficfromboththequarantineVLANandtheproductionVLAN(suchasan
802.1QVLANtrunkedlink).Trafficfromquarantinedend‐systems(forexample,worms
scanningforvulnerablehosts)canconsumetheentirebandwidthavailableontheinter‐switch
linkandaffect
networkconnectivityforend‐systemsontheproductionVLAN.Incontrast,
sincethetrafficenforcementpointforEnterasyspolicyisattheportofconnection,malicious
trafficneveringressesthenetworktocauseanydisruptiontonetworkconnectivity.
- Enterasys 1
- Contents 5
- Chapter 3: Use Scenarios 6
- Chapter 4: Design Planning 6
- Chapter 5: Design Procedures 6
- About This Guide 9
- Getting Help 10
- Overview 11
- Deployment Models 12
- NAC Solution Overview 13
- NAC Solution Components 14
- NAC Gateway Appliance 15
- NAC Controller Appliance 15
- 1-6 Overview 16
- Appliance Comparison 17
- 1-8 Overview 18
- NetSight Management 19
- RADIUS Server 20
- Assessment Server 20
- 1-12 Overview 22
- NAC Deployment Models 23
- Features and Value 24
- Implementation 26
- User-Based Authorization 28
- MAC Registration 28
- Inline NAC 31
- Remediation 34
- 2-16 NAC Deployment Models 38
- Use Scenarios 39
- Policy-Enabled Edge 40
- RFC 3580 Capable Edge 41
- Scenario 1 Implementation 42
- Thin Wireless Edge 43
- 3-6 Use Scenarios 44
- Thick Wireless Edge 45
- Scenario 2 Implementation 46
- 3-10 Use Scenarios 48
- Scenario 4: VPN Remote Access 49
- Scenario 4 Implementation 50
- 3-14 Use Scenarios 52
- Design Planning 53
- Survey the Network 54
- 4-4 Design Planning 56
- End-System Capabilities 58
- Authentication Considerations 59
- 4-8 Design Planning 60
- Wired LAN 61
- Wireless LAN 61
- Remote Access WAN 62
- Site-to-Site VPN 62
- Remote Access VPN 63
- 4-12 Design Planning 64
- Design Procedures 65
- 5-2 Design Procedures 66
- NAC Configurations 67
- Authentication 68
- Assessment 68
- Authorization 69
- 5-6 Design Procedures 70
- 5-8 Design Procedures 72
- 5-10 Design Procedures 74
- MAC Overrides 76
- 5-14 Design Procedures 78
- User Overrides 80
- Assessment Design Procedures 81
- 5-18 Design Procedures 82
- 5-20 Design Procedures 84
- 5-22 Design Procedures 86
- 6. VLAN Configuration 88
- 7. Policy Role Configuration 88
- 8. Define NAC Access Policies 88
- Assessment Policy 90
- Quarantine Policy 91
- Inline NAC Design Procedures 92
- 7S4280-19-SYS Up to 2000 94
- 2S4082-25-SYS Up to 2000 94
- 5-32 Design Procedures 96
- Additional Considerations 97
- 5-34 Design Procedures 98
Relacionado con productos y manuales para Herramientas Enterasys-networks 9034385
(34 paginas)© 2020, manymanuals.es. Todos los derechos reservados | 0.077 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comentarios a estos manuales