Page 3 - Notice; Documentation
Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determ...
Page 5 - Contents; About This Guide
Contents About This Guide: Intended Audience vii; Related Documents ...
Page 6 - Chapter 3: Use Scenarios
Chapter 3: Use Scenarios: Scenario 1: Intelligent Wired Access Edge 3-1; Policy-Enabled Edge ...
Page 9 - Intended Audience; Overview; NAC Deployment Models; Use Scenarios; Design Planning; Design Procedures
Enterasys NAC Design Guide vii About This Guide The NAC Design Guide describes the technical considerations for the planning and design of the Enterasys Network Access Control (NAC) solution. The guide includes the following information: Intended A...
Page 10 - Getting Help
Getting Help • Enterasys NAC Manager Online Help. Explains how to use NAC Manager to configure your NAC appliances, and to put in place authentication and assessment requirements for the end-systems accessing your ne...
Page 11 - Key Functionality; Detection
1 Overview This chapter provides an overview of the Enterasys Network Access Control (NAC) solution, including a description of key NAC functions and deployment models. It also introduces the required and option...
Page 12 - Assessment; Deployment Models
Assessment Determine if the device complies with corporate security and configuration requirements, such as operating system patch revision levels and antivirus signature definitions. Other security compliance requi...
Page 13 - Model 1: End-system Detection and Tracking
Model 1: End-system Detection and Tracking This NAC deployment model implements the detection piece of NAC functionality. It supports the ability to track users and end-systems over time by identifyi...
Page 14 - NAC Solution Components; The NAC Appliance
NAC Solution Components This section discusses the required and optional components of the Enterasys NAC solution, beginning with the following table that summarizes the component requirements for each of the ...
Page 15 - NAC Gateway Appliance
Enterasys offers two types of NAC appliances: the NAC Gateway appliance implements out-of-band network access control, and the NAC Controller appliance implements inline network access contro...
Page 17 - Appliance Comparison; Table 1-2 Comparison of Appliance Functionality
Appliance Comparison The following table compares how the two NAC appliance types implement the five NAC functions. Table 1-2 Comparison of Appliance Functionality NAC Function NAC Gateway NAC Controller Detection RAD...
Page 18 - Table 1; Table 1-3 Comparison of Appliance Advantages and Disadvantages
Table 1-3 outlines the advantages and disadvantages of the two appliance types as they pertain to network security, scalability, and configuration/implementation. Table 1-3 Comparison of Appliance Advantages and Disadvantag...
Page 19 - NetSight Management; NetSight NAC Manager; Features
NetSight Management The NAC appliances are configured, monitored, and managed through management applications within the Enterasys NetSight Suite. NetSight is a family of products comprised of NetS...
Page 20 - NetSight Console; RADIUS Server; Summary; detection
NetSight Console NetSight Console is used to monitor the health and status of infrastructure devices in the network, including switches, routers, Enterasys NAC appliances (NAC Gateways and NAC Controllers) as well as o...
Page 23 - Implementation
2 NAC Deployment Models This chapter describes the four NAC deployment models and how they build on each other to provide a complete NAC solution. The first model implements a subset of the five key NAC fu...
Page 24 - Features and Value; End-System and User Tracking
... RADIUS Access-Accept or Access-Reject message received from the upstream RADIUS server is returned without modification to the access edge switch, to permit end-system access t...
Page 25 - Required and Optional Components; Table 2-1 Component Requirements for Detection and Tracking
... and information on the network. Enterasys NAC can be leveraged to provide information to SIM solutions, by mapping an IP address to an identity, such as a MAC address or usern...
Page 26 - Inline NAC
... device identity, user identity, and/or location information is used to authorize the connecting end-system with a certain level of network access. It is important to note that in thi...
Page 27 - Location-Based Authorization
The NAC Controller may either deny the end-system access to the network or assign the end-system to a particular set of network resources by specifying a particular policy. Feat...
Page 28 - User-Based Authorization
... is only provisioned by the Enterasys NAC solution when the devices connect to switches in the Network Operations Center (NOC). This level of granularity in provisioning access to conne...
Page 29 - Table 2-2 Component Requirements for Authorization
... a password in the registration web page. This sponsor username and password can be validated against an existing database on the network to authenticate the sponsor's identity. Sp...
Page 30 - Model 3: End-System Authorization with Assessment
A RADIUS server is only required if out-of-band network access control using the NAC Gateway, or inline network access control using the Layer 2 NAC Controller, is im...
Page 31 - Authorization
... server is running or if the HTTP server is out-of-date) and client-side checks (running applications, software configurations, installed operating system patches) provided...
Page 32 - Extensive Security Posture Compliance Verification
Features and Value In addition to the features and values found in Model 1 and Model 2, the following are key pieces of functionality and value propositions supported by M...
Page 33 - Diverse Security Posture Compliance Verification; all
• Application configuration The NAC solution can determine which services and applications are installed and enabled on the end-system. Certain applications should be removed...
Page 34 - Component
Required and Optional Components This section summarizes the required and optional components for Model 3. The NAC Gateway and NAC Controller are the NAC appliances ...
Page 36 - Self-Service Remediation
Inline NAC For inline Enterasys NAC deployments utilizing the Layer 2 or Layer 3 NAC Controller, the NAC functions are implemented in the following way: Detection ...
Page 38 - Table 2-5 Enterasys NAC Deployment Models
Summary Enterasys supports all of the five key NAC functions: detection, authentication, assessment, authorization, and remediation. However, not all five functions need to be implemented concurrently in a NAC ...
Page 40 - Quarantine; NAC Functions
... within the same Quarantine VLAN because the authorization point is usually implemented at the exit point of the VLAN via Access Control Lists (ACLs). Policy-Enabled Edge The following figure...
Page 42 - Scenario 1 Implementation
Scenario 1 Implementation In the intelligent wired edge use scenario, the five NAC functions are implemented in the following manner: 1. Detection - The user's end-system connects to the n...
Page 43 - Scenario 2: Intelligent Wireless Access Edge; Thin Wireless Edge
... intelligent edge on the network. The Matrix N-series switch is capable of authenticating and authorizing multiple devices connected to a single port for a variety of netw...
Page 45 - Thick Wireless Edge
Thick Wireless Edge In a thick wireless deployment, access points forward wireless end-system traffic directly onto the wired infrastructure without the use of a wireless switch. ...
Page 46 - Scenario 2 Implementation
Scenario 2 Implementation In the intelligent wireless access edge use scenario, the five NAC functions are implemented in the following manner: 1. Detection - The user's end-system connects...
Page 47 - not
It is important to note that if the wireless edge of the network is non-intelligent and not capable of authenticating and authorizing wireless end-systems, ...
Page 48 - Layer 3 Wired LAN; Layer 2 Wired LAN
Figure 3-5 Non-intelligent Access Edge (Wired and Wireless): Enterasys NAC Manager; NAC Controller (inline appliance); Assessment Server; Authentication Server (optionally integrated in NAC Controller); Role= ...
Page 49 - Scenario 3 Implementation; Scenario 4: VPN Remote Access
Scenario 3 Implementation In the non-intelligent access edge use scenario, the five NAC functions are implemented in the following manner: 1. Detection - The user's end-system connects to ...
Page 50 - Figure 3-6 VPN Remote Access; Scenario 4 Implementation
Figure 3-6 VPN Remote Access. Scenario 4 Implementation In the VPN remote access use scenario, the five NAC functions are implemented in the following manner with the deployment of the NAC Controller for ...
Page 51 - Remediation; Table 3-1 Use Scenario Summaries; Appliance Requirement: NAC Gateway; Appliance Requirement: NAC Controller
5. Remediation - When the quarantined end user opens a web browser to any web site, its traffic is dynamically redirected to a Remediation web page that describes the compliance violations and provi...
Page 52 - Use Scenario
Scenario 4: VPN remote access. Summary: VPN concentrators act as a termination point for remote access VPN tunnels into the enterprise network. Appliance Requirement: NAC Controller. Inline network access control is implemented by deploying the NAC Controller appliance to lo...
Page 54 - Survey the Network; Identify the Intelligent Edge of the Network
... access to a web browser to safely remediate their quarantined end-system without impacting IT operations. Once a deployment model is selected, the current network infrastructure must be examined to ident...
Page 55 - Figure 4; Figure 4-1 Network with Intelligent Edge
The network shown in Figure 4-1 below illustrates the following three examples of how the intelligent edge can be implemented in a network. • Policy-enabled Enterasys devices at the physical ...
Page 56 - Figure 4-2 Network with Non-Intelligent Edge; Evaluate Policy/VLAN and Authentication Configuration; Case #1: No authentication method is deployed on the network.
For the inline implementation of the Enterasys NAC solution, the NAC Controller authenticates and authorizes end-systems locally on the appliance, and does not rely on the capabilities of downstream in...
Page 57 - Overview of Supported Authentication Methods; Authentication
... to locally authorize all MAC authentication requests for connecting end-systems, thereby not requiring a list of known MAC addresses. In fact, Enterasys NAC can be configured in a “learning ...
Page 58 - MAC; End-System Capabilities
Similar to 802.1X, web-based authentication requires the input of credentials and is normally used on user-centric end-systems that have a concept of an associated user, such as a PC. Therefore, ...
Page 59 - Authentication Support on Enterasys Devices
... system at a time, then it is suggested that MAC locking (also known as Port Security) be enabled on the edge switches to restrict the number of connecting devices. If multiple end-system...
Page 60 - Identify the Strategic Point for End-System Authorization
... authenticated to the network and interact with Enterasys NAC for authentication, assessment, authorization, and remediation. Note, however, that this configuration may not be possible if trusted users are a...
Page 61 - Identify Network Connection Methods; Wired LAN; Thick Wireless Deployments
If the network infrastructure does not contain intelligent devices at the edge or distribution layer, then inline NAC using the NAC Controller as the authorization point for connecting end-sys...
Page 62 - Thin Wireless Deployments; Remote Access WAN
... this case, the thick AP deployment falls into the category of non-intelligent edge devices with the same NAC implementations as a non-intelligent wired edge. These non-intelligent APs must be conf...
Page 63 - Remote Access VPN; Identify Inline or Out-of-band NAC Deployment
Remote Access VPN In many enterprise environments, a VPN concentrator located at the main site connects to the Internet to provide VPN access to remote users. In this scena...
Page 65 - Identify Required NetSight Applications; NetSight
5 Design Procedures This chapter describes the design procedures for Enterasys NAC deployment on an enterprise network. The first section discusses procedures for both out-of-band and inline NAC deployments. The ...
Page 66 - Define Network Security Domains
Policy Manager is not required for out-of-band NAC that utilizes RFC 3580-compliant switches (Enterasys and third-party switches). In this case, a VLAN is specified in NAC Mana...
Page 67 - Figure 5-1 Security Domain; NAC Configurations
Figure 5-1 Security Domain. NAC Configurations Each Security Domain has a default “NAC configuration” that defines the authentication, assessment, and authorization parameters for all end-sy...
Page 68 - Figure 5-2 NAC Configuration
Figure 5-2 NAC Configuration. Authentication The Authentication settings define how RADIUS requests are handled for authenticating end-systems (this does not apply to Layer 3 NAC Controllers). ...
Page 70 - Figure 5-3 NAC Configuration for a Security Domain
The following figure shows the NAC Manager window used to create or edit a NAC Configuration and define its authentication, assessment, and authorization attributes. Figure 5-3 NAC Configura...
Page 71 - Table 5-1 Security Domain Configuration Guidelines
The following table provides examples of various network scenarios that should be considered when identifying the number and configuration of Security Domains in your NAC deploy...
Page 72 - Table 5-1 Security Domain Configuration Guidelines (continued)
... Area of the network that provides access to a group of users or devices that pose a potentially high risk to the security or stability of the network. • Switches that provide access to guest users or contractors on a corporate network. ...
Page 74 - Network Scenario
The following table provides network scenarios from an assessment standpoint that should be taken into account when identifying the number and configuration of Security Domains. Table 5-2...
Page 76 - Identify Required MAC and User Overrides; MAC Overrides
3. Identify Required MAC and User Overrides MAC and user overrides are used to handle end-systems that require a different set of authentication, assessment, and authorization parameters from ...
Page 77 - Figure 5-4 MAC and User Override Configuration
The following figure displays the windows used for MAC and user override configuration in NAC Manager. Notice that either an existing NAC Configuration can be used or a c...
Page 78 - Table 5-3 MAC Override Configuration Guidelines
The following table describes scenarios where a MAC override may be configured for a particular end-system. Table 5-3 MAC Override Configuration Guidelines Network Scenario Examples Security Domain Confi...
Page 80 - User Overrides
User Overrides A user override lets you create a configuration for a specific end user, based on the user name. For example, you could create a user override that gives a truste...
Page 81 - Assessment Design Procedures; Determine the Number of Assessment Servers
... Manager will not match this end-system and the end-system is assigned the Security Domain’s default NAC configuration. In addition, the Layer 3 NAC Controller is not able to deter...
Page 82 - Determine Assessment Server Location
2. Determine Assessment Server Location When determining the location of the assessment servers on the network, the following factors should be considered: • The type of assessment: agent-less or agent ...
Page 83 - Identify Network Authentication Configuration; “Survey
... configuration if the security vulnerability is considered a risk for the organization. For more information on Nessus, refer to http://nessus.org/. Out-of-Band NAC Design Procedures The followi...
Page 84 - Determine the Number of NAC Gateways; Figure 5; Table 5-4 End-System Limits for NAC Gateways
2. Determine the Number of NAC Gateways The number of NAC Gateways to be deployed on the network is a function of the following parameters: • The number of Security Domains configured on the ne...
Page 85 - Figure 5-5 NAC Gateway Redundancy
Figure 5-5 NAC Gateway Redundancy. It is important that the secondary NAC Gateway does not exceed maximum capacity if the primary NAC Gateway fails on the network. For example, let’s sa...
Page 86 - Determine NAC Gateway Location
... primary NAC Gateway, the transition to the secondary NAC Gateway will not exceed maximum capacity. To support redundancy within a Security Domain for either approach, one additional NAC G...
Page 87 - Identify Backend RADIUS Server Interaction
It is important to note that only the NAC Gateways that are configured with remediation and registration functionality need to be positioned in such a manner. All other NAC Gat...
Page 88 - VLAN Configuration
6. VLAN Configuration This step is for NAC deployments that use RFC 3580-compliant switches in the intelligent edge of the network to implement dynamic VLAN assignment of connecting devices. ...
Page 89 - Failsafe Policy and Accept Policy Configuration
... previously specified in the NAC configuration must be defined in NetSight Policy Manager to ensure the consistent allocation of network resources to connecting end-systems. Failsafe Poli...
Page 90 - Figure 5-6 Policy Role Configuration in NetSight Policy Manager; Assessment Policy
Figure 5-6 Policy Role Configuration in NetSight Policy Manager. Assessment Policy The Assessment Policy may be used to temporarily allocate a set of network resources to end-systems while they are being ...
Page 91 - Figure 5-7 Service for the Assessing Role; Quarantine Policy
Figure 5-7 Service for the Assessing Role. Note that it is not mandatory to assign the Assessment Policy to a connecting end-system while it is being assessed. NAC can be configured to ...
Page 92 - Figure 5-8 Service for the Quarantine Role; Unregistered Policy; Inline NAC Design Procedures; Determine NAC Controller Location
Figure 5-8 Service for the Quarantine Role. Furthermore, the Quarantine Policy and other network infrastructure devices must be configured to implement HTTP traffic redirection for quarantined end-systems to...
Page 94 - Determine the Number of NAC Controllers; Table 5-5 End-System Limits for NAC Controllers
2. Determine the Number of NAC Controllers The number of NAC Controllers to be deployed on the network is a function of the following parameters: • The network topology. Because the NAC Controller is ...
Page 95 - Figure 5-9 Layer 2 NAC Controller Redundancy; Figure 5-10 Layer 3 NAC Controller Redundancy
Figure 5-9 Layer 2 NAC Controller Redundancy. For a Layer 3 NAC Controller, redundancy is achieved by implementing redundant Layer 3 NAC Controllers on adjacent but separate networks as shown i...
Page 96 - Identify Backend RADIUS Server Interaction
3. Identify Backend RADIUS Server Interaction Layer 2 NAC Controllers detect downstream end-systems via authentication: MAC, web-based, or 802.1X. If web-based or 802.1X authentication is implemented, t...
Page 97 - Additional Considerations; NAC Deployment With an Intrusion Detection System (IDS)
... assessment servers to reach the end-system while it is being assessed, regardless of whether the Assessing policy, Enterprise User policy, or any other policy role is utilized for asse...