User / maintenance manual for product 9034385 from manufacturer Enterasys Networks
Enterasys® Network Access Control Design Guide P/N 9034385.
i Notice: Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice.
iii Contents
About This Guide: Intended Audience ... vii; Related Documents ...
iv Chapter 3: Use Scenarios: Scenario 1: Intelligent Wired Access Edge ... 3-1; Policy-Enabled Edge ...
v Unregistered Policy ... 5-28; Inline NAC Design Procedures ...
Enterasys NAC Design Guide vii About This Guide The NAC Design Guide describes the technical considerations for the planning and design of the Enterasys Network Access Control (NAC) solution.
viii About This Guide Getting Help • Enterasys NAC Manager Online Help. Explains how to use NAC Manager to configure your NAC app.
1-1 Overview This chapter provides an overview of the Enterasys Network Access Control (NAC) solution, including a description of key NAC functions and deployment models.
NAC Solution Overview 1-2 Assessment Determine if the device complies with corporate security and configuration requirements, such as operating system patch revision levels and antivirus signature definitions.
NAC Solution Overview 1-3 Model 1: End-system Detection and Tracking This NAC deployment model implements the detection piece of NAC functionality.
NAC Solution Components 1-4 NAC Solution Components This section discusses the required and optional components of the Enterasys NAC solution.
NAC Solution Components 1-5 Enterasys offers two types of NAC appliances: the NAC Gateway appliance implements out-of .
NAC Solution Components 1-6 of supporting authentication and/or authorization. The NAC Controller is also required in IPSec and SSL VPN deployments.
NAC Solution Components 1-7 Appliance Comparison The following table compares how the two NAC appliance types implement the five NAC functions.
NAC Solution Components 1-8 Table 1-3 outlines the advantages and disadvantages of the two appliance types as they pertain to network security, scalability, and configuration/implementation.
NAC Solution Components 1-9 NetSight Management The NAC appliances are configured, monitored, and managed through management applications within the Enterasys NetSight Suite.
Summary 1-10 NetSight Console NetSight Console is used to monitor the health and status of infrastructure devices in the network, .
Summary 1-11 • Model 3: End-System Authorization with Assessment - Implements detection, authentication, assessment, .
2-1 NAC Deployment Models This chapter describes the four NAC deployment models and how they build on each other to provide a complete NAC solution.
Model 1: End-System Detection and Tracking 2-2 RADIUS Access-Accept or Access-Reject message received from the upstream RADIUS ser.
Model 2: End-System Authorization 2-3 and information on the network. Enterasys NAC can be leveraged to provide information .
Model 2: End-System Authorization 2-4 device identity, user identity, and/or location information is used to authorize the connecting end-system with a certain level of network access.
Model 2: End-System Authorization 2-5 The NAC Controller may either deny the end-system access to the network or ass.
Model 2: End-System Authorization 2-6 is only provisioned by the Enterasys NAC solution when the devices connect to switches in the Network Operations Center (NOC).
Model 2: End-System Authorization 2-7 a password in the registration web page. This sponsor username and password can be.
Model 3: End-System Authorization with Assessment 2-8 A RADIUS server is only required if out-of-band network access control .
Model 3: End-System Authorization with Assessment 2-9 server is running or if the HTTP server is out-of-date) and client .
Model 3: End-System Authorization with Assessment 2-10 Features and Value In addition to the features and values found in Model 1 .
Model 3: End-System Authorization with Assessment 2-11 • Application configuration The NAC solution can determine which services and applications are installed and enabled on the end-system.
Model 4: End-System Authorization with Assessment and Remediation 2-12 Required and Optional Components This section summarizes the required and optional components for Model 3.
Model 4: End-System Authorization with Assessment and Remediation 2-13 Assisted remediation informs end users when their end-systems ha.
Model 4: End-System Authorization with Assessment and Remediation 2-14 Inline NAC For inline Enterasys NAC deployments utilizing the Layer 2 .
Model 4: End-System Authorization with Assessment and Remediation 2-15 traffic with specific source and destination characteristics as well as specific application identifiers (UDP/TCP ports).
Summary 2-16 Summary Enterasys supports all of the five key NAC functions: detection, authentication, assessment, authorization, and remediation.
3-1 Use Scenarios This chapter describes four NAC use scenarios that illustrate how the type of NAC deployment is directly dependent on the infrastructure devices deployed in the network.
Scenario 1: Intelligent Wired Access Edge 3-2 within the same Quarantine VLAN because the authorization point is usually implemented at the exit point of the VLAN via Access Control Lists (ACLs).
Scenario 1: Intelligent Wired Access Edge 3-3 RFC 3580 Capable Edge In this figure the NAC Gateway and the other Enterasys NAC .
Scenario 1: Intelligent Wired Access Edge 3-4 Scenario 1 Implementation In the intelligent wired edge use scenario, the five NAC functions are implemented in the following manner: 1.
Scenario 2: Intelligent Wireless Access Edge 3-5 intelligent edge on the network. The Matrix N-series switch is capable of .
Scenario 2: Intelligent Wireless Access Edge 3-6 Figure 3-3 Intelligent Wireless Access Edge - Thin APs with Wireless Switch (figure labels: Wireless Access Point, Enterasys NAC Manager)
Scenario 2: Intelligent Wireless Access Edge 3-7 Thick Wireless Edge In a thick wireless deployment, access points forward wireless end-system traffic directly onto the wired infrastructure without the use of a wireless switch.
Scenario 2: Intelligent Wireless Access Edge 3-8 Scenario 2 Implementation In the intelligent wireless access edge use scenario, the five NAC functions are implemented in the following manner: 1.
Scenario 3: Non-intelligent Access Edge (Wired and Wireless) 3-9 It is important to note that if the wireless edge of the net.
Scenario 3: Non-intelligent Access Edge (Wired and Wireless) 3-10 Figure 3-5 Non-intelligent Access Edge (Wired and Wireless) (figure labels: Enterasys NAC Manager, NAC Controller (inli.)
Scenario 4: VPN Remote Access 3-11 Scenario 3 Implementation In the non-intelligent access edge use scenario, the five NAC functions are implemented in the following manner: 1.
Scenario 4: VPN Remote Access 3-12 Figure 3-6 VPN Remote Access Scenario 4 Implementation In the VPN remote access use scenario, the five NAC func.
Summary 3-13 5. Remediation - When the quarantined end user opens a web browser to any web site, its tr.
Summary 3-14 Scenario 4: VPN remote access Summary: VPN concentrators act as a termination point for remote access VPN tunnels into the enterprise network. Appliance Requirement: NAC Controller Inline network access control is implemented by deploying the NAC Controller appliance to locally authorize connecting end-systems.
4-1 Design Planning This chapter describes the steps you should take as you begin planning your NAC deployment.
Survey the Network 4-2 access to a web browser to safely remediate their quarantined end-system without impacting IT operations.
Survey the Network 4-3 The network shown in Figure 4-1 below illustrates the following three examples of how the intelligent edge can be implemented in a network.
Survey the Network 4-4 For the inline implementation of the Enterasys NAC solution, the NAC Controller authenticates and authori.
Survey the Network 4-5 to locally authorize all MAC authentication requests for connecting end-systems, thereby not requiring a list of known MAC addresses.
Survey the Network 4-6 Similar to 802.1X, web-based authentication requires the input of credentials and is normally used on user-centric end-systems that have a concept of an associated user, such as a PC.
Survey the Network 4-7 system at a time, then it is suggested that MAC locking (also known as Port Security) be enabled on the edge switches to restrict the number of connecting devices.
Survey the Network 4-8 authenticated to the network and interact with Enterasys NAC for authentication, assessment, authorization, and remediation.
Survey the Network 4-9 If the network infrastructure does not contain intelligent devices at the edge or distribution .
Survey the Network 4-10 this case, the thick AP deployment falls into the category of non-intelligent edge devices with the same NAC implementations as a non-intelligent wired edge.
Identify Inline or Out-of-band NAC Deployment 4-11 Remote Access VPN In many enterprise environments, a VPN concentrator located at the main site connects to the Internet to provide VPN access to remote users.
Summary 4-12 server. In addition, NAC can also be configured to locally authorize MAC authentication requests. 3. Identify the strategic point in the network where end-system authorization should be implemented.
5-1 Design Procedures This chapter describes the design procedures for Enterasys NAC deployment on an enterprise network. The first section discusses procedures for both out-of-band and inline NAC deployments.
Procedures for Out-of-Band and Inline NAC 5-2 Policy Manager is not required for out-of-band NAC that utilizes RFC 3580-compliant switches (Enterasys and third-party switches).
Procedures for Out-of-Band and Inline NAC 5-3 Figure 5-1 Security Domain NAC Configurations Each Security Domain has a default “NAC configurat.
Procedures for Out-of-Band and Inline NAC 5-4 Figure 5-2 NAC Configuration Authentication The Authentication settings define how RADIUS requests are handled for authenticating end-systems (this does not apply to Layer 3 NAC Controllers.
Procedures for Out-of-Band and Inline NAC 5-5 • How health results are processed. When an assessment is performed on an end-system, a “health result” is generated.
Procedures for Out-of-Band and Inline NAC 5-6 The following figure shows the NAC Manager window used to create or edit a NAC Configuration and define its authentication, assessment, and authorization attributes.
Procedures for Out-of-Band and Inline NAC 5-7 The following table provides examples of various network scenarios that should .
Procedures for Out-of-Band and Inline NAC 5-8 Area of the network that provides access to a group of users or devices that pose a potentially high risk to the security or stability of the network. • Switches that provide access to guest users or contractors on a corporate network.
Procedures for Out-of-Band and Inline NAC 5-9 Area of the network that is configured to allow access only to specific end-systems or users. • Switches that provide access to only pre-configured end-systems and users in highly controlled environments, such as industrial automation networks.
Procedures for Out-of-Band and Inline NAC 5-10 The following table provides network scenarios from an assessment standpoint that should be taken into account when identifying the number and configuration of Security Domains.
Procedures for Out-of-Band and Inline NAC 5-11 Area of the network, or a group of end-systems or users, that require assessment with immediate network access. • Switches that provide network access to mission critical servers, mandating uninterrupted network connectivity while still implementing assessment.
Procedures for Out-of-Band and Inline NAC 5-12 3. Identify Required MAC and User Overrides MAC and user overrides are used to handle end-systems.
Procedures for Out-of-Band and Inline NAC 5-13 The following figure displays the windows used for MAC and user override configuration in NAC Manager.
Procedures for Out-of-Band and Inline NAC 5-14 The following table describes scenarios where a MAC override may be configured for a particular end-system.
Procedures for Out-of-Band and Inline NAC 5-15 A device or class of devices needs to be restricted network access (“blacklisted”) in a particular Security Domain or in all Security Domains.
Procedures for Out-of-Band and Inline NAC 5-16 User Overrides A user override lets you create a configuration for a specific end user, based on the user name.
Assessment Design Procedures 5-17 Manager will not match this end-system and the end-system is assigned the Security Domain’s default NAC configuration.
Assessment Design Procedures 5-18 2. Determine Assessment Server Location When determining the location of the assessment servers on the ne.
Out-of-Band NAC Design Procedures 5-19 configuration if the security vulnerability is considered a risk for the organization. For more information on Nessus, refer to http://nessus.
Out-of-Band NAC Design Procedures 5-20 2. Determine the Number of NAC Gateways The number of NAC Gateways to be deployed on the network .
Out-of-Band NAC Design Procedures 5-21 Figure 5-5 NAC Gateway Redundancy It is important that the secondary NAC Gateway does not exceed maximum capacity if the primary NAC Gateway fails on the network.
Out-of-Band NAC Design Procedures 5-22 primary NAC Gateway, the transition to the secondary NAC Gateway will not exceed maximum capacity.
Out-of-Band NAC Design Procedures 5-23 It is important to note that only the NAC Gateways that are configured with remediation and registration functionality need to be positioned in such a manner.
Out-of-Band NAC Design Procedures 5-24 6. VLAN Configuration This step is for NAC deployments that use RFC-3580-compliant switches i.
Out-of-Band NAC Design Procedures 5-25 previously specified in the NAC configuration must be defined in NetSight Policy Manager to ensure the consistent allocation of network resources to connecting end-systems.
Out-of-Band NAC Design Procedures 5-26 Figure 5-6 Policy Role Configuration in NetSight Policy Manager Assessment Policy The Assessment Policy may be used .
Out-of-Band NAC Design Procedures 5-27 Figure 5-7 Service for the Assessing Role Note that it is not mandatory to assign the Assessment Policy to a connecting end-system while it is being assessed.
Inline NAC Design Procedures 5-28 Figure 5-8 Service for the Quarantine Role Furthermore, the Quarantine Policy and other network infrastructure d.
Inline NAC Design Procedures 5-29 However, the closer the NAC Controller is placed to the edge of the network, the.
Inline NAC Design Procedures 5-30 2. Determine the Number of NAC Controllers The number of NAC Controllers to be deployed on the network is a function of the following parameters: • The network topology.
Inline NAC Design Procedures 5-31 Figure 5-9 Layer 2 NAC Controller Redundancy For a Layer 3 NAC Controller, redundancy is achieved by .
Inline NAC Design Procedures 5-32 3. Identify Backend RADIUS Server Interaction Layer 2 NAC Controllers detect downstream end-systems via authentication: MAC, web-based, or 802.
Additional Considerations 5-33 assessment servers to reach the end-system while it is being assessed, regardless of .