Enterasys-networks 9034385 Manuel d'utilisateur télécharger pdf (Page 97)

Additional Considerations

Enterasys NAC Design Guide 5-33

assessmentserverstoreachtheend‐systemwhileitisbeingassessed,regardlessofwhetherthe

Assessingpolicy,EnterpriseUserpolicy,oranyotherpolicyroleisutilizedforassessment.

TheQuarantinePolicyisusedtorestrictnetworkaccesstoend‐systemsthathavefailed

assessment.TheQuarantinepolicyroleis

configuredbydefaultontheNACControllertobeused

astheQuarantinePolicyinNACManager.Thispolicyisrestrictive,allowingDNSandDHCP,and

redirectingwebtraffictoservebackawebpagestatingtheend‐systemhasbeenrestrictedaccess

becauseitisdeemednoncompliant.Allothertypes

oftrafficarediscarded.Ifitisdesiredtoopen

networkaccesswhenanend‐systemfailstheassessment,theuseoftheQuarantinePolicycanbe

disabledintheNACConfigurationortheEnterpriseUserpolicyrolecanbeselectedasthe

QuarantinePolicy.

Unregistered Policy

IfMAC(network)registrationistobeconfiguredonLayer2NACControllers,theUnregistered

policyroleconfiguredbydefaultontheNACControllercanbeusedfortheAcceptPolicyof

unregistereddevices.Thispolicyisrestrictive,allowingDNSandDHCP,and redirectingweb

traffictoservebackaregistration

webpagestatingtheend‐systemhasbeenrestrictedaccess

becauseithasnotyetregistered.Allothertypesoftrafficarediscarded.

Additional Considerations

Thissectionpresentsadditionaldesignconsiderationsforbothinlineandout‐of‐bandNAC

deployments.

NAC Deployment With an Intrusion Detection System (IDS)

NACdeploymentsthatimplementend‐systemassessmentcomplementnetworking

environmentswithIDStechnologiesthatdetectreal‐timesecurityeventsonthenetwork.While

end‐systemassessmentdeterminesthesecuritypostureofconnectingdevicesand mitigates

threatsposedbyvulnerableend‐systems,itdoesnotdeterminetheenduserʹsintentions,whether



maliciousorbenevolent.Therefore,IDStechnologiescanmonitorhowanend‐systemutilizes

networkresourcesafterNAChasvalidatedthesecurityposturecomplianceoftheend‐system.

However,end‐systemassessmentsutilizedinNACmaybeclassifiedbyanIDS(dependingonits

configuration)asanattack.Therefore,ifthe

trafficfromtheassessmentservertraversesanetwork

linkthatismonitoredbyanIDSsensor,theIDSmustbeconfiguredtonotgeneratesecurityevents

fortrafficsourcedfromtheassessmentserver’sIPaddress.ThesameappliesforIPSsystems.

NAC Deployment With NetSight ASM

NetSightASMcanbeconfiguredtonotifythelocallyinstalledNACManagertodynamically

configureaMACoverrideforathreatMACaddressonthenetwork.Whenasecuritythreatis

detectedonthenetwork,eitherthroughEnterasysDragonIDSorathird‐partydevice,andthe

securitythreatiscommunicated

toNetSightASMforanautomatedresponse,ASMcanthen

quarantinethesourceoftheattackat theportofconnectionusingpolicy,andalsocommunicate

thisquarantineactiontoNAC.Iftheend‐systemsourcingthesecuritythreatmovestoadifferent

portonthenetwork,theend‐system

willremainquarantined,duetoadynamicallyconfigured

MACoverride,toprotectthenetworkfromthepossibilityoffutureattacks.Therefore,the

deploymentofNACnotonlyproactivelyprotectsthenetworkfromsecuritythreatsposedby

vulnerableend‐systems,butitalsoempowersthenetworkʹsdynamicresponsecharacteristicsto

real

‐timethreatsdetectedfromend‐systems.

1 2 ... 92 93 94 95 96 97 98

Commentaires sur ces manuels

Pas de commentaire

Enterasys-networks 9034385 Manuel d'utilisateur Page 97

Commentaires sur ces manuels

Produits connexes et manuels pour Outils Enterasys-networks 9034385