Enterasys-networks 9034385 Manual do Utilizador descarregar pdf (Página 12)

NAC Solution Overview

1-2 Overview

Assessment

Determineifthedevicecomplieswithcorporatesecurityandconfigurationrequirements,suchas

operatingsystempatchrevisionlevelsandantivirussignaturedefinitions.Othersecurity

compliancerequirementsmightincludethephysicallocationofthedeviceandthetimeofdaythe

connectionattemptismade.

Authorization

Determinetheappropriatenetworkaccessfortheconnectingdevicebasedontheauthentication

and/orassessmentresults,andenforcethisauthorizationleveltotheend‐system.The

authorizationlevelcanbedeterminedbasedonthedeviceʹslocation,MACaddress,andsecurity

posture(asdeterminedbytheassessmentresults),inadditionto

theidentityoftheuser/device

validatedthroughauthentication.

Theend‐systemcanbeauthorizedfornetworkaccessusingdifferenttechniques,suchas

reconfiguringaccessedgeswitchesorleveragingaspecializedNACappliancedeployedinthe

transmissionpathofend‐systemdatatraffic.Inlineandout‐of‐bandNACimplementationsuse

differenttechniquesforauthorizingend‐systemsonthenetwork,eachwithuniqueadvantages

anddisadvantagesasdiscussedlaterinthischapter.

Remediation

Enableenduserstosafelyremediatetheirnon‐compliantend‐systemswithoutimpactingIT

operations.Withremediation,userscanbenotifiedwhentheirsystemisquarantinedfornetwork

securitypolicynon‐compliance,andtheycanbedirectedtoperformself‐serviceremediation

techniquesspecifictothe detectedcomplianceviolation.Notificationmethods

includeweb

redirectionviaacaptiveportal,emailnotification,pop‐upmessages,andmessengerservice

integration,amongothers.

Theremediationprocessincludesupdatingthedevicetomeetcorporatesecurityrequirements

(forexample,updatingoperatingsystempatchesandantivirussignatures)and reinitiatingthe

networkaccessprocess.Networkresourcescanbeautomaticallyreallocated

toend‐systemsthat

havesuccessfullyperformedtheremediationsteps,withouttheinterventionofIToperations.

Deployment Models

ThefivekeyNACfunctionsdescribedabovedonotneedtobeimplementedconcurrentlyina

NACdeployment.Forexample,tosupportMACregistrationfor guests andotherusersonthe

network,thedetection,authentication,andauthorizationfunctionalitiescanbeimplemented

withouttheassessmentfunctionality.ThisallowsanITdepartmentto

gainvisibilityintowhois

usingwhichdevicesonthenetworkwhileallowingonlyvaliduserstoenterthenetwork.

Asanotherexample,theassessmentfunctionalitycanbeaddedtothedetection,authentication,

andauthorizationofend‐systemswithouttheremediat ion functionality,allowingfortheauditing,

butnotquarantining,ofconnecting

end‐systems.Thisprovidesvisibilityintothesecurityposture

andconfigurationofconnectingend‐systemswithoutimpactingdevicenetworkconnectivity,and

canbeusedforauditingandsoftwareupdatepurposesbytheITdepartment.

ThefourNACdeploymentmodelsdescribedbelowbuildoneachotherbyimplementingsubsets

ofthe

fivekeyNACfunctions.EachmodelprovidesparticularaspectsofNACfunctionality,

supportingtherequirementsofdiverseenterpriseenvironments.Witheachsubsequentmodel,

theadditionalNACfunctionalitycanbeenabledwithouttheneedtoreplacepiecesofthe

EnterasysNACsolution.

1 2 ... 7 8 9 10 11 12 13 14 15 16 17 ... 97 98

Comentários a estes Manuais

Sem comentários

Enterasys-networks 9034385 Manual do Utilizador Página 12

Comentários a estes Manuais

Manuais e produtos relacionados com Ferramentas Enterasys-networks 9034385