Additional Considerations
Enterasys NAC Design Guide 5-33

assessment servers to reach the end-system while it is being assessed, regardless of whether the Assessing policy, Enterprise User policy, or any other policy role is used for assessment.

The Quarantine Policy is used to restrict network access for end-systems that have failed assessment. The Quarantine policy role is configured by default on the NAC Controller to be used as the Quarantine Policy in NAC Manager. This policy is restrictive: it allows DNS and DHCP, and redirects web traffic to serve back a web page stating that the end-system's access has been restricted because it is deemed noncompliant. All other traffic is discarded. If network access should remain open when an end-system fails the assessment, either disable the use of the Quarantine Policy in the NAC Configuration or select the Enterprise User policy role as the Quarantine Policy.

Unregistered Policy
If MAC (network) registration is to be configured on Layer 2 NAC Controllers, the Unregistered policy role configured by default on the NAC Controller can be used as the Accept Policy for unregistered devices. This policy is restrictive: it allows DNS and DHCP, and redirects web traffic to serve back a registration web page stating that the end-system's access has been restricted because it has not yet registered. All other traffic is discarded.

Additional Considerations
This section presents additional design considerations for both inline and out-of-band NAC deployments.

NAC Deployment With an Intrusion Detection System (IDS)
NAC deployments that implement end-system assessment complement networking environments with IDS technologies that detect real-time security events on the network. While end-system assessment determines the security posture of connecting devices and mitigates the threats posed by vulnerable end-systems, it does not determine the end user's intentions, whether malicious or benevolent. IDS technologies can therefore monitor how an end-system uses network resources after NAC has validated its security posture compliance. However, the end-system assessments that NAC performs may themselves be classified by an IDS (depending on its configuration) as an attack. Therefore, if traffic from the assessment server traverses a network link monitored by an IDS sensor, the IDS must be configured not to generate security events for traffic sourced from the assessment server's IP address. The same applies to IPS systems.

NAC Deployment With NetSight ASM
NetSight ASM can be configured to notify the locally installed NAC Manager to dynamically configure a MAC override for a threat MAC address on the network. When a security threat is detected on the network, either by Enterasys Dragon IDS or by a third-party device, and the threat is communicated to NetSight ASM for an automated response, ASM can quarantine the source of the attack at its port of connection using policy, and also communicate this quarantine action to NAC. If the end-system sourcing the security threat moves to a different port on the network, it remains quarantined because of the dynamically configured MAC override, protecting the network from the possibility of future attacks. The deployment of NAC therefore not only proactively protects the network from security threats posed by vulnerable end-systems, but also strengthens the network's dynamic response to real-time threats detected from end-systems.
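As an added illustration (not Enterasys code or configuration), the following Python model ties together the behaviours described above: policy-role selection keyed by MAC so that an ASM-driven quarantine follows an end-system across ports, the restrictive forwarding of the Quarantine and Unregistered roles, and suppression of IDS events sourced from the assessment server. Role names come from the guide; the data structures, the port numbers used to recognise web traffic and the sample IP address are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample address for the assessment server (not from the guide).
ASSESSMENT_SERVER_IP = "10.0.0.50"

@dataclass
class EndSystem:
    mac: str
    port: str                                  # switch port of connection
    registered: bool = True                    # MAC (network) registration done
    assessment_passed: Optional[bool] = None   # None = still being assessed

@dataclass
class NacController:
    # "Quarantine Policy" enabled in the NAC Configuration; False models the
    # option of leaving access open after a failed assessment.
    use_quarantine_policy: bool = True
    # MAC -> pinned policy role, set when NetSight ASM reports a threat.
    mac_overrides: dict = field(default_factory=dict)

    def asm_quarantine(self, mac: str) -> None:
        """ASM notifies NAC Manager: pin this threat MAC to Quarantine."""
        self.mac_overrides[mac] = "Quarantine"

    def policy_role(self, es: EndSystem) -> str:
        """Resolve the policy role applied to an end-system."""
        if es.mac in self.mac_overrides:       # keyed by MAC, so it survives port moves
            return self.mac_overrides[es.mac]
        if not es.registered:
            return "Unregistered"              # Accept Policy for unregistered devices
        if es.assessment_passed is None:
            return "Assessing"
        if es.assessment_passed:
            return "Enterprise User"
        return "Quarantine" if self.use_quarantine_policy else "Enterprise User"

def forwarding_action(role: str, dst_port: int) -> str:
    """Restrictive roles permit DNS/DHCP, redirect web traffic, discard the rest."""
    if role in ("Quarantine", "Unregistered"):
        if dst_port in (53, 67, 68):           # DNS, DHCP
            return "permit"
        if dst_port in (80, 443):              # web (HTTP/HTTPS assumed); page served differs per role
            return "redirect"
        return "discard"
    return "permit"

def ids_events_to_alert(events: list) -> list:
    """Suppress IDS events sourced from the assessment server, whose scans look like attacks."""
    return [e for e in events if e["src"] != ASSESSMENT_SERVER_IP]
```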