Enterasys-networks 9034385 Bedienungsanleitung PDF herunterladen (Seite 61)

Survey the Network

Enterasys NAC Design Guide 4-9

Ifthenetworkinfrastructuredoesnotcontainintelligentdevicesattheedgeordistributionlayer,

theninlineNACusingtheNACControllerastheauthorizationpointforconnectingend‐systems

mustbeimplemented.Thisisnotassecureasout‐of‐bandNACbecausetheauthorizationpoint

forend‐sy stemsis

locateddeeperintothenetworkattheNACController.WithinlineNAC,a

quarantinedend‐system,whilerestrictedfromnetworkaccesstoresourcesupstreamfromthe

NACController,isstillabletointeractopenlywithresourcesandassetsonthenetwork

downstreamfromtheNACController.However,anadvantageof

theNACControlleristhatit

providesnetworkaccesscontrolwithoutrequiringtheupgradeoftheaccesslayerordistribution

layerofthenetwork.

Furthermore,itisimportanttonotethattheNACControllerandNACGatewaycanbedeployed

concurrentlyinthenetworkforthesimultaneousimplementationofinlineand

out‐of‐bandNAC,

allcentrallymanagedfromtheNetSightNACManager.TheNACGatewaycanbeutilizedfor

areasofthenetworkwhereintelligentswitchesreside,whiletheNACControllercanbe

positionedinlineforsegmentsofthenetworkwherenon‐intelligentdevicesexist.

Ifthedeploymentofout‐of

‐bandNACisdesiredforanetworkwithnon‐intelligentaccesslayer

devices,thefollowingoptionsshouldbeconsidered:

• DistributionlayerinfrastructuredevicescanbestrategicallyupgradedtoEnterasysMatrixN‐

Seriesdevicesthatarecapableofindividuallyauthenticatinganduniquelyauthorizing

multipledevicesconnectedtoasingleport.Mostof

thesecuritybenefitsofout‐of‐bandNAC

usingEnterasyspolicycanbeobtainedbyimplementingauthorizationatthedistribution

layerinsteadofatthe portofconnectionintheaccesslayer.

• AccesslayerinfrastructuredevicescanbeupgradedtoEnterasyspolicy‐capableswitchesor

RFC3580‐capableswitches to

obtainthesecuritybenefitsofout‐of‐bandNAC.

4. Identify Network Connection Methods

ThepreviousstepshavebeenconcernedwithimplementingNACfortheinternalLAN.Inthis

step,varioustypesofnetworkconnectionmethodsarediscussed,alongwiththeirimpactonNAC

deployment.

Wired LAN

Out‐of‐bandorinlineNACcanbeimplemented,dependingonthecapabilitiesoftheaccessedge

infrastructuredevices.

Wireless LAN

WirelessLANdeploymentsmaybecategorizedintoeitherthickwirelessdeploymentswhere

accesspoints(APs)operateind e pend entlyonthenetwork,orthinwirelessdeploymentswhere

APscommunicatebacktocentrallydeployedwirelessswitchesthatfacilitatecommunication

betweenAPs.

Thick Wireless Deployments

Thickwirelessdeploymentsmayconsistoffull‐featuredAPsthatsupportauthenticationand

authorization.Full‐featuredthickAPsfallintotheintelligentedgecategoryandhavethesame

NACimplicationsasanintelligentwirededge.Inthiscase,intelligentAPsinathickwireless

deploymentcanbeconfiguredwithout‐of

‐bandNACusingtheNACGateway,with

authenticationandauthorizationimplementedonthethickAPs.

OtherthickAPdeploymentsmayconsistofAPsthatdonotsupportauthenticationand/or

authorizationandmerelyactasamediaconverterbetweenthewirelessandwirednetworks.In

1 2 ... 56 57 58 59 60 61 62 63 64 65 66 ... 97 98

Kommentare zu diesen Handbüchern

Keine Kommentare

Enterasys-networks 9034385 Bedienungsanleitung Seite 61

Kommentare zu diesen Handbüchern

Verwandte Produkte und Handbücher für Werkzeug Enterasys-networks 9034385