Features and value, Features and value -5 – Enterasys Networks 9034385 User Manual
Page 27
Model 2: End-System Authorization
Enterasys NAC Design Guide 2-5
The NAC Controller may either deny the end‐system access to the network or assign the end‐
system to a particular set of network resources by specifying a particular policy.
Features and Value
In addition to the features and values found in Model 1, the following are key pieces of
functionality and value propositions supported by Model 2, End‐System Authorization:
Location-Based Authorization
In addition to providing visibility into who, what, when, and where devices and users are
connecting to the network, this deployment model allows IT operations to control access to
the network with different levels of authorization based on these parameters. For location‐
based authorization, the Enterasys NAC solution can assign a level of access to a connecting
end user or device based on which area of the network the end‐system is connected, through
the configuration of Security Domains. For example, when an engineer connects to the
network from a controlled area of the network such as the lab, or a faculty member connects to
the network from a physically secured faculty office, the engineer and faculty member are
appropriately authorized to access sensitive information residing on internal servers.
However, if the same users connect to the network from an unsecured area of the network
such as the open wireless LAN available in the enterpriseʹs lobby or campus, or in a student
dormitory, then these end‐systems can be authorized with a different level of network access,
possibly restricting communication to the internal servers and other resources on the network.
Furthermore, the NAC solution can also lock a device to a specific switch or switch port, using
the “Lock MAC” feature. If the device is moved to any other switch port on the network, it
will not be able to connect. For example, a printer or a server containing sensitive data may be
connected to the network at a specific location, such as behind a firewall or on a particular
VLAN for security reasons. Physically moving the connection of these devices to an open area
of the network increases the risk of these devices being attacked and compromised because
they would no longer be protected by the security mechanisms that were put in place on the
network. The “Lock MAC” feature can be used to limit the mobility of specific devices and
avoid malicious or unintentional misconfigurations on the network, thereby reducing risk.
Device-Based Authorization
With this NAC deployment model, end‐systems are authorized with access to a specific set of
network resources based on the end‐systemʹs MAC address. For initial implementation, the
Enterasys NAC solution is configured in a mode where all MAC addresses of connecting end‐
systems are permitted onto the network and dynamically learned. The Enterasys NAC
solution is then configured to allow only known MAC addresses onto the network, assigning
each end‐system a particular authorization level. Any new MAC address connecting to the
network is assigned a different authorization level, such as denied access, restricted access, or
allowed access if the user is able to properly register their device to the network.
The Enterasys NAC solution is able to authorize specific devices or classes of devices (based
on MAC address OUI prefix) with access to a specific set of network resources through the
configuration of MAC overrides. For example, an end‐system that is known to be infected
with a worm, a publicly accessible machine, or a machine belonging to guest user may be
authorized with a restrictive set of network resources or completely denied network access,
regardless of where and when this device connects. In contrast, an end‐system belonging to
the IT operations group may be permitted unrestricted access to network resources for
infrastructure troubleshooting and maintenance purposes, regardless of where and when the
device connects to the network. If you add location‐based authorization (as discussed above)
to this example, then unrestricted access for end‐systems belonging to the IT operations group