Enterasys Policy Framework Whitepaper

Table of Contents
Abstract
What Does the Enterasys Policy Framework Provide?
How Does the Policy Framework Help to Deliver Secure Networks™?
What are the Attributes of the Enterasys Policy Framework?
How does the Enterasys Policy Framework Work?
What Makes the Enterasys Policy Framework Better than Competitors’ Methods?
Why Policy Filters are More Effective than Access Control Lists
Summary

Abstract
The ability to administer and enforce policy rules governing network usage and the security of the network environment is a principal aspect of the Enterasys Secure Networks™ architecture. The Enterasys Policy Framework consists of a set of embedded features in security-enabled infrastructure devices, together with visibility and control from a management software suite, to ensure that only the right users have access to the right information from the right place at the right time. With this policy framework in the Secure Networks™ architecture, Enterasys is able to deliver a network communications infrastructure aligned with the business and security policies of an organization. This document is intended to provide a basic understanding of the Enterasys Policy Framework and its advantages over competing approaches.

What Does the Enterasys Policy Framework Provide?
The Enterasys Policy Framework gives an organization the ability to tightly align its usage of the network and related services with the business and its operational processes.
Leveraging a centralized visibility and control point to deliver enterprise-wide policy administration, an IT organization can quickly and effectively adapt to any security or business policy change with a simple operational action. With a single click of a mouse, a policy change can be administered throughout the enterprise. The Enterasys Policy Framework can dynamically provision network communications for any user or connected device based on specific policy rules that define the user's organizational business role and security requirements in the computing environment. A user is able to use the network to do their job while being restricted from misuse and out-of-compliance activities. No matter where or when a user-based or machine-centric device connects to an Enterasys secure network, it is governed by the business operation and security rules of the organization. Enterasys delivers the industry's most advanced network communication policy technologies. The Enterasys Policy Framework is the underpinning of the Secure Networks™ architecture.

How Does the Policy Framework Help to Deliver Secure Networks™?
The Enterasys Secure Networks™ architecture has three core components:
1. A Security-Enabled Infrastructure
2. Centralized Visibility and Control
3. Advanced Security Applications
It is the integration of these three core components that delivers a comprehensive solution, with both a proactive and a reactive posture, to automatically sense and respond to security threats. The Enterasys Policy Framework plays a principal role in the integration of these three core components of the Secure Networks™ architecture.
Figure: the three core components of the Secure Networks™ architecture. Security-Enabled Infrastructure: switches, routers, wireless. Advanced Security Applications: intrusion detection/prevention, network access control, security information management. Centralized Visibility and Control: automated security management, asset and change management, element management, policy management.

The Security-Enabled Infrastructure must have embedded policy features that allow the enforcement of network communication rules, and the administration of these embedded features must be abstracted through Centralized Visibility and Control in order to operate and maintain an effective and secure business communications network. Additionally, Advanced Security Applications, which focus on identifying specific threats in the enterprise network environment, must be able to leverage the embedded policy features in the infrastructure to alter network communications in defense against the threat. It is the design and implementation of the Enterasys Policy Framework that provides the integration of these three key components. Security is delivered through knowledge of the threats to the business environment and the administration of network communication rules in defense against them. Without an appropriate policy framework in place, security rules are difficult to manage and enforce. The Enterasys Policy Framework provides the ability to centrally manage a comprehensive set of network communication and security rules and to enforce them throughout the enterprise communications environment.

What are the Attributes of the Enterasys Policy Framework?

Central Role-Based Administration
For a set of policy rules to be meaningful they must tightly align with the business and operational processes of a company.
In addition, because there are many different organizations within a typical company, all with different business and operational responsibilities, network communication policy rules must be enforced in accordance with the role of the user or device in the business. Role-based administration is the modeling and alignment of network technology, information services, and business processes. The Enterasys NetSight® Policy Manager application provides the operational interface for role-based administration of policy.

Authentication/Authorization
In order to enforce the appropriate network communication policy rules for the business role of the user or device connecting to the network, an identity must be established for that user or device. User-centric and machine-centric authentication technologies at the access layer of the network infrastructure must be employed to identify the user and/or the device, such as a printer, phone, camera, or storage device. Authentication then allows the authorization of appropriate network usage by associating the user or device with an organizational role. Various access control and authentication types are provided in Enterasys access-layer and distribution-layer Matrix™, SecureSwitch™ and SecureStack™ switches, and in Enterasys RoamAbout® wireless access-layer products. Authentication types include user-based 802.1X, device-based MAC, and guest-based web authentication. These authentication types work in conjunction with industry-standard AAA services such as RADIUS servers and directory services (LDAP) to authenticate users and end-systems in the network environment.

Intelligent Network Infrastructure
Without a network infrastructure that can distinguish various traffic classes, applications, and threats, a meaningful network communications policy cannot be enforced.
The network infrastructure where the policy rules are enforced must be intelligent, meaning that the communications products themselves must classify and manipulate traffic with the granularity of the business policy. If a policy rule says that MS Blaster must not be introduced into the network, then the access-layer products must be able to recognize the specific traffic associated with MS Blaster and filter only that traffic in order to enforce the rule. Intelligent Network Infrastructure is provided by Enterasys Matrix, SecureSwitch and SecureStack switches, and RoamAbout wireless products.

How does the Enterasys Policy Framework Work?
Central policy administration occurs through the NetSight® Policy Manager application. This application enables an IT administrator or operator to maintain a single configuration point for an enterprise-wide policy profile that reflects the rules associated with the differing business and security roles of the company. NetSight® Policy Manager is designed with an administrative interface depicting the role-based policy model, which aligns the creation of a policy rule supporting a particular network service with the business roles requiring that service.

Figure: the role-based policy model. Roles (Supply Chain, IT Operations, Sales) are linked to services (High Priority SAP, Administrative Protocols, Internet Access, Streaming Video), and each service is made up of rules (Rule 1, Rule 2, Rule 3).

From this centralized management platform, the administrator can configure policy rules for each business role in the environment and distribute the entire policy profile to the intelligent network infrastructure, where policies are then enforced based upon the identification and authorization of the connected end point.
In order to enforce the appropriate policy rules for an individual user or device when it connects to the network, authentication and authorization take place to identify the user or device and associate the appropriate policy role. Both user-centric and machine-centric authentication are possible through various methods (EAP over 802.1X, web-based, and MAC-based authentication). When a user or device connects to the network, the infrastructure product initiates access control through an authentication challenge. The credentials are passed from the user or device to the enterprise directory services using the RADIUS protocol. Here the user or device is authenticated and associated with the appropriate business policy role. A RADIUS return attribute identifying the role is used to communicate the set of network communication policy rules to be enforced by the infrastructure product (network switch) where the user or device has connected.

Figure: authentication and policy enforcement flow. NetSight™ Policy Manager distributes the policy profile to the Matrix™ switch (RADIUS client). The end-system (user) authenticates via 802.1X, web or MAC authentication; the switch relays the credentials over RADIUS to the RADIUS server, which consults directory services and matches the policy role; the switch then applies access control and policy enforcement based upon the returned role.

The specific Policy Enforcement Point (PEP) is the intelligent network infrastructure device where the end-system or user connects: the Matrix, SecureSwitch or SecureStack switch, or the RoamAbout wireless access point or switch. It is at this point that the appropriate policy rules are enforced, based upon the user's or device's role in the business as mapped during the authentication and authorization process. The role identity is received from the RADIUS server upon successful authentication of the end-system and/or user.
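The RADIUS leg of the exchange above, as an added example that is not part of the original whitepaper and is not Enterasys code. It builds an Access-Accept carrying a Filter-Id attribute (attribute type 11 in RFC 2865) and then models the check the switch, as RADIUS client, must perform before acting on it: validate the Length field, match the Identifier to its outstanding request, and recompute the Response Authenticator with the shared secret. A reply that fails that check must not map to any role; otherwise anyone able to spoof UDP from the server's address could hand out roles. The role table, the shared secret and the Filter-Id strings are constructed for this example; the whitepaper does not state the Filter-Id string format Enterasys uses.

```python
"""Added example: verify a RADIUS Access-Accept and map its Filter-Id to a policy role.
Models the switch (RADIUS client) side of the whitepaper's exchange; not Enterasys code."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_FILTER_ID = 11  # RFC 2865 section 5.11

# Assumed: how Filter-Id strings map to locally defined roles. Role names follow the
# whitepaper's figure; the Filter-Id strings themselves are constructed for this example.
ROLE_TABLE = {"Sales": "Sales", "Supply-Chain": "Supply Chain", "IT-Ops": "IT Operations"}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RFC 2865 TLVs: type, length including header, value."""
    out = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse TLVs; refuse lengths that run past the buffer instead of reading garbage."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, request_auth, secret, role=None):
    """What the RADIUS server sends back; the role travels as Filter-Id when given."""
    attrs = encode_attrs([(ATTR_FILTER_ID, role.encode())] if role else [])
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def role_from_reply(packet, expected_ident, request_auth, secret):
    """Switch-side check. Returns the policy role name, or None for an Access-Reject or an
    Access-Accept with no usable Filter-Id. Raises ValueError for anything the client must
    discard: bad Length, unexpected Identifier, or a bad Response Authenticator."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    if ident != expected_ident:
        raise ValueError("identifier does not match an outstanding request")
    auth, attrs = packet[4:20], packet[20:length]  # octets past Length are ignored (RFC 2865)
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator check failed; reply not from the trusted server")
    if code != ACCESS_ACCEPT:
        return None
    for attr_type, value in decode_attrs(attrs):
        if attr_type == ATTR_FILTER_ID:
            return ROLE_TABLE.get(value.decode("ascii", "replace"))
    return None


if __name__ == "__main__":
    request_auth = bytes(range(16))        # constructed; a real client sends 16 random octets per request
    secret = b"example-shared-secret"      # constructed
    accept = build_reply(ACCESS_ACCEPT, 7, request_auth, secret, role="Sales")
    print(role_from_reply(accept, 7, request_auth, secret))
    forged = build_reply(ACCESS_ACCEPT, 7, request_auth, b"guessed-secret", role="IT-Ops")
    try:
        role_from_reply(forged, 7, request_auth, secret)
    except ValueError as err:
        print("discarded:", err)
```

The Response Authenticator is only as strong as the shared secret and MD5 allow, which is why RADIUS between switch and server should also be confined to a management network; the check above is the minimum the client must do, not a substitute for that.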
Using this role identification (carried in a standard "Filter-ID" RADIUS return attribute), the intelligent network infrastructure product can apply all of the policy rules mandated for that specific user and end-system. This is done through the policy features of the Enterasys Matrix, SecureSwitch, SecureStack and RoamAbout products. Traffic classifiers for Layers 2 through 4 of the OSI model are used in the infrastructure product to identify specific traffic by source and destination, protocol type, and even specific application. Filter, rate-shape, and priority policy actions can then be enforced against the identified traffic to precisely determine how the network communications system is used and what the specific user and end-system can do in the environment.

Figure: the policy engine in an Enterasys Secure Networks switch. Inputs: Policy Manager (administration) supplies the policy definition and VLAN definition; the AAA server and directory services authenticate the network-attached endpoint (device/system) through the switch's embedded authentication support. Classifiers: L2 controls (MAC address, EtherType), L3 controls (IP address, TOS, IP protocol), L4 controls (TCP port, UDP port), and broadcast limits. Actions: permit, deny, contain, rate limiting, priority queuing.

What Makes the Enterasys Policy Framework Better than Competitors’ Methods?
There are several key advantages of the Enterasys Policy Framework over other vendors' methods of managing and enforcing policy. Leveraging the industry's most advanced policy administration application (NetSight® Policy Manager) and the most capable intelligent network infrastructure products (Matrix, SecureSwitch and SecureStack series switches, and RoamAbout wireless switches and access points), Enterasys delivers a policy framework and Secure Networks™ architecture that far exceeds competitors' solutions. Below are some of the benefits of the Enterasys Policy Framework.
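A model of the role-based enforcement the paragraph above describes, added here as an example; it is not Enterasys code and the whitepaper gives no vendor algorithm for it. Each role holds rules built from L2 to L4 classifiers (MAC, EtherType, IP network, IP protocol, TCP/UDP port) with permit, deny, contain, rate-limit and priority actions, and the engine applies the first matching rule after sorting by a precedence key rather than by the order the administrator entered them. That sorting stands in for the automatic filter ordering the later section on ACLs credits to NetSight Policy Manager, so the Guest role below deliberately lists its broad permit first to show that the order of entry does not matter. The precedence key (more constrained classifier wins, ties to the higher layer), the role contents, VLANs, subnets and port numbers are all assumptions constructed for the example; only the role names come from the whitepaper's figure.

```python
"""Added example: role-based policy enforcement with L2-L4 classifiers.
Illustrates the whitepaper's classifier/action model; not Enterasys code, and the
precedence rule is an assumption, not the vendor's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ETH_IP = 0x0800
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Classifier:
    """One traffic classifier; None is a wildcard. Fields follow the L2/L3/L4 controls
    in the whitepaper's policy-engine figure."""
    src_mac: Optional[str] = None
    ethertype: Optional[int] = None
    src_net: Optional[str] = None    # CIDR
    dst_net: Optional[str] = None    # CIDR
    ip_proto: Optional[int] = None
    dst_port: Optional[int] = None   # TCP or UDP destination port

    def matches(self, pkt: dict) -> bool:
        if self.src_mac is not None and pkt.get("src_mac", "").lower() != self.src_mac.lower():
            return False
        if self.ethertype is not None and pkt.get("ethertype") != self.ethertype:
            return False
        for net, key in ((self.src_net, "src_ip"), (self.dst_net, "dst_ip")):
            if net is not None and (key not in pkt or ip_address(pkt[key]) not in ip_network(net)):
                return False
        if self.ip_proto is not None and pkt.get("ip_proto") != self.ip_proto:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True

    def precedence(self) -> tuple:
        """Assumed ordering key: more constrained classifiers win, ties go to the higher layer."""
        fields = (self.src_mac, self.ethertype, self.src_net, self.dst_net, self.ip_proto, self.dst_port)
        constrained = sum(f is not None for f in fields)
        if self.dst_port is not None:
            layer = 4
        elif any(f is not None for f in (self.src_net, self.dst_net, self.ip_proto)):
            layer = 3
        else:
            layer = 2
        return (constrained, layer)


@dataclass(frozen=True)
class Rule:
    classifier: Classifier
    action: str                       # "permit", "deny" or "contain"
    vlan: Optional[int] = None        # VLAN the traffic is placed in (contain) or forwarded on
    priority: Optional[int] = None    # 802.1p class of service, 0-7
    rate_kbps: Optional[int] = None   # rate limit applied to matching traffic


@dataclass
class Role:
    name: str
    default_vlan: int
    rules: list

    def enforce(self, pkt: dict) -> Rule:
        """First match after sorting by precedence; entry order is irrelevant (sort is stable)."""
        for rule in sorted(self.rules, key=lambda r: r.classifier.precedence(), reverse=True):
            if rule.classifier.matches(pkt):
                return rule
        return Rule(Classifier(), "permit", vlan=self.default_vlan)


# Shared rule: TCP 135 (RPC/DCOM), the port W32/Blaster exploited; denied in every role.
BLOCK_BLASTER = Rule(Classifier(ethertype=ETH_IP, ip_proto=TCP, dst_port=135), "deny")

# Constructed roles. Names follow the whitepaper's figure; VLANs, subnets and ports are assumptions.
ROLES = {
    "Sales": Role("Sales", default_vlan=20, rules=[
        BLOCK_BLASTER,
        Rule(Classifier(ethertype=ETH_IP, ip_proto=TCP, dst_port=23), "deny"),          # no telnet
        Rule(Classifier(ethertype=ETH_IP, dst_net="10.1.1.0/24", ip_proto=TCP, dst_port=3200),
             "permit", priority=6),                                                    # SAP, high priority
        Rule(Classifier(ethertype=ETH_IP, ip_proto=UDP, dst_port=5060), "contain", vlan=30),  # SIP to voice VLAN
    ]),
    "Guest": Role("Guest", default_vlan=99, rules=[
        Rule(Classifier(ethertype=ETH_IP), "permit", rate_kbps=2000),                 # entered first, least specific
        Rule(Classifier(ethertype=ETH_IP, dst_net="10.0.0.0/8"), "deny"),             # no reach into internal space
        BLOCK_BLASTER,
    ]),
}


def enforce(role_name: str, pkt: dict) -> Rule:
    """Apply the role returned at authentication time to one packet (a dict of header fields)."""
    return ROLES[role_name].enforce(pkt)


if __name__ == "__main__":
    base = {"src_mac": "00:11:22:33:44:55", "ethertype": ETH_IP, "src_ip": "10.1.20.7", "ip_proto": TCP}
    print(enforce("Guest", {**base, "dst_ip": "10.1.1.9", "dst_port": 80}).action)      # deny
    print(enforce("Guest", {**base, "dst_ip": "203.0.113.5", "dst_port": 443}).action)  # permit
```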
Comparison: Enterasys Policy Framework, other frameworks, and the Enterasys benefit

1. Enterasys: Common policy features across many network infrastructure products and product families.
   Others: Inability to enforce the same policy rules across a large variety of network infrastructure products.
   Benefit: Enterprise-wide enablement of policy, allowing a true relationship with business operations and security requirements: one policy configuration enforced anywhere a user or device connects throughout the network.

2. Enterasys: Centralized policy administration for the entire enterprise environment.
   Others: Multiple management applications for policy definition, enforcement, and containment.
   Benefit: Less time to introduce a critical policy rule to the entire enterprise environment.

3. Enterasys: Single point-and-click static policy enforcement to any port in the enterprise network.
   Others: Multiple steps required to apply a static policy to a port in the network infrastructure.
   Benefit: Significantly reduced time and resources required to configure static policy parameters at a moment's notice anywhere in the enterprise network.

4. Enterasys: Full policy rule enforcement while inheriting any existing topology configuration (no need to alter the VLAN configuration).
   Others: Topology (VLAN) dependency when assigning policy rules.
   Benefit: Ease of deployment and reduced risk; no requirement to introduce complex changes to the existing network topology.

5. Enterasys: Individual and differentiated policy rules for users, even within the same VLAN.
   Others: Policy rules must be the same for all users within the same VLAN.
   Benefit: The ability to align a user with the exact business role policy no matter where the user connects to the network; unencumbered user mobility.

6. Enterasys: Comprehensive options for user/end-system identity (digital certificates, biometrics, two-factor, MAC-based, web-based, Convergence End-Point Detection).
   Others: Limited user/end-system identity capabilities.
   Benefit: Faster deployment of dynamic policy enforcement through user authentication; reduced expense in deploying an authentication methodology.

Why Policy Filters are More Effective than Access Control Lists
Enterasys NetSight Policy Manager is faster and more efficient than ACLs for enforcing network security. Using ACLs you have to:
1. Telnet to the switch
2. Display the ACL configuration file
3. Highlight the ACL text and copy it
4. Paste the ACL text into Notepad
5. Evaluate the ACL order and insert the new packet filter (ACL)
6. Re-order the remaining ACLs
7. Copy the text in Notepad
8. Paste it into the switch telnet session
9. Repeat for each switch on the network
Observed time to deploy one change: 1 hour.

Using Enterasys Policy you only have to:
1. Create the classification rule (packet filter) in NetSight Policy Manager
2. Link the classification rule to the user/device/application role(s) that should carry the packet filter
3. Deploy the change to the entire network with a single click
Observed time to deploy one change: 3 minutes.

The Enterasys Policy Framework orders the packet filter policies automatically, eliminating the potential for human error in the configuration file. Packet filters are structured and sequenced automatically, and the result is a very scalable packet filtering architecture. NetSight Policy Manager is a global deployment tool: entering a change request once makes the change appear throughout the entire network. Assigning a packet filter to more than one role or port type is a matter of linking that filter with multiple Enterasys policy groups (roles). The bottom line is that you can save time and avoid errors by using NetSight Policy Manager instead of ACLs to enforce security in your network.

Summary
The Enterasys Policy Framework provides a key foundation for the Secure Networks™ architecture. It is the policy framework that enables the critical integration of security-enabled infrastructure with centralized visibility and control. An Enterasys solution allows customers to efficiently and effectively administer business communication and security policies, and to ensure that those policies are correctly enforced at the right location and time, and for the right person and end-system. No other policy framework is as easy to deploy and as comprehensive in ability as the Enterasys solution. Customers around the world and in every industry rely on Enterasys policy solutions to enable convergence, deliver security, and ensure compliance.

© 2007 Enterasys Networks, Inc. All rights reserved. Enterasys is a registered trademark. Secure Networks is a trademark of Enterasys Networks. All other products or services referenced herein are identified by the trademarks or service marks of their respective companies or organizations. NOTE: Enterasys Networks reserves the right to change specifications without notice. Please contact your representative to confirm current specifications. 8/07. Delivering on our promises. On-time. On-budget. For more information, call Enterasys Networks toll free at 1-877-801-7082, or +1-978-684-1000, and visit us on the Web at enterasys.com.