Specifications

ManualsBrandsEnterasys ManualsComputer equipmentN Standalone (NSA) Series

191

192

193

194

195

196

197

198

199

200

Policy Overview

May 18, 2009 Page 3 of 32

Standard and Enhanced Policy on Enterasys Platforms

Therearetwosetsofpolicycapabilitiessupported,dependingupontheEnterasysplatform.

Standardpolicyissupportedonallplatforms.Standardpolicyrepresentsthebasepolicysupport

forEnterasysplatforms.Enhancedpolicyisanadditionalsetofpolicycapabilitiessupportedon

theN‐Seriesplatforms.Unlessapolicycapabilityorfunction

iss pecifiedasbeingamemberofthe

enhancedpolicysetorotherwisequalified,inthisdiscussion,standardpolicyisassumed,andthe

capabilityappliestoallEnterasysplatforms tha tsupportpolicy.

The Enterasys NetSight Policy Manager

EnterasysNetSightPolicyManagerisamanagementGUIthatautomatesthedefinitionand

enforcementofnetwork‐widepolicyrules.Iteliminatestheneedtoconfigurepoliciesona

device‐by‐devicebasisusingcomplexCLIcommands.ThePolicyManager’sGUIprovideseaseof

classificationruleandpolicyrolecreation,becauseyou

onlydefinepoliciesonceusinganeasyto

understandpointandclickGUI—andregardlessofthenumberofmoves,addsorchangestothe

policyrole,PolicyMa nager automaticallyenforcesrolesonEnterasyssecurity‐enabled

infrastructuredevices.

Thisdocumentpresentspolicyconfigurationfromthe perspectiveoftheCLI.Though

itispossible

toconfigurepolicyfromtheCLI,CLIpolicyconfigurationinevenasmallnetworkcanbe

prohibitivelycomplexfromanoperationalpointofview.Itishighlyrecommendedthatpolicy

configurationbeperformedusingtheNetSightPolicyManager.TheNetSightPolicyManager

provides:

• Easeofruleandpolicy

rolecreation

•Theabilitytostoreandandretrieverolesandpolicies

•Theability,withasingleclick,toenforcepolicyacrossmultipledevices

TheofficialPolicyManagerdocumentationisaccessedusingonlinehelpfromwithinthe

application.ThisonlinedocumentationcompletelycoverstheconfigurationofpolicyinaPolicy

Managercontext.

ForaccesstothePolicyManagerdatasheetortosetupademooftheproduct,

seehttp://www.enterasys.com/products/visibility‐control/netsight‐policy‐manager.aspx.

Understanding Roles in a Secure Network

ThecapacitytodefinerolesisdirectlyderivedfromtheabilityoftheMatrixN‐Series,SecureStack,

andstandalonedevicestoisolatepacketflowsby inspectingLayer2,Layer3,andLayer4packet

fieldswhilemaintaininglinerate.Thiscapabilityallowsforthegranularapplicationofapolicyto



•Specificuser(MAC,IPaddressorinterface)

•Groupofusers(maskedMACorIPaddress)

•System(IPaddress)

•Service(suchasTCPorUDP)

•Port(physicalorapplication)

Becauseusers,devices,andapplicationsareallidentifiablewithinaflow,anetworkadministrator

hasthecapacitytodefineandcontrolnetworkaccessandusage

bytheactualroletheuseror

deviceplaysinthenetwork.Thenatureofthesecuritychallenge,applicationaccess,oramountof

networkresourcerequiredbyagivenattacheduserordevice,isverymuchdependentuponthe

“role”thatuserordeviceplaysintheenterprise.Definingand

applyingeachroleassuresthat