DATA SHEET Extreme Access Control

(Formerly Network Access Control)
End-to-end security and superior user experience.

HIGHLIGHTS

BUSINESS ALIGNMENT
- Protect corporate data by proactively preventing unauthorized users, compromised endpoints, and other vulnerable systems from network access
- Effectively balance security and availability for users, contractors and guests
- Proactively control the security posture of all devices, including employee-owned (BYOD) devices, on the network
- Efficiently address regulatory compliance requirements
- Cost-efficient protection for enterprise remote offices

OPERATIONAL EFFICIENCY
- Complete solution featuring both physical and virtual appliances
- Range of policy configuration options enables uniquely fine-grained network control and flexibility
- Comprehensive dashboard reporting and advanced notification engine
- Managed guest access control with sponsorship
- Leverage existing assessment servers, authentication servers, software agents and identity sources, avoiding forklift upgrades
- Enable business staff to easily sponsor guests and validate guest registration
- Protect physical and virtualized environments with flexible deployment: physical and virtual appliances

SECURITY
- Enable the strongest security with fine-grained access control based on user, device, time, location and authentication type
- Assess end systems of any type for vulnerabilities or threats with agent-based or agent-less assessment
- Automate endpoint isolation, quarantine, and remediation, plus ongoing threat analysis, prevention, and containment

SERVICE AND SUPPORT
- Industry-leading first call resolution rates and customer satisfaction rates
- Personalized services, including site surveys, network design, installation and training

Product Overview
Extreme Access Control is a complete, standards-based, multi-vendor interoperable pre-connect and post-connect solution for wired and wireless LAN and VPN users. Using Extreme Networks Identity and Access appliances and/or the Identity and Access Virtual Appliance with Extreme Control management, configuration and reporting software, IT administrators can deploy a leading-edge solution to ensure only the right users have access to the right information from the right place at the right time. Access Control is tightly integrated with the Extreme Networks Intrusion Prevention System (IPS) and Extreme Networks Security Information and Event Manager (SIEM) to deliver best-in-class post-connect access control.

The Access Control advantage is business-oriented visibility and control over individual users and applications in multi-vendor infrastructures. It protects existing infrastructure investments since it does not require the deployment of new switching hardware, nor that agents be installed on all end systems. Access Control performs multi-user, multi-method authentication, vulnerability assessment and assisted remediation. It offers the flexibility to choose whether or not to restrict access for guests/contractors to public Internet services only, and how to handle authenticated internal users/devices that do not pass the security posture assessment. Businesses have the flexibility to balance user productivity and security. The assessment warning capability alerts users that they need to upgrade their system, but can allow a grace period before they are quarantined.

Access Control policies permit, deny, prioritize, rate-limit, tag, redirect, and audit network traffic based on user identity, time and location, device type, and other environmental variables. Access Control supports RFC 3580 port- and VLAN-based quarantine for Extreme Networks and third-party switches, plus more powerful

isolation policies (which prevent compromised endpoints from launching attacks while in the quarantine state) on Extreme Networks switches. Access Control is adaptable to any device using RADIUS for authorization, with configurable RADIUS attributes such as Login-LAT or Filter-Id. Enterprises can apply different policies depending on the RADIUS reject attribute; for example, a different policy may be applied to a user with an expired password than to a user who does not have an account. The solution offers unmatched interoperability, provides the widest number of authentication options, and supports Layer 2, Layer 3 and VPN access technologies.

Access Control enables the homogeneous configuration of policies across multiple switch and wireless access point vendors. This capability significantly reduces the burden of policy lifecycle management and eases deployment in wired and wireless heterogeneous infrastructures. With Extreme Access Control's flexibility, organizations have phased deployment options enabling immediate network protection and business value. For example, an organization can start with simple endpoint detection and location directory information, then add authentication/authorization and/or assessment, and then automate remediation.

Fine-Grained Configuration Options
Access Control configuration options provide an unparalleled range of choices for fine-grained network control. These configuration options include time, location, authentication type, device and OS type, and end system and user groups. For example, enterprises can write and enforce policies that grant a precise level of network access based on the type of system connecting, an employee's role in the organization, the location of the user at the time of connecting, or the time of day. Device and OS type rules are particularly important in environments where users bring their own devices (BYOD). The enterprise can give these devices network access that is different from the access permitted to corporate devices.

An enterprise's network is more secure with tighter control over who gains access, when, and from what location. The granularity of these configuration options also provides flexibility for efficient deployment in large heterogeneous infrastructures.

Guest Account Services Included
Access Control includes automated guest registration access control features to assure secure guest networking without burdening IT staff. Features such as expiration and account validity time control the guest account without any IT involvement. Access Control provides a self-registration portal for users to register multiple devices themselves, and offers advanced sponsorship capabilities such as email sponsorship and a simple portal for sponsors to use to validate guest registration. Registration capabilities are also available for automatic contact verification through SMS or email, and for secure wireless guest access, providing access to the secured wireless network without an 802.1X certificate or any IT intervention. LDAP integration allows dynamic role assignment for authenticated registration. Authenticated registration allows enterprise network users to register devices and receive the proper role for non-802.1X-capable devices. Multiple registration groups allow administrators to give different levels of access to different types of guests. Location-based registration allows guest access to be limited to specific connection points (SSID, port, switch) or groups of connection points.

Identity-Aware Networking
In an identity-aware network a user's capabilities are controlled based on the user's identity and the access policies attributed to the user. Access Control provides user identity functionality including discovery, authentication and role-based access controls. Access Control integrates with identity sources such as Siemens Enterprise Communications HiPath DirX Identity and Microsoft Active Directory, leveraging and extending the organization's existing directory investments. Users are managed centrally in the identity system for the network and all connected applications. The process of managing the user's lifecycle (e.g. enrollment, role changes, termination) can be automated and linked to other business processes with LDAP and RADIUS integration. Users can be automatically added or deleted when they join or leave the organization. Extreme Networks identity-aware networking capabilities provide stronger network security and lower operational cost.

Endpoint Baselining and Monitoring
All end systems in the network infrastructure should be incorporated in the network access control system for control to be most effective. Access Control provides agent-based or agent-less endpoint assessment capabilities to determine the security posture of connecting devices. Aligned with industry standards, the system works with multiple assessment servers, authentication servers and security software agents to match the needs of organizations that may have existing assessment technology. The agent-less capability does not require the installation of a software security agent on the end system and is typically used for end systems such as guest PCs, IP phones, IP cameras or printers. The agent-less assessment scans for operating system and application vulnerabilities. The agent-based capability requires the installation of a software agent on the end system. The endpoint agent scans for anti-virus status, firewall status, operating system patches and peer-to-peer file sharing applications. The agent can look for any process or registry entry and automatically remediate.
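The authorization mechanics described in the Product Overview and Endpoint Baselining sections (a policy chosen per RADIUS reject reason, an assessment result that quarantines, warns with a grace period, or admits, and the result handed to the switch as a Filter-Id policy name or RFC 3580 VLAN attributes) fit in a small policy engine. The following Python is an added example written for this page, not Extreme Networks code; the policy names, VLAN numbers, the 0-10 risk score with its High/Medium/Low thresholds, and the reject-reason names are all assumptions.

```python
"""Policy decision to RADIUS authorization attributes.

Added example (not Extreme Networks code). Combines the authentication
outcome (including the RADIUS reject reason), the end system's group and
the assessment risk level into a policy, then expresses that policy as
either a Filter-Id value or RFC 3580 VLAN tunnel attributes. Policy names,
VLAN numbers, thresholds and reject reasons are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Union


class AuthResult(Enum):
    """Outcome of the RADIUS exchange with the backing directory (assumed values)."""
    ACCEPT = "accept"
    REJECT_NO_ACCOUNT = "reject-no-account"
    REJECT_EXPIRED_PASSWORD = "reject-expired-password"
    REJECT_OTHER = "reject-other"


# Assumed local risk thresholds on a 0-10 assessment score.
HIGH_RISK = 7.0
MEDIUM_RISK = 4.0


def risk_level(score: Optional[float]) -> str:
    """Map an assessment score to High/Medium/Low; None means not yet assessed."""
    if score is None:
        return "unassessed"
    if score >= HIGH_RISK:
        return "high"
    if score >= MEDIUM_RISK:
        return "medium"
    return "low"


@dataclass
class EndSystem:
    mac: str
    group: str                            # employee, contractor, guest, iot
    auth: AuthResult
    assessment_score: Optional[float] = None
    grace_expired: bool = False           # warning grace period has run out


@dataclass
class Decision:
    policy: str
    vlan: int
    reason: str


# Assumed policy catalogue: policy name -> VLAN that implements the same role.
POLICY_VLAN: Dict[str, int] = {
    "Enterprise User": 10, "Contractor": 20, "Guest Access": 30, "IoT": 40,
    "Unregistered": 96, "Failed Auth": 97, "Assessing": 98, "Quarantine": 99,
}
GROUP_POLICY = {"employee": "Enterprise User", "contractor": "Contractor",
                "guest": "Guest Access", "iot": "IoT"}


def decide(es: EndSystem) -> Decision:
    """Pre-connect (authentication) and post-connect (assessment) decision."""
    # A different policy per RADIUS reject reason: an expired password is a
    # known user who needs the remediation portal; an unknown account goes to
    # registration instead.
    if es.auth is AuthResult.REJECT_EXPIRED_PASSWORD:
        policy, why = "Failed Auth", "known account, expired password: remediation portal only"
    elif es.auth is AuthResult.REJECT_NO_ACCOUNT:
        policy, why = "Unregistered", "no account: registration portal only"
    elif es.auth is not AuthResult.ACCEPT:
        policy, why = "Failed Auth", "authentication rejected"
    else:
        base = GROUP_POLICY.get(es.group, "Unregistered")
        level = risk_level(es.assessment_score)
        if level == "unassessed":
            policy, why = "Assessing", "assessment pending, restricted access"
        elif level == "high":
            policy, why = "Quarantine", "high risk: isolated"
        elif level == "medium" and es.grace_expired:
            policy, why = "Quarantine", "medium risk: warning grace period expired"
        elif level == "medium":
            policy, why = base, "medium risk: user warned, grace period running"
        else:
            policy, why = base, "low risk"
    return Decision(policy, POLICY_VLAN[policy], why)


def to_radius_attributes(d: Decision, mode: str = "filter-id") -> Dict[str, Union[str, int]]:
    """Express the decision as Access-Accept attributes for the authenticating switch."""
    if mode == "filter-id":
        # The switch resolves the name to a local policy; the exact string
        # format it expects is vendor specific.
        return {"Filter-Id": d.policy}
    if mode == "rfc3580":
        # RFC 3580 VLAN assignment: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
        return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                "Tunnel-Private-Group-ID": str(d.vlan)}
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for es in (EndSystem("00:11:22:33:44:55", "employee", AuthResult.ACCEPT, 2.0),
               EndSystem("00:11:22:33:44:66", "employee", AuthResult.ACCEPT, 8.5),
               EndSystem("00:11:22:33:44:77", "contractor", AuthResult.ACCEPT, 5.0, True),
               EndSystem("00:11:22:33:44:88", "employee", AuthResult.REJECT_EXPIRED_PASSWORD),
               EndSystem("00:11:22:33:44:99", "iot", AuthResult.ACCEPT)):
        d = decide(es)
        print(es.mac, d.policy, to_radius_attributes(d, "rfc3580"), "#", d.reason)
```

The two encodings are not equivalent in what they enforce: RFC 3580 tunnel attributes work on any standards-compliant switch but only move the port into a VLAN, while a named policy on a policy-capable switch can carry the richer isolation rules the page describes (blocking a quarantined endpoint from attacking neighbours). A switch that does not understand the returned attribute generally applies its port default, so that default should be the most restrictive role.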

Notifications and Reporting
The advanced notification engine provides comprehensive functionality and integrates with the workflows of other alerting tools already in place. Enterprises can leverage and extend their existing automated processes to further reduce operational costs. Notifications occur for end-system additions or state changes, guest registration, any custom field change, and end-system health results. Notification is delivered through traps, syslog, email or web service. The notification engine has the ability to run a program triggered by a notification event. For example, integrated with the help desk application, notifications can be used to automatically map changes in the infrastructure to actions.

End-system reporting is simple with the Access Control web-based end-system data views. The system provides easy-to-use dashboards and detailed views of the health of the end systems attached or trying to attach to the network. Analysts responsible for monitoring end-system compliance can easily tailor the views to present the information in their preferred format. The reports can be generated as PDF files.

In addition, end-system monitoring and management plays a key role in understanding the network. It allows administrators to understand the "who, what, when, where, and how" for the end-systems on the network, providing better visibility, troubleshooting, and security. All information about an end-system, including its NetFlow data, is found by simply searching for a username, hostname, or address.

Integrations
ExtremeControl provides additional value through its integration with other Extreme Networks NetSight capabilities and Extreme Networks security products. For example, NAC management seamlessly integrates with NetSight policy management to enable "one click" enforcement of role-based access controls. The IP-to-ID Mapping feature binds together the user, hostname, IP address, MAC and location (switch and port, or wireless AP and SSID) along with timestamps for each endpoint, a key requirement for auditing and forensics. IP-to-ID Mapping is also used by NetSight Automated Security Manager to implement location-independent distributed intrusion prevention, and by Extreme Networks Security Information and Event Manager (SIEM) or other third-party SIEM/IPS solutions to pinpoint the source of a threat. NAC management in Extreme Control Center provides centralized visibility and highly efficient anytime, anywhere control of enterprise wired and wireless network resources. OneView, the unified control interface, enables simplified troubleshooting, help desk support tasks, problem solving and reporting. Users of any of the popular mobile devices can use their smart phone or tablet to access the NAC end-system view, system location and tracking information, and much more, anytime, anywhere.

The Extreme Connect API provides a simple, open, programmable and centrally managed way to implement Software Defined Networking (SDN) for any network. With Extreme Connect, business applications can be directly controlled from Extreme Control Center. The result is a complete SDN solution, including MDM integrations with vendors such as Airwatch, Mobile Iron, JAMF Software and more, as well as datacenter management, integration with iBoss web filters, and many other products.

Extreme Networks Identity and Access Appliance
The Identity and Access appliance controls endpoint authentication, security posture assessment and network authorization. For authentication services, the Identity and Access appliance acts as a RADIUS proxy, or as a RADIUS server for MAC authentication, which communicates with the organization's RADIUS authentication services (e.g. interfaces with Microsoft Active Directory or another LDAP-based directory service). The Identity and Access appliance supports 802.1X (Extensible Authentication Protocol), MAC, web-based and Kerberos snooping (with certain restrictions) authentication. For endpoint assessment, the Identity and Access appliance connects to multiple security assessment servers.

For authorization services, the Identity and Access appliance communicates RADIUS attributes to the authenticating switch. This allows the switch to dynamically authorize and allocate network resources to the connecting endpoint based on authentication and assessment results. The Identity and Access appliance also stores configuration information and the physical location of each endpoint. It easily scales to support redundancy and large deployments. Identity and Access appliance models are available to meet the needs of different-sized implementations. Assessment is separately licensed and includes both agent-based and agent-less assessment.

Extreme Control Management
Extreme Control software provides secure, policy-based management. From one centralized location, IT staff can configure and control the solution, simplifying deployment and ongoing administration. Access Control management also aggregates network connectivity and vulnerability statistics, audits network access activities, and provides detailed reports on vulnerabilities in the network. Management is simplified with a hierarchical structure that places end systems into administrative zones.
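The Notifications and Reporting section says end-system additions and state changes can be delivered as syslog, and the Integrations section says IP-to-ID Mapping binds user, hostname, IP, MAC and location with timestamps for forensics. The following Python, an added example rather than Extreme Networks code, shows the join an analyst needs from those two facts: it parses constructed syslog-style end-system events (the line format is an assumption), builds time-bounded sessions, and answers "who held this IP at this time", including the address-reuse case where the answer differs before and after a disconnect.

```python
"""IP-to-ID mapping for audit and forensics, built from end-system notifications.

Added example, not Extreme Networks code. Turns syslog-style end-system
state-change events into time-bounded sessions binding user, hostname, IP,
MAC and location, then answers "who held IP X at time T?". The syslog line
format and the sample lines are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample: a wired user who is quarantined and later disconnects, a
# wireless guest, and a second user who then receives the first user's address.
SAMPLE_SYSLOG = """\
2014-03-10T09:15:02Z nac1 NAC: end-system state=ACCEPT mac=00:11:22:33:44:55 ip=10.1.20.15 user=jdoe host=JDOE-LAPTOP switch=10.0.0.2 port=ge.1.7
2014-03-10T09:16:40Z nac1 NAC: end-system state=ACCEPT mac=aa:bb:cc:dd:ee:01 ip=10.1.30.8 user=guest-4471 host=iPad ap=AP-Lobby ssid=Guest
2014-03-10T11:02:11Z nac1 NAC: end-system state=QUARANTINE mac=00:11:22:33:44:55 ip=10.1.20.15 user=jdoe host=JDOE-LAPTOP switch=10.0.0.2 port=ge.1.7
2014-03-10T12:30:00Z nac1 NAC: end-system state=DISCONNECTED mac=00:11:22:33:44:55 ip=10.1.20.15
2014-03-10T12:45:09Z nac1 NAC: end-system state=ACCEPT mac=66:77:88:99:aa:bb ip=10.1.20.15 user=asmith host=ASMITH-PC switch=10.0.0.2 port=ge.1.9
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Session:
    mac: str
    ip: str
    user: str
    host: str
    location: str                           # "switch:port" or "ap/ssid"
    start: datetime
    end: Optional[datetime] = None          # None = still connected
    states: List[Tuple[datetime, str]] = field(default_factory=list)


def parse_events(text: str) -> List[Tuple[datetime, Dict[str, str]]]:
    """Timestamp plus key=value fields per line, sorted (syslog can arrive out of order)."""
    events = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
        events.append((parse_ts(tokens[0]), fields))
    events.sort(key=lambda e: e[0])
    return events


def _location(f: Dict[str, str]) -> str:
    if "switch" in f:
        return f"{f['switch']}:{f.get('port', '?')}"
    return f"{f.get('ap', '?')}/{f.get('ssid', '?')}"


def build_sessions(text: str) -> List[Session]:
    sessions: List[Session] = []
    open_by_mac: Dict[str, Session] = {}
    for ts, f in parse_events(text):
        mac, ip, state = f["mac"], f.get("ip", ""), f["state"]
        if state == "DISCONNECTED":
            s = open_by_mac.pop(mac, None)
            if s is not None:
                s.end = ts
            continue
        # Address reuse: the same IP appearing on another MAC closes that MAC's
        # session, so a later lookup never attributes it to the earlier owner.
        for other, s in list(open_by_mac.items()):
            if s.ip == ip and other != mac:
                s.end = ts
                del open_by_mac[other]
        s = open_by_mac.get(mac)
        if s is None or s.ip != ip:          # new device, or known device with a new IP
            if s is not None:
                s.end = ts
            s = Session(mac, ip, f.get("user", "?"), f.get("host", "?"), _location(f), ts)
            open_by_mac[mac] = s
            sessions.append(s)
        s.states.append((ts, state))
    return sessions


def lookup(sessions: List[Session], ip: str, at: datetime) -> Optional[Session]:
    """Who held `ip` at `at`? The end is exclusive: a disconnect frees the address."""
    for s in sessions:
        if s.ip == ip and s.start <= at and (s.end is None or at < s.end):
            return s
    return None


def search(sessions: List[Session], term: str) -> List[Session]:
    """Find sessions by username, hostname, IP or MAC, as the end-system view does."""
    t = term.lower()
    return [s for s in sessions if t in (s.user.lower(), s.host.lower(), s.ip, s.mac.lower())]


if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_SYSLOG)
    hit = lookup(sessions, "10.1.20.15", parse_ts("2014-03-10T11:30:00Z"))
    print(hit.user, hit.host, hit.mac, hit.location, [st for _, st in hit.states])
```

The session end is exclusive: once a DISCONNECTED event arrives the address is free, and a later ACCEPT on the same IP from a different MAC closes any still-open session for that address rather than leaving two owners. A SIEM correlating a flow record or IPS alert to a user should apply the same rule, and should treat a lookup that returns nothing as unknown rather than falling back to the last known owner of the address.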

Extreme Networks Identity and Access Virtual Appliance
The Identity and Access Virtual Appliance provides all the powerful endpoint authentication, security posture assessment and network authorization capabilities, built on VMware. By deploying the Identity and Access Virtual Appliance, enterprises gain all the benefits of network access control with the advantages of a virtual environment: cost savings from using existing hardware and reduced time to value. It is available with different sizing options for central locations as well as remote sites.

Additional Features
- "Bring your own device" (BYOD) control features, including mobile device registration and session-based user login.
- Proven interoperability with Microsoft NAP and Trusted Computing Group TNC.
- Support for Layer 2 deployment modes and support for all five deployment models: intelligent wired edge, intelligent wireless edge, non-intelligent wired edge, non-intelligent wireless edge, and VPN.
- Access Control provides VPN support and, with an Extreme Networks SSA switch in the distribution layer, provides more flexibility through policy.
- Redundancy for Layer 2 deployment modes provides high availability and eliminates the Identity and Access appliance as a single point of failure.
- Risk level configuration allows flexibility in determining the threat presented by the end system. Fine-grained control allows the NAC administrator to define High Risk, Medium Risk and Low Risk thresholds based on local security policies and concerns.
- Automatic endpoint discovery and location tracking by identifying new MAC addresses, new IP addresses, new 802.1X / web-based authentication sessions, or Kerberos or RADIUS requests from access switches.
- IPv6 support for implementation in networks with IPv6 end systems.
- Support for external RADIUS load balancers allows the external load balancer to evenly distribute the load for servicing authentication requests and configuring switches across a group of Access Control appliances.
- Support for multiple RADIUS and LDAP server groups allows administrators to identify the server to which a request is directed.
- Management options can be tailored to existing network management schemes and security requirements.
- Macintosh agent support for agent-based assessment.
- Open XML APIs support integration with IT workflows for automated, streamlined operations.
- Web-service based API simplifies integration with third-party applications.

System Requirements and Specifications

EXTREME NETWORKS IDENTITY AND ACCESS APPLIANCES

Physical Specifications
Height: 1.75" (4.45 cm) - 1U
Length: 27.95" (70.9 cm)
Width: 16.93" (43 cm)
Weight: 31.8 lbs (14.4 kg)

Power
Wattage: 750 Watt (max), each power supply
Voltage: 110/240 VAC
Frequency: 47-63 Hz

Environmental Specifications
Operating Temperature: 10 to 35 C (50 to 95 F)
Storage Temperature: -40 to 70 C (-40 to 158 F)
Operating Humidity: 5% to 90% (noncondensing)

Standards Compliance
Regulatory/Safety:
UL60950 - CSA 60950 (USA/Canada)
EN60950 (Europe)
IEC60950 (International)
CB Certificate and Report, IEC60950
GS Certification (Germany)
GOST R 50377-92 - Certification (Russia)
Ukraine Certification (Ukraine)
CE - Low Voltage Directive 2006/95/EC (Europe)
IRAM Certification (Argentina)

Emissions/Immunity:
FCC/ICES-003 - Emissions (USA/Canada)
CISPR 22 - Emissions (International)
EN55022 - Emissions (Europe)
EN55024 - Immunity (Europe)
EN61000-3-2 - Harmonics (Europe)
EN61000-3-3 - Voltage Flicker (Europe)
CE - EMC Directive 2004/108 EC (Europe)
VCCI Emissions (Japan)
AS/NZS 3548 Emissions (Australia/New Zealand)
BSMI CNS13438 Emissions (Taiwan)
GOST R 29216-91 Emissions (Russia)
GOST R 50628-95 Immunity (Russia)
Ukraine Certification (Ukraine)
KC Certification (Korea)

Extreme Networks Identity and Access Virtual Appliance
A virtual appliance is a software image that runs on a virtual machine. The Identity and Access Virtual Appliance is packaged in the .OVA file format defined by VMware and must be deployed on a VMware ESX 4.0, 4.1, 5.0, or 5.1 server or ESXi 4.0, 4.1, 5.0, or 5.1 server with a vSphere 4.0, 4.1, 5.0, or 5.1 client. The virtual appliance requires 12 GB of memory, four CPUs, two network adapters, and 40 GB of thick-provisioned hard drive space.

Server and Client Hardware Requirements
These are the hardware requirements for the server and client machines:

ExtremeControl Server
Minimum - 32-bit Windows 7; Dual-Core 2.4 GHz Processor, 2 GB RAM, 10 GB Free Disk Space
Medium - 64-bit Desktop, Windows 2008 R2 or Linux; Quad-Core 2.66 GHz Processor, 8 GB RAM, 40 GB Free Disk Space
Large - 64-bit Server Linux; Dual Quad-Core Intel Xeon CPU E5530 2.4 GHz Processors, 12 GB RAM, 100 GB Free Disk Space

ExtremeControl Client
Recommended - Dual-Core 2.4 GHz Processor, 2 GB RAM, Free Disk Space - 100 MB (User's home directory requires 50 MB for file storage)

Linux
Red Hat Enterprise Linux WS and ES v5 and v6 (64-bit and 32-bit)
SuSE Linux versions 10, 11, and 12.3 (64-bit and 32-bit)
Ubuntu 11.10 Desktop version (32-bit, remote NetSight client only)
Ubuntu 11.10, 12.04, and 13.04 (64-bit)

Mac
Mac OS X 64-bit (remote client only): Leopard, Snow Leopard, Lion, Mountain Lion, or Mavericks

VMware (64-bit Virtual Appliance)
VMware ESXi 4.0, 4.1, 5.0, 5.1, or 5.5 server

Assessment Agent OS Requirements
Supported operating systems for end systems connecting to the network through an Extreme Networks Access Control deployment that is implementing Extreme Networks agent-based assessment:
- Windows 2000
- Windows 2003
- Windows 2008
- Windows XP
- Windows Vista
- Windows 7
- Windows 8
- Windows 8.1
