DHCP mode, endpoint enforcement

How it works:
The DHCP server (Novell ZENworks Network Access Control) gives the endpoint:
- A quarantine-range IP address (*)
- A 255.255.255.255 netmask (effectively blocks outgoing traffic from the endpoint)
- No default gateway
- The Novell ZENworks Network Access Control server's IP as DNS server (it resolves every name except Accessible services to the Novell ZENworks Network Access Control IP address)
The switch is configured with additional IP helper addresses so that broadcast DHCP requests are forwarded to the enforcement servers (ESs) as well as to the production DHCP servers.

Accessible services and traffic:
The DHCP server (Novell ZENworks Network Access Control) also sends:
NOTE: Windows Update does not honor autoproxy. Workarounds include:
- Adding the Windows Update hostnames AND IP addresses to Accessible services, or
- Manually setting Novell ZENworks Network Access Control as the proxy (this setting has to be reversed once the system is out of quarantine).

DHCP mode, network enforcement

How it works:
The DHCP server (Novell ZENworks Network Access Control) gives the endpoint:
- A quarantine-range IP address
- The appropriate netmask for the quarantine subnet
- The appropriate default gateway
- The Novell ZENworks Network Access Control server's IP as DNS server (it resolves every name except Accessible services to the Novell ZENworks Network Access Control IP address)
The switch is configured with additional IP helper addresses so that broadcast DHCP requests are forwarded to the enforcement servers (ESs) as well as to the production DHCP servers.
The switches must be configured for multinetting (a multinetted segment), so that the production and quarantine networks share the same physical device (or devices) while the switch keeps them from talking to one another, enforced with ACLs. Each switch port can be placed on either the production or the quarantine network, and the gateway port carries a secondary IP address, so the production and quarantine networks have different gateway IP addresses.

Accessible services and traffic:
- Quarantine --> Novell ZENworks Network Access Control (OK)
- Production --> Quarantine (OK)
- Quarantine -|-> Production (NO)
- Quarantine -?-> Internet (Maybe**)

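The DHCP options from the two DHCP-mode rows above, written out as concrete scopes. This is an added illustration in ISC dhcpd syntax and not the product's own DHCP server configuration: in DHCP mode the ES hands out these options itself, while in 802.1X mode a third-party server such as this one does (and that row is also where the roughly 3-minute lease comes from). All addresses are made up, with 10.1.1.5 standing in for the ES and 10.201.0.1 for the switch's secondary (quarantine) gateway address.

```conf
# Added example: equivalent dhcpd scopes for the quarantine ranges described in
# the table. Addresses are constructed; 10.1.1.5 stands for the ES.

# DHCP mode, endpoint enforcement: a host-only mask and no "routers" option
# leave the endpoint with no route to anything except its DNS server, the ES.
subnet 10.200.0.0 netmask 255.255.255.0 {
    range 10.200.0.10 10.200.0.250;
    option subnet-mask 255.255.255.255;    # overrides the /24 computed from the declaration
    option domain-name-servers 10.1.1.5;   # ES answers every name with 10.1.1.5 except Accessible services
    # no "option routers": the endpoint gets no default gateway
    default-lease-time 180;                # ~3 minutes, as in the 802.1X row, so a remediated
    max-lease-time 180;                    # endpoint picks up a production lease quickly
}

# DHCP mode, network enforcement (and the 802.1X quarantine VLAN): a real
# quarantine subnet with its own gateway; the switch ACLs do the isolation.
subnet 10.201.0.0 netmask 255.255.255.0 {
    range 10.201.0.10 10.201.0.250;
    option routers 10.201.0.1;             # secondary address on the switch gateway port
    option domain-name-servers 10.1.1.5;
    default-lease-time 180;
    max-lease-time 180;
}
```

In both DHCP-mode rows the switch's VLAN interface carries an extra IP helper address for the ES, so the ES receives the same broadcast DISCOVER that the production DHCP server does; the ACLs in the network-enforcement row are what stop 10.201.0.0/24 from reaching production even though it has a working gateway.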
Inline / gateway, VPN split tunnel (multihomed endpoint)

How it works:
Novell ZENworks Network Access Control acts as the man-in-the-middle: iptables rewrites packets and forwards the traffic to the Novell ZENworks Network Access Control system itself.
The production network is protected from VPN users by iptables acting as a firewall. VPN users can only get through iptables by becoming compliant with a Novell ZENworks Network Access Control policy, after which a hole is opened for their VPN IP address.
NOTE: In this configuration the user has to try to access an internal site in order to be redirected to Novell ZENworks Network Access Control (unless the Novell ZENworks Network Access Control Agent is installed).

Accessible services and traffic:
There is no need to allow public sites (the endpoint reaches them directly, without going through the VPN and Novell ZENworks Network Access Control).
iptables does NOT rewrite traffic destined for the (internal) IP addresses listed in Accessible services.
The names listed in Accessible services are not used.

Inline / gateway, VPN not split tunnel (all traffic through VPN)

How it works:
Novell ZENworks Network Access Control acts as the man-in-the-middle: iptables rewrites packets and forwards the traffic to the Novell ZENworks Network Access Control system itself.
The production network is protected from VPN users by iptables acting as a firewall. VPN users can only get through iptables by becoming compliant with a Novell ZENworks Network Access Control policy, after which a hole is opened for their VPN IP address.

Accessible services and traffic:
iptables does NOT rewrite traffic destined for the IP addresses listed in Accessible services.
The names listed in Accessible services are not used. Because all of the endpoint's traffic goes through the VPN, any public site it needs while quarantined (Windows Update, for example) has to be listed by IP address in Accessible services.

802.1X

How it works:
The DHCP server (an MS DHCP server, for example) gives the endpoint:
- A quarantine-range IP address
- The appropriate netmask for the quarantine subnet
- The appropriate default gateway
- The Novell ZENworks Network Access Control server's IP as DNS server (it resolves every name except Accessible services to the Novell ZENworks Network Access Control IP address)
- A very short DHCP lease time (about 3 minutes), so that the endpoint picks up a production address soon after it is moved to the production VLAN
ACLs on the network devices must be configured to limit where endpoints on the quarantine VLAN can go.
iptables PREROUTING chains rewrite traffic that comes from the quarantine subnets (as defined in the user interface) and is destined for Novell ZENworks Network Access Control (because the Novell ZENworks Network Access Control DNS resolved the name to it) so that:
  Novell ZENworks Network Access Control:80 --> Novell ZENworks Network Access Control:88
  Novell ZENworks Network Access Control:443 --> Novell ZENworks Network Access Control:89
Traffic from non-quarantine ranges is not rewritten, so users can still reach the Novell ZENworks Network Access Control user interface on port 443.

Accessible services and traffic:
- Quarantine --> Novell ZENworks Network Access Control (OK)
- Production -?-> Quarantine (Maybe*)
- Quarantine -|-> Production (NO)
- Quarantine -?-> Internet (Maybe**)

NOTES:
- (*) The gateway does not have to be in the broadcast domain (which is good, since the netmask gives the endpoint no real broadcast domain), as long as it is on the same Layer 2 segment; the router will get you there.
- (**) Allowing access to the Internet is up to the customer, but it is necessary for reaching any Internet IP addresses listed in Accessible services.
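The iptables behaviour the table attributes to the ES, in the two inline / gateway rows (rewrite VPN traffic to the ES, firewall production until a VPN address has passed the policy check, leave Accessible services IP addresses alone) and in the 802.1X row (80 --> 88 and 443 --> 89 for quarantine sources only), as one rule set. This is an added example and not the product's own rules: it emits iptables-restore syntax from a few lists, so it runs offline. Interface names, addresses and the compliant-client list are constructed, and using ports 88/89 for the inline redirect as well (the table only names them for 802.1X) is an assumption.

```shell
#!/bin/sh
# Added example; not the product's own rule set. Emits, in iptables-restore
# syntax, rules for the two behaviours the table attributes to iptables on an ES:
#   1. inline / gateway rows: rewrite VPN traffic to the ES and firewall the
#      production network until a VPN address has passed the policy check;
#   2. 802.1X row: port-redirect quarantine sources that the quarantine DNS has
#      already pointed at the ES (80 -> 88, 443 -> 89), and nobody else.
# Interface names, addresses and the compliant-client list are constructed;
# reusing 88/89 for the inline redirect is an assumption.

NAC_IP="10.1.1.5"                              # the ES itself
VPN_IF="tun0"                                  # interface VPN users arrive on
QUARANTINE_NETS="10.200.0.0/24 10.201.0.0/24"  # quarantine ranges as defined in the UI
ACCESSIBLE_IPS="10.1.1.25 10.1.1.26"           # Accessible services by IP (names are not used)
COMPLIANT_VPN_IPS="172.16.5.10"                # VPN clients that already passed the policy check

# Print one rule line; "$*" joins the arguments with single spaces.
add() { printf '%s\n' "$*"; }

# Write the complete ruleset to stdout (pipe into iptables-restore to apply).
nac_ruleset() {
    add '*nat'
    add ':PREROUTING ACCEPT [0:0]'
    # Inline rows. Order matters: the RETURNs must precede the REDIRECTs, or
    # Accessible services and compliant clients would be captured as well.
    for ip in $ACCESSIBLE_IPS; do
        add -A PREROUTING -i "$VPN_IF" -d "$ip" -j RETURN
    done
    for ip in $COMPLIANT_VPN_IPS; do
        add -A PREROUTING -i "$VPN_IF" -s "$ip" -j RETURN
    done
    add -A PREROUTING -i "$VPN_IF" -p tcp --dport 80 -j REDIRECT --to-ports 88
    add -A PREROUTING -i "$VPN_IF" -p tcp --dport 443 -j REDIRECT --to-ports 89
    # 802.1X row: match on the quarantine source range AND destination = ES,
    # so an admin on a production address still reaches the UI on 443.
    for net in $QUARANTINE_NETS; do
        add -A PREROUTING -s "$net" -d "$NAC_IP" -p tcp --dport 80 -j REDIRECT --to-ports 88
        add -A PREROUTING -s "$net" -d "$NAC_IP" -p tcp --dport 443 -j REDIRECT --to-ports 89
    done
    add COMMIT

    add '*filter'
    add ':FORWARD ACCEPT [0:0]'
    # Inline rows, firewall half: from the VPN side only replies, Accessible
    # services and compliant clients are forwarded into production.
    add -A FORWARD -i "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for ip in $ACCESSIBLE_IPS; do
        add -A FORWARD -i "$VPN_IF" -d "$ip" -j ACCEPT
    done
    for ip in $COMPLIANT_VPN_IPS; do
        add -A FORWARD -i "$VPN_IF" -s "$ip" -j ACCEPT    # the "hole" for a compliant client
    done
    add -A FORWARD -i "$VPN_IF" -j DROP
    add COMMIT
}

nac_ruleset
```

Apply with `nac_ruleset | iptables-restore`. When a VPN client passes the policy check later, its two rules (the RETURN in nat PREROUTING and the ACCEPT in FORWARD) are inserted at position 1 with `iptables -I <chain> 1 ...` so that they precede the REDIRECT and the DROP; that insertion is the hole the inline rows describe, and removing the two rules closes it again.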