Novell ZENWORKS NETWORK ACCESS CONTROL 5.0 - 09-22-2008 User Manual page 153

Enforcement mode: DHCP enforcement mode (network multinetting segment)

How endpoints are quarantined and redirected to Novell ZENworks Network Access Control:

Switches must be configured for multinetting (there can be two networks on the same physical device (or devices) that cohabitate, but they should not be able to talk to one another, as enforced by the switch using ACLs; each port on the switch will be allowed to be on either the production or the quarantine network, and the switch will have a secondary IP address assigned to the gateway port, so there will be different gateway IP addresses for the production and quarantine networks) so that the DHCP server (Novell ZENworks Network Access Control) gives the endpoint:

  - Quarantine range IP address
  - Appropriate netmask for the quarantine subnet
  - Appropriate default gateway
  - Novell ZENworks Network Access Control server's IP as DNS server (will resolve everything except Accessible services to the Novell ZENworks Network Access Control IP address)

The switch is configured with additional IP helper addresses to forward broadcast DHCP requests to ESs (enforcement servers) as well as to the production DHCP servers.

How quarantined endpoints reach accessible devices:

Novell ZENworks Network Access Control (fake root) DNS: as in endpoint enforcement (for access to names in Accessible services). The DNS server forwards requests for accessible services to a real DNS server for resolution.

ACLs on the switch prevent quarantined systems from talking to production systems, but allow the following specific traffic:

  Quarantine --> Novell ZENworks Network Access Control (OK)
  Production --> Quarantine (OK)
  Quarantine -|-> Production (NO)
  Quarantine -?-> Internet (Maybe*)
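The two controls on this page, the fake-root DNS that answers with the NAC server's own address for everything outside Accessible services and the switch ACL between the two cohabiting networks, modelled together in Python as an added example (not Novell's code or switch configuration). All addresses, the quarantine pool, the production DNS zone and the Accessible services list are constructed. Two details are assumptions about how a stateless switch ACL has to be written for the listed rules to work, not statements from the manual: an explicit permit from the quarantine network to each accessible service's address (otherwise the DNS answer for that service is useless), and an exception for the return half of flows that the production side opened.

```python
"""Model of DHCP enforcement mode on a multinetted segment (added example)."""
import ipaddress

# Constructed addressing for one multinetted segment (assumptions, not from the manual):
# both networks share the switch; the gateway port carries a primary and a secondary IP.
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/24")
QUARANTINE_NET = ipaddress.ip_network("10.10.100.0/24")
PRODUCTION_GW = ipaddress.ip_address("10.10.0.1")     # primary IP on the gateway port
QUARANTINE_GW = ipaddress.ip_address("10.10.100.1")   # secondary IP on the same port
NAC_SERVER = ipaddress.ip_address("10.10.0.5")        # enforcement server, also the fake-root DNS
QUARANTINE_POOL = ("10.10.100.50", "10.10.100.200")   # range the NAC DHCP server hands out

# Constructed production DNS zone and the subset of it listed as Accessible services.
PRODUCTION_ZONE = {
    "wsus.corp.example": "10.10.0.20",
    "av.corp.example": "10.10.0.21",
    "intranet.corp.example": "10.10.0.30",
}
ACCESSIBLE_SERVICES = {"wsus.corp.example", "av.corp.example"}

# The manual's "Quarantine -?-> Internet (Maybe*)" row is a site decision.
ALLOW_QUARANTINE_TO_INTERNET = False


def quarantine_lease(index):
    """What the NAC DHCP server gives a quarantined endpoint: an address from the
    quarantine range, the quarantine netmask, the quarantine gateway (the switch's
    secondary IP) and the NAC server as DNS."""
    first, last = (ipaddress.ip_address(a) for a in QUARANTINE_POOL)
    addr = first + index
    if addr > last:
        raise ValueError("quarantine pool exhausted")
    return {"ip": str(addr), "netmask": str(QUARANTINE_NET.netmask),
            "gateway": str(QUARANTINE_GW), "dns": str(NAC_SERVER)}


def real_dns(fqdn):
    """Stand-in for the production DNS server (constructed answers)."""
    return PRODUCTION_ZONE.get(fqdn)


def fake_root_resolve(name, upstream=real_dns):
    """The NAC 'fake root' DNS: names in Accessible services are forwarded to the
    real DNS server; every other name answers with the NAC server's IP, so the
    endpoint's browser lands on the NAC server instead of its intended host."""
    fqdn = name.rstrip(".").lower()
    if fqdn in ACCESSIBLE_SERVICES:
        return upstream(fqdn)
    return str(NAC_SERVER)


def zone(ip):
    """Which side of the multinetted segment an address belongs to."""
    ip = ipaddress.ip_address(ip)
    if ip == NAC_SERVER:
        return "nac"
    if ip in QUARANTINE_NET:
        return "quarantine"
    if ip in PRODUCTION_NET:
        return "production"
    return "internet"


def acl_permits(src, dst, reply=False):
    """Switch ACL between the cohabiting networks, following the manual's table.
    `reply` marks the return half of a flow the destination side opened; without
    that exception a stateless ACL would break Production --> Quarantine sessions."""
    s, d = zone(src), zone(dst)
    if s == d:
        return True                          # same network: the ACL is not involved
    if s == "quarantine":
        if d == "nac":
            return True                      # Quarantine --> NAC (OK)
        if d == "production":
            # Assumption: explicit permits for the accessible services' addresses.
            accessible_ips = {real_dns(n) for n in ACCESSIBLE_SERVICES}
            if str(ipaddress.ip_address(dst)) in accessible_ips:
                return True
            return reply                     # Quarantine -|-> Production (NO)
        return ALLOW_QUARANTINE_TO_INTERNET  # Quarantine -?-> Internet (Maybe*)
    if d == "quarantine":
        if s == "internet":
            return ALLOW_QUARANTINE_TO_INTERNET
        return True                          # Production --> Quarantine (OK); NAC likewise
    return True                              # neither side is quarantine: not this ACL's job


def quarantined_lookup(name, endpoint_ip="10.10.100.50"):
    """What a quarantined endpoint gets when it asks for `name`: the address the
    fake-root DNS answers with, and whether the ACL lets it reach that address."""
    answer = fake_root_resolve(name)
    return answer, acl_permits(endpoint_ip, answer)


if __name__ == "__main__":
    print(quarantine_lease(0))
    for n in ("wsus.corp.example", "intranet.corp.example", "www.example.net"):
        print(n, "->", quarantined_lookup(n))
```

Reading the model against the table: a quarantined endpoint asking for `intranet.corp.example` is answered with the NAC server's address and the ACL permits that path, which is the redirect the page describes; asking for `wsus.corp.example` is answered by the real DNS server, and that only helps if the switch ACL also permits the quarantine network to reach that address, which is the assumption worth confirming on the real switch.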
Endpoint Activity 153
