Assessment Design Procedures
Enterasys NAC Design Guide 5-17
Manager will not match this end-system and the end-system is assigned the Security Domain's default NAC configuration. In addition, the Layer 3 NAC Controller is not able to determine the username associated to the downstream end-system for matching against user overrides, and the end-system is assigned the Security Domain's default NAC configuration.
Assessment Design Procedures
The following section provides the design procedures for implementing assessment in your NAC deployment.
1. Determine the Number of Assessment Servers
Assessment servers are used to implement assessment functionality in NAC deployments. Use the following parameters to determine the number of required assessment servers for your deployment:
• Load-sharing requirements.
More than one assessment server may be required to handle the number of end-systems being assessed at any one time. The number of end-systems that can be assessed at the same time and the amount of time required to complete an assessment is determined by the number of vulnerabilities being assessed, throughput limitations on the network, and the hardware specifications of the assessment server machine. Load-sharing of end-system assessment is implemented in a round robin fashion between the assessment servers available in the assessment resource pool.
• Assessment server redundancy.
To provide redundancy, at least two assessment servers should be configured per NAC deployment, with additional assessment servers added for load-balancing and scalability purposes.
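The two parameters above, round-robin load sharing across the assessment resource pool and a redundancy minimum of two servers, can be modelled in a few lines. The following is an added example written for this page, not Enterasys code: the server names and end-system MAC addresses are constructed, and the sizing estimate in required_servers() is the editor's own capacity rule (peak concurrent assessments divided by per-server capacity, floored at the guide's two-server minimum), not a formula from the guide.

```python
from dataclasses import dataclass, field
import math

# Hypothetical model of a NAC assessment resource pool (added example).
# Server names, capacities and MAC addresses below are constructed sample values.


@dataclass
class AssessmentServer:
    name: str
    available: bool = True                      # redundancy: an unavailable server is skipped
    assigned: list = field(default_factory=list)


class AssessmentResourcePool:
    """Round-robin load sharing across the assessment servers that are available."""

    def __init__(self, servers):
        self.servers = list(servers)
        self._next = 0

    def select_server(self):
        # Walk the pool at most once per selection, skipping unavailable servers,
        # so a failed server is bypassed instead of receiving assessments.
        for _ in range(len(self.servers)):
            server = self.servers[self._next % len(self.servers)]
            self._next += 1
            if server.available:
                return server
        raise RuntimeError("no assessment server available in the pool")

    def dispatch(self, end_system_mac):
        server = self.select_server()
        server.assigned.append(end_system_mac)
        return server.name


def required_servers(peak_concurrent_end_systems, per_server_capacity, redundancy_min=2):
    """Sizing estimate (editor's assumption, not from the guide): enough servers to
    cover the peak number of concurrent assessments, and never fewer than the
    redundancy minimum the guide recommends."""
    if per_server_capacity <= 0:
        raise ValueError("per-server capacity must be positive")
    needed = math.ceil(peak_concurrent_end_systems / per_server_capacity)
    return max(needed, redundancy_min)


def demo():
    pool = AssessmentResourcePool([AssessmentServer("assess-1"),
                                   AssessmentServer("assess-2"),
                                   AssessmentServer("assess-3")])
    macs = [f"02:00:00:00:00:{i:02x}" for i in range(6)]   # constructed sample MACs
    first_round = [pool.dispatch(m) for m in macs]
    # Simulate one server failing; the pool keeps serving from the remaining two.
    pool.servers[1].available = False
    second_round = [pool.dispatch(m) for m in macs[:4]]
    return first_round, second_round


if __name__ == "__main__":
    print(demo())
    print(required_servers(250, per_server_capacity=100))
```

The demo() call shows the round-robin walk distributing six end-systems evenly over three servers, then continuing over the two remaining servers once one is marked unavailable; required_servers() returns 3 for 250 concurrent assessments at 100 per server, and 2 (the redundancy floor) when a single server would otherwise suffice.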
The same assessment server can be used for multiple Security Domains, and each assessment server can assess end-systems using different sets of assessment parameters, depending on the device, the user, or the location in the network. Here are some examples:
• If guests and other untrusted users are to be assessed for a different set of security vulnerabilities than trusted users, a Security Domain can be associated to the areas of the network where untrusted users connect, and can specify an Assessment Configuration that uses assessment servers configured for the assessment of untrusted users. If trusted users connect to this same Security Domain, another Assessment Configuration that leverages assessment servers configured to assess vulnerabilities of trusted users can be utilized. Note that if several Security Domains require the same assessment parameters, then these Security Domains can be configured to use the same Assessment Configuration.
• If a certain type of end-system (for example, an end-system of a particular model, having a particular OS, and running specific services) connects to the network in a certain area, or is identified by MAC address, a Security Domain and MAC override can be associated to this area of the network that uses an Assessment Configuration that leverages assessment servers that assess vulnerabilities specific to that type of end-system. For example, an area of the network where Microsoft IAS servers connect or where Polycom IP phones connect can be configured to utilize an assessment server configured to scan for Microsoft IAS web server-related vulnerabilities or Polycom IP phone default settings.
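Both examples above come down to one lookup: which Assessment Configuration, and therefore which assessment servers and scan profile, applies to an end-system given its Security Domain, whether its user is trusted, and whether a MAC override matches. The block below is an added example written for this page and is not Enterasys code or the NAC Manager's actual resolution logic. The domain, configuration and server names and the MAC prefixes are constructed, and the precedence it applies (MAC override first, then the trusted-user configuration, then the domain default) is an assumption made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of Security Domain -> Assessment Configuration -> assessment
# server resolution (added example). All names and MAC prefixes are constructed.


@dataclass(frozen=True)
class AssessmentConfiguration:
    name: str
    servers: tuple      # assessment servers configured for this scan profile
    profile: str        # what those servers are configured to scan for


@dataclass
class SecurityDomain:
    name: str
    default_config: AssessmentConfiguration
    trusted_config: Optional[AssessmentConfiguration] = None
    mac_overrides: dict = field(default_factory=dict)   # MAC prefix -> configuration

    def resolve(self, mac: str, user_trusted: bool) -> AssessmentConfiguration:
        mac = mac.lower()
        # Assumed precedence: a MAC override (device type identified by address)
        # is checked first, so a phone or server is scanned for its own profile
        # regardless of which user class authenticated on it.
        for prefix, config in self.mac_overrides.items():
            if mac.startswith(prefix.lower()):
                return config
        # Trusted users get the trusted-user configuration where one is defined.
        if user_trusted and self.trusted_config is not None:
            return self.trusted_config
        # Everything else is assessed with the domain's default configuration.
        return self.default_config


# Constructed Assessment Configurations; the same servers may appear in several.
GUEST_SCAN = AssessmentConfiguration("guest-scan", ("assess-1", "assess-2"),
                                     "untrusted-user vulnerabilities")
EMPLOYEE_SCAN = AssessmentConfiguration("employee-scan", ("assess-1", "assess-2"),
                                        "trusted-user vulnerabilities")
IAS_SCAN = AssessmentConfiguration("ias-scan", ("assess-3",),
                                   "Microsoft IAS web server-related vulnerabilities")
PHONE_SCAN = AssessmentConfiguration("phone-scan", ("assess-3",),
                                     "Polycom IP phone default settings")

# Constructed Security Domains. The two branch domains share one configuration,
# as the guide allows when they need the same assessment parameters.
GUEST_WLAN = SecurityDomain("guest-wlan", GUEST_SCAN, trusted_config=EMPLOYEE_SCAN)
VOICE_LAN = SecurityDomain("voice-lan", EMPLOYEE_SCAN,
                           mac_overrides={"0a:11:22": PHONE_SCAN})      # constructed prefix
DATACENTER = SecurityDomain("datacenter", EMPLOYEE_SCAN,
                            mac_overrides={"0a:33:44": IAS_SCAN})       # constructed prefix
BRANCH_A = SecurityDomain("branch-a", GUEST_SCAN)
BRANCH_B = SecurityDomain("branch-b", GUEST_SCAN)


def assessment_for(domain: SecurityDomain, mac: str, user_trusted: bool) -> dict:
    """Return the configuration name, server list and profile an end-system would get."""
    config = domain.resolve(mac, user_trusted)
    return {"config": config.name, "servers": list(config.servers), "profile": config.profile}


if __name__ == "__main__":
    print(assessment_for(GUEST_WLAN, "0A:99:88:77:66:55", user_trusted=False))
    print(assessment_for(GUEST_WLAN, "0A:99:88:77:66:55", user_trusted=True))
    print(assessment_for(VOICE_LAN, "0A:11:22:00:00:01", user_trusted=True))
    print(assessment_for(DATACENTER, "0A:33:44:00:00:09", user_trusted=False))
```

Running the block shows the same Security Domain (guest-wlan) handing a guest and a trusted user to different Assessment Configurations, a Polycom-style MAC override winning even when the user is trusted, and assess-3 being reused by two configurations with different scan profiles; BRANCH_A and BRANCH_B point at one shared GUEST_SCAN object rather than two copies.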