Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Assessment Design Procedures

Enterasys NAC Design Guide 5-17

Managerwillnotmatchthisend‐systemandtheend‐systemisassignedtheSecurityDomain’s

defaultNACconfiguration.Inaddition,theLayer3NACControllerisnotabletodeterminethe

usernameassociatedtothedownstreamend‐systemformatchingagainstuseroverrides,andthe

end‐systemisassignedthe

SecurityDomain’sdefaultNACconfiguration.

Assessment Design Procedures

ThefollowingsectionprovidesthedesignproceduresforimplementingassessmentinyourNAC

deployment.

1. Determine the Number of Assessment Servers

AssessmentserversareusedtoimplementassessmentfunctionalityinNACdeployments.Usethe

followingparameterstodeterminethenumberofrequiredassessmentserversforyour

deployment:

•Load‐sharingrequirements.

Morethanoneassessmentservermayberequiredtohandlethenumberofend‐systemsbeing

assessedatanyonetime.Thenumber

ofend‐systemsthatcanbeassessedatthesametime

andtheamountoftimerequiredtocompleteanassessmentisdeterminedbythenumberof

vulnerabilitiesbeingassessed,throughputlimitationsonthenetwork,andthehardware

specificationsoftheassessmentservermachine.Load‐sharingofend‐systemassessment

is

implementedinaroundrobinfashionbetweentheassessmentserversavailableinthe

assessmentresourcepool.

• Assessmentserverredundancy.

Toprovideredundancy,atleasttwoassessmentserversshouldbeconfiguredperNAC

deployment,withadditionalassessmentserversaddedforload‐balancingandscalability

purposes.

Thesameassessmentservercanbeused

formultipleSecurityDomains,andeachassessment

servercanassessend‐systemsusingdifferentsetsofassessmentparameters,dependingonthe

device,user,orlocationisinthenetwork.Herearesomeexamples:

•Ifguestsandotheruntrustedusersaretobeassessedforadifferentsetofsecurity

vulnerabilitiesthan

trustedusers,aSecurityDomaincanbeassociatedtotheareasofthe

networkwhereuntrustedusersconnect,andcanspecifyanAssessmentConfigurationthat

usesassessmentserversconfiguredfortheassessmentofuntrustedusers.Iftrustedusers

connecttothissameSecurityDomain,anotherAssessmentConfigurationthatleverages

assessment

serversconfiguredtoassessvulnerabilitiesoftrusteduserscanbeutilized.Note

thatifseveralSecurityDomainsrequirethesameassessmentparameters,thentheseSecurity

DomainscanbeconfiguredtousethesameAssessmentConfiguration.

•Ifacertaintypeofend‐system(forexample,anend‐systemofaparticularmodel,

havinga

particularOS,andrunningspecificservices)connectstothenetworkinacertainarea,oris

identifiedbyMACaddress,aSecurityDomainandMACoverridecanbeassociatedtothis

areaofthenetworkthatusesanAssessmentConfigurationthatleveragesassessmentservers

thatassessvulnerabilitiesspecificto

thattypeofend‐system.Forexample,anareaofthe

networkwhereMicrosoftIASserversconnectorwherePolycomIPphonesconnectcanbe

configuredtoutilizeanassessmentserverconfiguredtoscanforMicrosoftIASwebserver‐

relatedvulnerabilitiesorPolycomIPphonedefaultsettings.

previous next