Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Assessment Design Procedures

5-18 Design Procedures

2. Determine Assessment Server Location

Whendeterminingthelocationoftheassessmentserversonthenetwork,thefollowingfactors

shouldbeconsidered:

•Thetypeofassessment:agent‐lessoragent‐based.

Agent‐lessassessmentconsumesmorebandwidththanagent‐basedassessmentduringthe

scanofanend‐system.However,itisimportanttounderstandthattheamount

ofbandwidth

consumedbyagent‐lessassessmentshouldonlybeconsideredwhenalargenumberofend‐

systemsarebeingassessedoveraseverelybandwidth‐restrictedlink.Forexample,if1000

end‐systemsareconnectedtoabranchofficeovera512Kbpsconnectionthatisalsocarrying

latency‐sensitive

VoIPandotherreal‐timeapplications,itisrecommendedtopositionan

assessmentserveratthebranchofficetoexecuteassessmentforconnectingdevicesandavoid

congestiononthebandwidthrestrictedlink.

•End‐systemconfigurationfortheassociatedSecurityDomain.

Ifagent‐lessassessmentisimplementedandconnectingend‐systemsare

runningpersonal

firewalls,theassessmentserverlocationmayberelevanttotheeffectivenessofthe

assessments.Forexample,MicrosoftXPSP2isenabledbydefaultwithapersonalfirewallthat

deniesallunsolicitedinboundconnectionattempts.Therefore,aMicrosoftXPSP2personal

firewallwillpreventthesuccessfulexecutionofanend

‐systemassessmentunlessthefirewall

isconfiguredtoallowspecifictypesofunsolicitedinboundconnections,suchasfromspecific

IPaddressesoroverspecificprotocolsasdefinedintheExceptionslist.Thismaybe

configuredbytheenduserviaweb‐basedremediationorthroughaWindowsdomain

controllergroup

policydefinition.

3. Identify Assessment Server Configuration

Anassessmentserverutilizesthird‐partyassessingsoftwaretoexecutescansagainstconnecting

end‐systems,andthissoftwaremustbelocal ly configuredwiththesecurityassessment

parameters.Thethird‐partyassessingsoftwareonallassessmentserversbelongingtothesame

SecurityDomainmustbeconfiguredidenticallysothatconsistencyismaintained

inthe

assessmentofallconnectingend‐systemswithinthatdomain.Theselectionofthevulnerabilities

assessedbytheassessmentserversisbasedsolelyontheenterprisesecuritypolicy.Herearesome

examplesofvulnerabilityassessmentconfiguration:

•Remotescansthatutilizealocallyconfiguredaccountontheend‐systemcanevaluate



virtuallyanyconfigurationdetailsoftheend‐systemwithintherightsoftheaccount.Foran

administrativeaccount,anyend‐systemparameterscanbecheckedincludingtheregistry

settingsandtherunningservices.Examplesincludethedateofantivirusdefinitionfiles,

installationofantivirussoftware,statusofantivirusprotection,installed

patches,and

personalfirewallstatusandconfigurationinformation.

•Remotescansthatdonotutilizealocallyconfiguredaccountontheend‐systemcanevaluatea

morelimitedsetofvulnerabilitiesthroughtheassessmentofremotelyaccessibleserviceson

theend‐system.ExamplesincludeOS‐specificvulnerabilitiesaccessedthroughopenTCP/

UDPports

andvulnerabilitiesofremotely‐accessibleservicesrunningontheend‐system(FTP

server,HTTPserver).

TheSANSTop20securityvulnerabilitiesprovideasuggestedbaseguidelineconfigurationfor

enterprisesinitiallydeployingNACwithend‐systemassessment(http://www.sans.org/top20/).

Third‐partyassessingsoftwareregularlyreleasesupdatestoassessnewlyidentifiedsecurity

vulnerabilities.Asubscriptiontosuchaserviceisrecommendedtomaintainanup‐to‐date

assessmentengineonthenetwork.Newvulnerabilitiesonlyneedtobeincludedintheassessment

previous next