Assessment Design Procedures
5-18 Design Procedures
2. Determine Assessment Server Location
When determining the location of the assessment servers on the network, the following factors should be considered:
• The type of assessment: agent-less or agent-based.
Agent-less assessment consumes more bandwidth than agent-based assessment during the scan of an end-system, because every probe and response crosses the network between the assessment server and the end-system, whereas an agent scans locally and only reports its results. However, the bandwidth consumed by agent-less assessment only needs to be considered when a large number of end-systems are being assessed over a severely bandwidth-restricted link. For example, if 1000 end-systems are connected to a branch office over a 512 Kbps connection that is also carrying latency-sensitive VoIP and other real-time applications, it is recommended to position an assessment server at the branch office to execute assessment for connecting devices and avoid congestion on the bandwidth-restricted link.
• End-system configuration for the associated Security Domain.
If agent-less assessment is implemented and connecting end-systems are running personal firewalls, the assessment server location may be relevant to the effectiveness of the assessments. For example, Microsoft Windows XP SP2 is enabled by default with a personal firewall that denies all unsolicited inbound connection attempts. Therefore, the Windows XP SP2 personal firewall will prevent the successful execution of an end-system assessment unless the firewall is configured to allow specific types of unsolicited inbound connections, such as from specific IP addresses or over specific protocols, as defined in the Exceptions list. Because such exceptions are normally scoped to the assessment servers' IP addresses or subnet, adding or relocating an assessment server also requires the exception scope on the end-systems to be updated. This may be configured by the end user via web-based remediation or through a Windows domain controller group policy definition.
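The following is an added example of the exception configuration described above; it is not taken from the design guide or from any vendor's remediation content. It applies, on a Windows XP SP2 end-system, the built-in Windows Firewall service exceptions that an agent-less scan over RPC/WMI and SMB needs, scoped to a single assessment server address. The address 10.10.5.20 is hypothetical, and the same values would be set centrally through the Windows Firewall Group Policy settings in a domain.

```powershell
# Added example, not from the design guide. Run with administrative rights on a
# Windows XP SP2 end-system, or push the equivalent settings by Group Policy.
# Assumed: the assessment server is 10.10.5.20 and scans over RPC/WMI and SMB.
$AssessmentServer = "10.10.5.20"   # hypothetical; a subnet such as 10.10.5.0/24 is also accepted

# Remote Administration covers the RPC endpoint mapper (TCP 135) plus the dynamic
# RPC ports that WMI and remote service control use.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM "addresses=$AssessmentServer" profile=ALL

# File and Printer Sharing covers TCP 139/445, through which the Remote Registry
# service (registry-based checks) is reached.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM "addresses=$AssessmentServer" profile=ALL

# Inbound ICMP echo request lets the server confirm reachability before a scan.
netsh firewall set icmpsetting type=8 mode=ENABLE profile=ALL

# Display the resulting exception set so the change can be verified.
netsh firewall show service
netsh firewall show state
```

The scope is deliberately CUSTOM rather than ALL: the exceptions open RPC and SMB only to the assessment server, not to every host on the network, which is why the server's address (or subnet) must be known when the end-system configuration for the Security Domain is defined.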
3. Identify Assessment Server Configuration
An assessment server utilizes third-party assessing software to execute scans against connecting end-systems, and this software must be locally configured with the security assessment parameters. The third-party assessing software on all assessment servers belonging to the same Security Domain must be configured identically so that consistency is maintained in the assessment of all connecting end-systems within that domain. The selection of the vulnerabilities assessed by the assessment servers is based solely on the enterprise security policy. Here are some examples of vulnerability assessment configuration:
• Remote scans that utilize a locally configured account on the end-system can evaluate virtually any configuration details of the end-system within the rights of the account. For an administrative account, any end-system parameters can be checked, including the registry settings and the running services. Examples include the date of antivirus definition files, installation of antivirus software, status of antivirus protection, installed patches, and personal firewall status and configuration information. Note that the assessment server must hold the credentials for this account, so it should be a dedicated account used only for assessment, and the assessment server itself must be protected accordingly.
• Remote scans that do not utilize a locally configured account on the end-system can evaluate a more limited set of vulnerabilities through the assessment of remotely accessible services on the end-system. Examples include OS-specific vulnerabilities exposed through open TCP/UDP ports and vulnerabilities of remotely accessible services running on the end-system (FTP server, HTTP server).
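The following is an added example illustrating both kinds of remote scan above; it is not code from the design guide or from any third-party assessing software. Run from an assessment server, it performs a credentialed check (antivirus status from Windows Security Center, firewall service and profile settings read from the registry over WMI, installed hotfixes) and an uncredentialed check (which forbidden services accept a TCP connection). The hostnames, the required hotfix list and the rule that workstations may not expose FTP or HTTP are hypothetical policy values; the WMI namespace root\SecurityCenter and the FirewallPolicy registry path are those of Windows XP SP2.

```powershell
# Added example, not from the design guide or from any vendor's assessing
# software. Run from the assessment server under an account with administrative
# rights on the end-systems. Each end-system must allow inbound RPC/WMI and SMB
# from this server's address through its personal firewall.
# Hypothetical values: the hostnames, the required hotfix list, and the rule that
# workstations may not run FTP (TCP 21) or HTTP (TCP 80) servers.
param(
    [string[]] $EndSystems       = @("ws-branch-01", "ws-branch-02"),
    [string[]] $RequiredHotfixes = @("KB917422", "KB921883"),
    [int[]]    $ForbiddenPorts   = @(21, 80)
)

$HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE as the StdRegProv class expects it

function Get-FirewallEnabled($Computer, $ProfileName) {
    # Credentialed registry check: EnableFirewall under the Domain or Standard
    # profile of the XP SP2 firewall policy, read remotely through StdRegProv.
    $reg = [wmiclass] "\\$Computer\root\default:StdRegProv"
    $key = "SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$ProfileName"
    $r = $reg.GetDWORDValue($HKLM, $key, "EnableFirewall")
    if ($r.ReturnValue -ne 0) { return $null }   # value absent: the profile default applies
    return ($r.uValue -eq 1)
}

function Get-OpenTcpPorts($Computer, [int[]] $Ports) {
    # Uncredentialed check: which of the listed services accept a connection from
    # the assessment server. One-second connect timeout per port.
    $open = @()
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($Computer, $port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne(1000, $false) -and $client.Connected) { $open += $port }
        } catch { }   # unresolvable host or socket error: treat the port as closed
        $client.Close()
    }
    return $open
}

function Test-EndSystem($Computer) {
    $findings = @()

    # Antivirus presence, on-access status and definition currency, as reported by
    # Windows Security Center on XP SP2 (root\SecurityCenter; Vista+ use SecurityCenter2).
    $av = Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct -ComputerName $Computer
    if (-not $av) { $findings += "no antivirus product registered" }
    else {
        foreach ($p in @($av)) {
            if (-not $p.onAccessScanningEnabled) { $findings += "$($p.displayName): on-access scanning disabled" }
            if (-not $p.productUptoDate)         { $findings += "$($p.displayName): definitions out of date" }
        }
    }

    # Personal firewall: the SharedAccess service must be running and the
    # firewall must be enabled in both profiles.
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $Computer -Filter "Name='SharedAccess'"
    if (-not $svc -or $svc.State -ne "Running") { $findings += "Windows Firewall service not running" }
    foreach ($fwProfile in "DomainProfile", "StandardProfile") {
        if ((Get-FirewallEnabled $Computer $fwProfile) -eq $false) { $findings += "firewall disabled in $fwProfile" }
    }

    # Installed patches, from the hotfix inventory the OS keeps.
    $installed = @(Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $Computer | ForEach-Object { $_.HotFixID })
    foreach ($kb in $RequiredHotfixes) {
        if ($installed -notcontains $kb) { $findings += "missing $kb" }
    }

    # Remotely accessible services that policy does not allow on a workstation.
    foreach ($port in Get-OpenTcpPorts $Computer $ForbiddenPorts) {
        $findings += "listening service reachable on TCP $port"
    }

    New-Object PSObject -Property @{
        EndSystem = $Computer
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

foreach ($c in $EndSystems) {
    $result = Test-EndSystem $c
    if ($result.Compliant) { "${c}: PASS" }
    else { "${c}: FAIL - " + ($result.Findings -join "; ") }
}
```

Everything in Test-EndSystem except Get-OpenTcpPorts depends on the account's rights on the end-system and on the firewall exceptions being in place; if the exceptions are missing, the WMI calls fail and the end-system cannot be distinguished from a non-compliant one, which is the effect the previous procedure warns about. The port check needs no credentials and works regardless, which is why it can only report what is reachable, not why.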
The SANS Top 20 security vulnerabilities list provides a suggested base guideline configuration for enterprises initially deploying NAC with end-system assessment (http://www.sans.org/top20/).
Third-party assessing software regularly releases updates to assess newly identified security vulnerabilities. A subscription to such a service is recommended to maintain an up-to-date assessment engine on the network. New vulnerabilities only need to be included in the assessment