Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Out-of-Band NAC Design Procedures

5-26 Design Procedures

Figure 5-6 Policy Role Configuration in NetSight Policy Manager

Assessment Policy

TheAssessmentPolicymaybeusedtotemporarilyallocate asetofnetworkresourcestoend‐

systemswhiletheyarebeingassessed.ForEnterasyspolicy‐enabledswitches,acorresponding

policyrole(createdinPolicyManager)shouldallocatetheappropriatesetofnetworkresources

neededbytheassessmentservertosuccessfullycomplete

itsend‐systemassessment,while

restrictingtheend‐systemʹsaccesstothenetwork.Forexample,iftheassessmentserveris

configuredtoscanforFTPvulnerabilities,andtheAssessmentPolicydoesnotallowFTPtr affic

fromtheend‐systemontothenetwork,thentheassessmentserverwillnotdetect

theFTP

vulnerabilitiesontheend‐system.

Toachievethistradeoff,theAssessingpolicyrolecanbeconfiguredbydefaulttodenyalltraffic,

andbeassociatedtoclassificationrulesthatpermittraffictoallassessmentservers,using

destinationIPaddressPermitclassificationrules,asshowninFigure5‐7.

Therefore,alltraffic

involvedwiththeend‐systemʹsassessmentisallowedontothenetwork.Inaddition,otherbasic

networkservicessuchasARP,DHCP,andDNSareallowedontothenetworksotheend‐system

canestablishIPconnectivityinthenetworkwhilebeingassessed.

TheAssessmentPolicycanalso

beconfiguredtoimplementwebnotificationduringtheexecution

oftheassessment,toinformtheenduserthataccesstothenetworkhasbeentemporarily

restrictedwhiletheassessmenttakesplace.ThisisimplementedbyallowingHTTPtrafficontothe

networkinadditiontotheotherservicespreviouslydescribe d.

previous next