Out-of-Band NAC Design Procedures
5-26 Design Procedures
Figure 5-6 Policy Role Configuration in NetSight Policy Manager
Assessment Policy
The Assessment Policy may be used to temporarily allocate a set of network resources to end-systems while they are being assessed. For Enterasys policy-enabled switches, a corresponding policy role (created in Policy Manager) should allocate the set of network resources the assessment server needs to successfully complete its end-system assessment, while restricting the end-system's access to the rest of the network. For example, if the assessment server is configured to scan for FTP vulnerabilities, and the Assessment Policy does not allow FTP traffic from the end-system onto the network, then the assessment server will not detect the FTP vulnerabilities on the end-system.

To achieve this tradeoff, the Assessing policy role can be configured to deny all traffic by default, and be associated with classification rules that permit traffic to all assessment servers, using destination IP address Permit classification rules, as shown in Figure 5-7. Therefore, all traffic involved in the end-system's assessment is allowed onto the network. In addition, other basic network services such as ARP, DHCP, and DNS are allowed onto the network so the end-system can establish IP connectivity while being assessed.

The Assessment Policy can also be configured to implement web notification during the execution of the assessment, to inform the end user that access to the network has been temporarily restricted while the assessment takes place. This is implemented by allowing HTTP traffic onto the network in addition to the other services previously described.
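The following is an added example, not part of the guide or of Policy Manager: a small model of the Assessing role described above (default deny, destination-IP Permit rules toward the assessment servers, plus ARP, DHCP, DNS and HTTP), used to check which of a scanner's probes the role would block. The server addresses, ports and sample flows are constructed assumptions.

```python
# Added example: evaluate sample flows from an assessed end-system against a
# model of the Assessing policy role. All addresses and ports are constructed.
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed assessment server addresses (would come from the Permit rules' destination IPs).
ASSESSMENT_SERVERS = {ip_address("10.0.0.50"), ip_address("10.0.0.51")}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str         # IP address; ignored for ARP
    proto: str       # "arp", "udp" or "tcp"
    dport: int = 0   # destination port for tcp/udp

def is_permitted(flow: Flow) -> bool:
    """Classification rules in evaluation order; the role's default action is deny."""
    # Basic services so the end-system can obtain IP connectivity while assessed.
    if flow.proto == "arp":
        return True
    if flow.proto == "udp" and flow.dport in (67, 53):   # DHCP (client->server), DNS
        return True
    # Web notification: HTTP is allowed so the user can be told access is restricted.
    if flow.proto == "tcp" and flow.dport == 80:
        return True
    # Destination-IP Permit rules: anything addressed to an assessment server passes,
    # so the scanner's probes (e.g. an FTP check on tcp/21) get their replies back.
    if flow.proto in ("tcp", "udp") and ip_address(flow.dst) in ASSESSMENT_SERVERS:
        return True
    return False  # default deny for everything else (other hosts, other services)

def blocked_probe_ports(end_system: str, scanner: str, probe_ports: list[int]) -> list[int]:
    """Return the scanner's probe ports whose return traffic the role would drop.

    A non-empty result means the scanner is missing from the Permit rules and its
    findings for those services would be silently lost, as the guide warns.
    """
    return [p for p in probe_ports
            if not is_permitted(Flow(end_system, scanner, "tcp", p))]

if __name__ == "__main__":
    # Constructed sample: an FTP probe from a listed scanner versus a forgotten one.
    print(blocked_probe_ports("10.1.1.20", "10.0.0.50", [21, 22, 445]))   # []
    print(blocked_probe_ports("10.1.1.20", "10.0.0.99", [21, 22, 445]))   # [21, 22, 445]
```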