Assessment Design Procedures
Enterasys NAC Design Guide 5-17
Manager will not match this end-system and the end-system is assigned the Security Domain’s default NAC configuration. In addition, the Layer 3 NAC Controller is not able to determine the username associated to the downstream end-system for matching against user overrides, and the end-system is assigned the Security Domain’s default NAC configuration.
Assessment Design Procedures
The following section provides the design procedures for implementing assessment in your NAC deployment.

1. Determine the Number of Assessment Servers

Assessment servers are used to implement assessment functionality in NAC deployments. Use the following parameters to determine the number of required assessment servers for your deployment:
• Load-sharing requirements. More than one assessment server may be required to handle the number of end-systems being assessed at any one time. The number of end-systems that can be assessed at the same time and the amount of time required to complete an assessment are determined by the number of vulnerabilities being assessed, throughput limitations on the network, and the hardware specifications of the assessment server machine. Load-sharing of end-system assessment is implemented in a round-robin fashion between the assessment servers available in the assessment resource pool.

• Assessment server redundancy. To provide redundancy, at least two assessment servers should be configured per NAC deployment, with additional assessment servers added for load-balancing and scalability purposes.
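The two sizing parameters above can be worked through as a small model. The following Python is an added example, not code from the Enterasys guide or the NAC product: it estimates how many end-systems are in assessment at once from an arrival rate and an assessment duration, derives a server count that covers that load and still meets the guide's minimum of two servers, and then hands end-systems to pool members round-robin, skipping any server that is down. The per-server concurrency figure, the N+1 spare, and the server names are assumptions of this model; the guide says only that capacity depends on vulnerability count, network throughput and hardware, so the figure has to be measured in your own deployment.

```python
"""Added example (not from the Enterasys NAC Design Guide): sizing and
round-robin scheduling for an assessment resource pool."""
import math
from typing import Dict, Iterable, Optional


def concurrent_assessments(arrivals_per_minute: float, assessment_seconds: float) -> float:
    """Little's law: end-systems in assessment at once = arrival rate x time per assessment."""
    return arrivals_per_minute * (assessment_seconds / 60.0)


def required_assessment_servers(peak_concurrent: float, per_server_capacity: int,
                                minimum_for_redundancy: int = 2) -> int:
    """Servers needed to carry the peak load plus one spare, never fewer than two.

    per_server_capacity (end-systems one server can scan at the same time) is an
    assumed, deployment-specific figure: it falls with the number of vulnerability
    checks and rises with server hardware and available network throughput.
    The +1 spare is this model's choice so that one failed server does not push
    the remaining servers past capacity.
    """
    if per_server_capacity <= 0:
        raise ValueError("per_server_capacity must be positive")
    for_load = math.ceil(peak_concurrent / per_server_capacity)
    return max(minimum_for_redundancy, for_load + 1)


class AssessmentResourcePool:
    """Round-robin hand-out of end-systems to the servers in the pool.

    Servers marked down are skipped, which is what redundancy has to deliver
    when one member of the pool is unavailable.
    """

    def __init__(self, servers: Iterable[str]):
        self._servers = list(servers)
        self._down = set()
        self._next = 0
        self.assignments: Dict[str, str] = {}   # end-system MAC -> server, for audit

    def mark_down(self, server: str) -> None:
        self._down.add(server)

    def mark_up(self, server: str) -> None:
        self._down.discard(server)

    def assign(self, end_system_mac: str) -> Optional[str]:
        """Pick the next available server; None if every server is down."""
        for _ in range(len(self._servers)):
            server = self._servers[self._next]
            self._next = (self._next + 1) % len(self._servers)
            if server not in self._down:
                self.assignments[end_system_mac] = server
                return server
        return None


if __name__ == "__main__":
    # Constructed figures: 30 end-systems/minute, 120 s per scan, 25 concurrent scans per server.
    load = concurrent_assessments(30, 120)
    print("peak concurrent assessments:", load)
    print("servers required:", required_assessment_servers(load, 25))
    pool = AssessmentResourcePool(["as1", "as2", "as3"])   # placeholder server names
    for mac in ("00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"):
        print(mac, "->", pool.assign(mac))
```

With a server down, `assign` continues around the ring and returns the next healthy member, so the remaining servers absorb the failed server's share; if the sizing left no headroom, that is the point at which assessments start to queue.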
The same assessment server can be used for multiple Security Domains, and each assessment server can assess end-systems using different sets of assessment parameters, depending on the device, the user, or where in the network the end-system is connected. Here are some examples:
• If guests and other untrusted users are to be assessed for a different set of security vulnerabilities than trusted users, a Security Domain can be associated to the areas of the network where untrusted users connect, and can specify an Assessment Configuration that uses assessment servers configured for the assessment of untrusted users. If trusted users connect to this same Security Domain, another Assessment Configuration that leverages assessment servers configured to assess vulnerabilities of trusted users can be utilized. Note that if several Security Domains require the same assessment parameters, then these Security Domains can be configured to use the same Assessment Configuration.

• If a certain type of end-system (for example, an end-system of a particular model, having a particular OS, and running specific services) connects to the network in a certain area, or is identified by MAC address, a Security Domain and MAC override can be associated to this area of the network that uses an Assessment Configuration that leverages assessment servers that assess vulnerabilities specific to that type of end-system. For example, an area of the network where Microsoft IAS servers connect or where Polycom IP phones connect can be configured to utilize an assessment server configured to scan for Microsoft IAS web server-related vulnerabilities or Polycom IP phone default settings.
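The two examples above, together with the earlier note that a Layer 3 NAC Controller cannot learn the username and therefore falls back to the Security Domain's default, describe a lookup: an end-system's Security Domain, MAC overrides and user overrides select an Assessment Configuration, which in turn names the assessment servers and scan profile to use. The following Python is an added example, not code from the Enterasys guide or the NAC product, that models that lookup. The precedence order (exact MAC, then OUI prefix, then user override, then domain default), the OUI-prefix matching, and every MAC, username, pool and configuration name in the sample data are assumptions of this model; the OUI used is a placeholder, not a real vendor prefix.

```python
"""Added example (not from the Enterasys NAC Design Guide): resolving an
end-system to an Assessment Configuration through Security Domain overrides."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AssessmentConfiguration:
    name: str
    server_pool: str        # assessment resource pool whose servers run this scan
    vulnerability_set: str  # scan profile those servers are configured with


@dataclass
class SecurityDomain:
    """A Security Domain covers an area of the network and carries one default
    Assessment Configuration plus per-MAC and per-user overrides."""
    name: str
    default: AssessmentConfiguration
    # keys are full MACs or three-octet OUI prefixes (prefix support is this model's assumption)
    mac_overrides: Dict[str, AssessmentConfiguration] = field(default_factory=dict)
    # keys are usernames as learned by the NAC appliance
    user_overrides: Dict[str, AssessmentConfiguration] = field(default_factory=dict)


def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-CC-..' and 'aa:bb:cc:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def resolve_assessment(domain: SecurityDomain, mac: str,
                       username: Optional[str] = None) -> Tuple[AssessmentConfiguration, str]:
    """Return the configuration to apply and a reason string for the audit log.

    Precedence is an assumption of this model, not stated by the guide: exact
    MAC override, then OUI override, then user override, then domain default.
    An appliance that cannot determine the username (the Layer 3 NAC Controller
    case in the guide) passes username=None, so user overrides can never match
    and the end-system gets a MAC override or the domain default.
    """
    mac = normalize_mac(mac)
    if mac in domain.mac_overrides:
        return domain.mac_overrides[mac], f"mac override {mac}"
    oui = mac[:8]
    if oui in domain.mac_overrides:
        return domain.mac_overrides[oui], f"oui override {oui}"
    if username is not None and username in domain.user_overrides:
        return domain.user_overrides[username], f"user override {username}"
    return domain.default, f"default for domain {domain.name}"


# Constructed sample data: pool names, MACs, usernames and profiles are placeholders.
UNTRUSTED = AssessmentConfiguration("untrusted-users", "guest-pool", "full-external-scan")
TRUSTED = AssessmentConfiguration("trusted-users", "corp-pool", "corp-baseline")
IAS = AssessmentConfiguration("ias-servers", "server-pool", "ias-web-checks")
PHONES = AssessmentConfiguration("ip-phones", "voice-pool", "phone-default-settings")

GUEST_AREA = SecurityDomain("guest-wlan", default=UNTRUSTED,
                            user_overrides={"alice": TRUSTED})        # constructed trusted user
SERVER_AREA = SecurityDomain("datacenter", default=TRUSTED,
                             mac_overrides={"aa:bb:cc:dd:ee:01": IAS,  # one IAS server, constructed MAC
                                            "00:11:22": PHONES})      # placeholder OUI for the phones


if __name__ == "__main__":
    for domain, mac, user in ((GUEST_AREA, "AA-BB-CC-00-00-01", "alice"),
                              (GUEST_AREA, "aa:bb:cc:00:00:01", None),
                              (SERVER_AREA, "AA:BB:CC:DD:EE:01", None),
                              (SERVER_AREA, "00-11-22-33-44-55", None)):
        cfg, why = resolve_assessment(domain, mac, user)
        print(f"{domain.name:10} {mac:18} -> {cfg.name} via {cfg.server_pool} ({why})")
```

The reason string is worth keeping in the assessment log: when an end-system is scanned with the wrong profile, the first question is which rule selected the configuration, and the second case above (username unknown, so the default applies) is the one the guide warns about for Layer 3 deployments.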