Enterasys-networks 9034385 Manuale Utente Scaricare il pdf (Pagina 90)

Out-of-Band NAC Design Procedures

5-26 Design Procedures

Figure 5-6 Policy Role Configuration in NetSight Policy Manager

Assessment Policy

TheAssessmentPolicymaybeusedtotemporarilyallocate asetofnetworkresourcestoend‐

systemswhiletheyarebeingassessed.ForEnterasyspolicy‐enabledswitches,acorresponding

policyrole(createdinPolicyManager)shouldallocatetheappropriatesetofnetworkresources

neededbytheassessmentservertosuccessfullycomplete

itsend‐systemassessment,while

restrictingtheend‐systemʹsaccesstothenetwork.Forexample,iftheassessmentserveris

configuredtoscanforFTPvulnerabilities,andtheAssessmentPolicydoesnotallowFTPtr affic

fromtheend‐systemontothenetwork,thentheassessmentserverwillnotdetect

theFTP

vulnerabilitiesontheend‐system.

Toachievethistradeoff,theAssessingpolicyrolecanbeconfiguredbydefaulttodenyalltraffic,

andbeassociatedtoclassificationrulesthatpermittraffictoallassessmentservers,using

destinationIPaddressPermitclassificationrules,asshowninFigure5‐7.

Therefore,alltraffic

involvedwiththeend‐systemʹsassessmentisallowedontothenetwork.Inaddition,otherbasic

networkservicessuchasARP,DHCP,andDNSareallowedontothenetworksotheend‐system

canestablishIPconnectivityinthenetworkwhilebeingassessed.

TheAssessmentPolicycanalso

beconfiguredtoimplementwebnotificationduringtheexecution

oftheassessment,toinformtheenduserthataccesstothenetworkhasbeentemporarily

restrictedwhiletheassessmenttakesplace.ThisisimplementedbyallowingHTTPtrafficontothe

networkinadditiontotheotherservicespreviouslydescribe d.

1 2 ... 85 86 87 88 89 90 91 92 93 94 95 96 97 98

Nessun commento

Enterasys-networks 9034385 Manuale Utente Pagina 90