Enterasys Networks 9034385 User Manual

Page 74


Procedures for Out-of-Band and Inline NAC

5-10 Design Procedures

The following table provides network scenarios from an assessment standpoint that should be 
taken into account when identifying the number and configuration of Security Domains.

Table 5-2 Security Domain Configuration Guidelines for Assessment

Network Scenario:
An area of the network, or a group of end-systems or users, that requires end-system assessment with a common set of assessment parameters, or with a distinct set of parameters different from other areas of the network.

Examples:

• Switches that provide open access to the network, such as guest access areas. This requires that the Security Domain be associated to an Assessment Configuration that deeply scans connecting end-systems, since untrusted users are allowed access to the network.

• Switches that provide access to trusted users on the network. This requires that the Security Domain be associated to an Assessment Configuration that scans for vulnerabilities common to the applications and platforms used by trusted users, such as Windows XP and Microsoft Internet Explorer.

• Switches that provide access to a specific group of devices (for example, IP phones and printers), devices running a specific set of applications (such as e-mail servers or web servers), or PCs running a specific OS (Windows Server 2003, Windows XP, Red Hat Linux, Mac OS). This requires that the Security Domain be associated to an Assessment Configuration that scans the connecting end-systems for vulnerabilities specific to the type of end-system.

• A group of devices, identified by MAC address, that are running a specific OS. This requires that a MAC override identifying these devices be associated to an Assessment Configuration that scans these connecting end-systems for vulnerabilities specific to that OS.

• A group of devices, identified by MAC address, that are a specific device type, such as printers or IP phones. This requires that a MAC override identifying these devices be associated to an Assessment Configuration that scans for vulnerabilities specific to the type of end-system, such as embedded web servers with default login credentials. Because a MAC address can be cloned by any end-system, a MAC override should not map such devices to a lighter scan than the default of any Security Domain in which an untrusted user could present that address.

• Users, identified by username, who are identified as high-risk personnel on the network. This requires that a user override identifying these users be associated to an Assessment Configuration that deeply scans these connecting end-systems for potentially malicious tools, applications, malware, and vulnerabilities.

Security Domain Configuration:
Create an Assessment Configuration specifically configured to validate these security compliance parameters. In NAC Manager, create a Security Domain that uses this Assessment Configuration and leverages assessment servers configured to validate these security compliance parameters.
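The table above describes three ways an end-system ends up with an Assessment Configuration: the default of the Security Domain its switch belongs to, a MAC override, or a user override. The following Python model is an added example written for this page, not Enterasys code and not NAC Manager's actual resolution logic; the precedence it applies (user override, then MAC override, then Security Domain default), the scan-depth ranking, and all switch, domain, MAC and username values are assumptions constructed for illustration. Its design check flags MAC overrides that would let a cloned MAC address dodge the deep scan required on an open-access Security Domain, the caveat raised in the table.

```python
"""Resolve which Assessment Configuration a connecting end-system receives,
and check a NAC design for MAC overrides that weaken open-access scanning.

Added example for this page; not Enterasys/NAC Manager code. Precedence
(user override > MAC override > Security Domain default) and the scan-depth
ranking below are assumptions for this example only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed relative scan depth of each Assessment Configuration (higher = deeper).
# Configuration names are illustrative, not names from the manual.
SCAN_DEPTH: Dict[str, int] = {
    "Guest-Deep-Scan": 3,
    "HighRisk-Deep-Scan": 3,
    "Trusted-Client-Scan": 2,
    "Windows-Server-Scan": 2,
    "Printer-IPPhone-Scan": 1,
}


@dataclass
class EndSystem:
    mac: str
    switch: str                     # switch the end-system connected through
    username: Optional[str] = None  # None for unauthenticated/guest connections


@dataclass
class NacDesign:
    domain_of_switch: Dict[str, str]      # switch -> Security Domain
    domain_assessment: Dict[str, str]     # Security Domain -> Assessment Configuration
    open_access_domains: Set[str]         # domains where untrusted users may connect
    mac_overrides: Dict[str, str] = field(default_factory=dict)   # MAC -> Assessment Configuration
    user_overrides: Dict[str, str] = field(default_factory=dict)  # username -> Assessment Configuration

    def resolve(self, es: EndSystem) -> Tuple[str, str]:
        """Return (assessment_configuration, selector) for one end-system.
        Assumed precedence: user override, then MAC override, then domain default."""
        if es.username is not None and es.username in self.user_overrides:
            return self.user_overrides[es.username], "user override"
        mac = es.mac.lower()
        if mac in self.mac_overrides:
            return self.mac_overrides[mac], "MAC override"
        domain = self.domain_of_switch[es.switch]
        return self.domain_assessment[domain], f"domain default ({domain})"

    def weak_mac_overrides(self) -> List[Tuple[str, str, str]]:
        """Design check: a MAC override applies wherever that address appears, and
        MAC addresses can be cloned. Any override shallower than the default scan
        of an open-access domain lets an untrusted user on that domain avoid the
        deep scan by presenting the overridden MAC. Returns (mac, config, domain)."""
        findings = []
        for domain in sorted(self.open_access_domains):
            baseline = SCAN_DEPTH[self.domain_assessment[domain]]
            for mac, cfg in sorted(self.mac_overrides.items()):
                if SCAN_DEPTH[cfg] < baseline:
                    findings.append((mac, cfg, domain))
        return findings


# Constructed sample design mirroring the table's scenarios (all values assumed).
DESIGN = NacDesign(
    domain_of_switch={
        "sw-lobby-1": "Guest",        # open guest access area
        "sw-floor2-1": "Employees",   # trusted users
        "sw-dc-1": "Servers",         # specific OS/application group
    },
    domain_assessment={
        "Guest": "Guest-Deep-Scan",
        "Employees": "Trusted-Client-Scan",
        "Servers": "Windows-Server-Scan",
    },
    open_access_domains={"Guest"},
    mac_overrides={"00:11:22:33:44:55": "Printer-IPPhone-Scan"},  # a printer
    user_overrides={"jdoe": "HighRisk-Deep-Scan"},               # high-risk user
)


if __name__ == "__main__":
    samples = [
        EndSystem("aa:bb:cc:00:00:01", "sw-lobby-1"),            # anonymous guest
        EndSystem("00:11:22:33:44:55", "sw-floor2-1"),           # printer on employee switch
        EndSystem("aa:bb:cc:00:00:02", "sw-floor2-1", "jdoe"),   # high-risk user
        EndSystem("00:11:22:33:44:55", "sw-lobby-1"),            # guest presenting printer MAC
    ]
    for es in samples:
        cfg, why = DESIGN.resolve(es)
        print(f"{es.mac} via {es.switch:<12} -> {cfg:<22} [{why}]")
    for mac, cfg, domain in DESIGN.weak_mac_overrides():
        print(f"WARNING: MAC override {mac} -> {cfg} is shallower than the "
              f"{domain} domain default; a cloned MAC on {domain} would evade the deep scan")
```

The last sample end-system shows the failure mode the check exists for: a guest port sees the printer's MAC address and, under MAC-override precedence, receives the printer scan instead of the deep guest scan. Whether the real NAC Manager resolves overrides in this order is not stated on this page, so verify the precedence in your own deployment before relying on the check.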
