Figure 5-6 Policy Role Configuration in NetSight Policy Manager
Assessment Policy
The Assessment Policy may be used to temporarily allocate a set of network resources to end‐ systems while they are being assessed. For Enterasys policy‐enabled switches, a corresponding policy role (created in Policy Manager) should allocate the appropriate set of network resources needed by the assessment server to successfully complete its end‐system assessment, while restricting the end‐systemʹs access to the network. For example, if the assessment server is configured to scan for FTP vulnerabilities, and the Assessment Policy does not allow FTP traffic from the end‐system onto the network, then the assessment server will not detect the FTP vulnerabilities on the end‐system.
To achieve this trade off, the Assessing policy role can be configured by default to deny all traffic, and be associated to classification rules that permit traffic to all assessment servers, using destination IP address Permit classification rules, as shown in Figure 5‐7. Therefore, all traffic involved with the end‐systemʹs assessment is allowed onto the network. In addition, other basic network services such as ARP, DHCP, and DNS are allowed onto the network so the end‐system can establish IP connectivity in the network while being assessed.
The Assessment Policy can also be configured to implement web notification during the execution of the assessment, to inform the end user that access to the network has been temporarily restricted while the assessment takes place. This is implemented by allowing HTTP traffic onto the network in addition to the other services previously described.