
Designing Access Controls
Finalize Security Policies
■ User groups (or any other criteria used by
a. Instead of creating a single test access profile and a single quarantine access profile (as explained in “Access Group Policies with IDM” on page
b. Set different VLAN IDs in each profile.
c. In each access policy group, create a rule that matches the Unknown, Quarantine, and Infected postures to that group's test and quarantine profiles (Unknown to the test profile, Quarantine to the quarantine profile). Unknown and quarantined endpoints then receive different VLAN assignments, and therefore IP addresses on different subnets, according to the user's group.
d. Match each NAC policy to the appropriate subnet addresses. Because an endpoint might be tested in a test VLAN (Unknown posture, pre-connect testing), quarantine VLAN (Quarantine posture,
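The following is an added example, not code from the NAC 800 guide, that models steps a through d: one test and one quarantine profile per user group, each with its own VLAN ID, posture rules per group, and NAC policies matched by subnet. It then checks the point behind step d: every subnet an endpoint of a group can land on, in any posture, must be matched by exactly one NAC policy. The group names, VLAN IDs, subnets, the "Healthy" posture name, one subnet per VLAN, and the mapping of Infected to the quarantine profile are all assumptions made for the illustration; in the sample data the Finance NAC policy deliberately omits its quarantine subnet so the check has something to report.

```python
"""Per-group test/quarantine VLAN assignment and a NAC-policy coverage check.

Added example (not code from the NAC 800 guide). Group names, VLAN IDs,
subnets and the "Healthy" posture name are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Postures the access policy rules key on. "Healthy" stands in for the
# normal-access posture (assumed name); the other three are named in the guide.
POSTURES = ("Healthy", "Unknown", "Quarantine", "Infected")


@dataclass(frozen=True)
class AccessProfile:
    """An access profile: the VLAN it assigns and (assumed) the subnet on that VLAN."""
    name: str
    vlan_id: int
    subnet: ipaddress.IPv4Network


@dataclass(frozen=True)
class NacPolicy:
    """A NAC policy and the subnets it is configured to match (step d)."""
    name: str
    subnets: tuple


def build_group_rules(production, test, quarantine):
    """Step c for one user group: Unknown -> that group's test profile,
    Quarantine and Infected -> that group's quarantine profile.
    (Mapping Infected to the quarantine profile is an assumption.)"""
    return {
        "Healthy": production,
        "Unknown": test,
        "Quarantine": quarantine,
        "Infected": quarantine,
    }


def _profile(name, vlan, cidr):
    return AccessProfile(name, vlan, ipaddress.ip_network(cidr))


# Steps a and b: a separate test and quarantine profile, with its own VLAN ID,
# for each user group (constructed sample data).
GROUP_RULES = {
    "Engineering": build_group_rules(
        _profile("eng-prod", 10, "10.1.10.0/24"),
        _profile("eng-test", 110, "10.1.110.0/24"),
        _profile("eng-quar", 210, "10.1.210.0/24"),
    ),
    "Finance": build_group_rules(
        _profile("fin-prod", 20, "10.1.20.0/24"),
        _profile("fin-test", 120, "10.1.120.0/24"),
        _profile("fin-quar", 220, "10.1.220.0/24"),
    ),
}

# Step d as an administrator might misconfigure it: the Finance policy omits
# the quarantine subnet, so quarantined Finance endpoints are not matched by
# their group's NAC policy.
NAC_POLICIES = (
    NacPolicy("Engineering", (ipaddress.ip_network("10.1.10.0/24"),
                              ipaddress.ip_network("10.1.110.0/24"),
                              ipaddress.ip_network("10.1.210.0/24"))),
    NacPolicy("Finance", (ipaddress.ip_network("10.1.20.0/24"),
                          ipaddress.ip_network("10.1.120.0/24"))),
)


def vlan_for(group, posture, rules=GROUP_RULES):
    """VLAN an endpoint of `group` in `posture` is placed on."""
    return rules[group][posture].vlan_id


def nac_policies_for(address, policies=NAC_POLICIES):
    """Names of the NAC policies whose subnet lists contain `address`."""
    ip = ipaddress.ip_address(address)
    return [p.name for p in policies if any(ip in s for s in p.subnets)]


def coverage_problems(rules=GROUP_RULES, policies=NAC_POLICIES):
    """Check step d: every subnet an endpoint can land on, in any posture,
    should be matched by exactly one NAC policy. Returns
    {(group, posture): [matching policy names]} for each pair where that
    does not hold (no match, or an ambiguous match)."""
    problems = {}
    for group, posture_rules in rules.items():
        for posture in POSTURES:
            subnet = posture_rules[posture].subnet
            matched = [p.name for p in policies
                       if any(subnet.subnet_of(s) for s in p.subnets)]
            if len(matched) != 1:
                problems[(group, posture)] = matched
    return problems


if __name__ == "__main__":
    print(vlan_for("Engineering", "Unknown"), vlan_for("Finance", "Unknown"))
    print(nac_policies_for("10.1.110.7"))
    for key, matched in coverage_problems().items():
        print("not covered by exactly one NAC policy:", key, matched)
```

Run the coverage check whenever a profile's VLAN or a NAC policy's subnet list changes; an unmatched (group, posture) pair means endpoints in that state fall through to whatever default policy applies, which is usually not the set of tests you intended for that group.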
Design NAC Policies

Chapter 2: “Customer Needs Assessment” and “Comprehensive Security Policy” on page
you must translate those policies into NAC policies.

The sections below help you list the tests required to make your NAC policies enforce your security policies.

Note: The NAC 800 comes
and high). Before configuring a new policy, check whether one of these policies is suitable for your system.

Tests for Minimal Endpoint Integrity. All endpoints should be free of malware and have all current patches. These minimal requirements ensure that endpoints are not currently infected and are also protected against known vulnerabilities.