Security Solutions
3-62
Designing Access Controls
Choose Endpoint Integrity Testing Methods
Note This rule has one exception. You must open port 1500 manually on an endpoint that
meets all three of these conditions:
■ Is unmanaged
■ Runs Windows XP
■ Uses a third-party firewall (such as Norton) instead of the Windows XP SP2 firewall
Advantages and Disadvantages of NAC Agent Testing
The NAC agent can be installed on any Windows endpoint capable of being
tested (Windows 98 or later). Once installed, the NAC EI agent allows the
NAC 800 to test the endpoint in the background at any time. In addition,
the NAC EI agent automatically receives updates from the NAC 800. Finally,
the NAC 800 can test an endpoint through its firewall, generally opening the
necessary ports automatically.
However, the NAC EI agent does require an initial setup on each endpoint and
user interaction.
ActiveX
When using the ActiveX method, the NAC 800 automatically downloads and
installs the ActiveX agent on the endpoint to be tested. Unlike the NAC agent,
the ActiveX agent is removed from the endpoint after the testing is completed.
Requirements for ActiveX Testing
The ActiveX agent uses ActiveX controls and JavaScript, so the endpoint’s
browser security settings must allow such content from the NAC 800. Grant that
permission only for the NAC 800’s address (for example, by adding it to the
Trusted sites zone) rather than relaxing the ActiveX setting for every site.
ActiveX testing requires the endpoint’s Web browser to be open for every test.
The Web browser must be IE version 5.0 or 6.0.
If a router lies between the NAC 800 and the endpoints, it must pass traffic on
port 1500 to the endpoints. In most cases, the NAC 800 can automatically open
the correct ports through the endpoints’ firewall.
Note This rule has one exception. You must open port 1500 manually on an endpoint that
meets all three of these conditions:
■ Is unmanaged
■ Runs Windows XP
■ Uses a third-party firewall (such as Norton) instead of the Windows XP SP2 firewall
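The following script is an added example, not part of the NAC 800 manual or HP's software. It probes each endpoint on port 1500 from the NAC 800's side of the router and, for endpoints that do not answer, applies the three-condition rule above to tell you whether the fix is a manual firewall exception on the endpoint or a router/firewall path to investigate. It assumes the agent port is TCP (the manual names only the port number), that your inventory carries the `managed`, `os` and `firewall` fields used here, and it uses a loopback listener to stand in for a reachable endpoint so it runs offline.

```python
"""Audit which endpoints the NAC 800 can reach on the agent port (port 1500).

Added example, not HP's code. Assumptions: the agent port is TCP, and the
inventory records carry host, address, managed, os and firewall fields.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

AGENT_PORT = 1500  # assumption: TCP; the manual only says "port 1500"


def port_open(host, port=AGENT_PORT, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def needs_manual_exception(endpoint):
    """The manual's exception: unmanaged + Windows XP + a non-SP2 (third-party) firewall."""
    return (
        not endpoint["managed"]
        and endpoint["os"] == "Windows XP"
        and endpoint["firewall"] != "Windows XP SP2"
    )


def audit(inventory, timeout=2.0):
    """Probe every endpoint concurrently and classify the result.

    Returns {host: status} where status is one of:
      "reachable"      port answers; the NAC 800 can test the endpoint
      "open-manually"  closed and the three-condition exception applies
      "check-router"   closed but the exception does not apply: look at the
                       router/firewall between the NAC 800 and the endpoint,
                       or at the agent installation itself
    """
    def classify(ep):
        # "port" is only overridden in the offline demo; real endpoints use 1500
        if port_open(ep["address"], ep.get("port", AGENT_PORT), timeout):
            return "reachable"
        if needs_manual_exception(ep):
            return "open-manually"
        return "check-router"

    with ThreadPoolExecutor(max_workers=16) as pool:
        statuses = list(pool.map(classify, inventory))
    return {ep["host"]: status for ep, status in zip(inventory, statuses)}


def start_local_listener():
    """Stand-in for a reachable endpoint: listen on an ephemeral loopback port.

    Returns (socket, port); close the socket when finished.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port():
    """Return a loopback port that is not currently listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    closed_port = free_port()
    # Constructed inventory (not real hosts): loopback stands in for endpoints.
    inventory = [
        {"host": "xp-lab-01", "address": "127.0.0.1", "port": open_port,
         "managed": False, "os": "Windows XP", "firewall": "Norton"},
        {"host": "xp-lab-02", "address": "127.0.0.1", "port": closed_port,
         "managed": False, "os": "Windows XP", "firewall": "Norton"},
        {"host": "xp-sp2-03", "address": "127.0.0.1", "port": closed_port,
         "managed": True, "os": "Windows XP", "firewall": "Windows XP SP2"},
    ]
    try:
        for host, status in audit(inventory).items():
            print(f"{host:12} {status}")
    finally:
        srv.close()
```

Run it from a host on the NAC 800's side of the router so the probe crosses the same path the NAC 800 uses; a "check-router" result on an endpoint that has the agent installed usually means the router, not the endpoint firewall, is dropping port 1500.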