Security Solutions

3-121
Designing Access Controls
Finalize Security Policies
Workgroups—Set the appropriate NetBIOS names in each policy in the group.
User groups (or any other criteria used by IDM)—IDM gives you the opportunity to apply different NAC policies according to any criteria that IDM uses to differentiate network access. You simply create rules that place endpoints to be tested in different VLANs. For example, follow these steps to apply different policies to different user groups:
a. Instead of creating a single test access profile and a single quarantine access profile (as explained in “Access Group Policies with IDM” on page 3-107), create different test and quarantine profiles for different user groups.
b. Set different VLAN IDs in each profile.
c. In each access policy group, create a rule that matches Unknown, Quarantine, and Infected postures to the appropriate test and quarantine profiles. Now, unknown and quarantined endpoints receive different VLAN assignments (and IP addresses on different subnets) according to the users’ group.
d. Match each NAC policy to the appropriate subnet addresses. Because an endpoint might be tested in a test VLAN (Unknown posture, pre-connect testing), quarantine VLAN (Quarantine posture, pre-connect retesting), or normal user VLAN (Healthy posture, post-connect testing), you should specify the IP addresses for each of the subnets corresponding to those VLANs.
Design NAC Policies
Chapter 2: “Customer Needs Assessment” and “Comprehensive Security Policy” on page 3-5 helped you to define your security policies for endpoints. Now you must translate those policies into NAC policies.
The sections below help you list the tests required to make your NAC policies enforce your security policies.
Note The NAC 800 comes pre-configured with three NAC policies (low, medium, and high). Before configuring a new policy, check whether one of these policies is suitable for your system.
Tests for Minimal Endpoint Integrity. All endpoints should be free of malware and have all current patches. These minimal requirements ensure that endpoints are not currently infected and are also protected against known vulnerabilities.
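The following Python model is an added example, not configuration from the NAC 800 or IDM and not code from this guide. It ties together the two procedures above: the per-user-group placement of endpoints into test, quarantine and normal VLANs by posture (steps a through d), and the minimal-integrity tests that decide a posture. Everything in it is an assumption for illustration: the group and profile names, the VLAN IDs and subnets, the two test names, and the rule that an endpoint with no results is Unknown, a failed malware test is Infected, all tests passed is Healthy and anything else is Quarantine. It also includes the design check a practitioner wants after step d: that no subnet is claimed by two NAC policies, since an endpoint on a shared subnet could be matched to the wrong policy.

```python
import ipaddress
from dataclasses import dataclass

# Endpoint postures named in the guide.
UNKNOWN, QUARANTINE, INFECTED, HEALTHY = "Unknown", "Quarantine", "Infected", "Healthy"


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class AccessProfile:
    """An access profile: a VLAN and the subnet addressed on it (constructed model)."""
    name: str
    vlan_id: int
    subnet: ipaddress.IPv4Network


@dataclass(frozen=True)
class AccessPolicyGroup:
    """One access policy group with its own test, quarantine and normal-user profiles."""
    user_group: str
    test: AccessProfile
    quarantine: AccessProfile
    normal: AccessProfile

    def profile_for(self, posture: str) -> AccessProfile:
        # Step c: Unknown -> test VLAN; Quarantine and Infected -> quarantine VLAN.
        # Healthy endpoints stay on the group's normal user VLAN (post-connect testing).
        if posture == UNKNOWN:
            return self.test
        if posture in (QUARANTINE, INFECTED):
            return self.quarantine
        if posture == HEALTHY:
            return self.normal
        raise ValueError(f"unexpected posture {posture!r}")

    def subnets(self) -> tuple:
        # Step d: the group's NAC policy must cover all three subnets, because
        # an endpoint may be tested while it sits on any of them.
        return (self.test.subnet, self.quarantine.subnet, self.normal.subnet)


@dataclass(frozen=True)
class NacPolicy:
    """A NAC policy matched to subnets; required_tests names its integrity tests."""
    name: str
    subnets: tuple
    required_tests: tuple

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in subnet for subnet in self.subnets)


def evaluate_posture(test_results: dict) -> str:
    """Map minimal-integrity test results to a posture (the mapping is an assumption)."""
    if not test_results:                      # nothing tested yet: pre-connect
        return UNKNOWN
    if test_results.get("malware_free") is False:
        return INFECTED
    if all(test_results.get(t) for t in MINIMAL_TESTS):
        return HEALTHY
    return QUARANTINE                         # e.g. malware-free but patches missing


def select_policy(policies, ip: str):
    """Return the NAC policy whose subnets contain the endpoint address, or None."""
    for policy in policies:
        if policy.matches(ip):
            return policy
    return None


def overlapping_subnets(policies) -> list:
    """Design check: a subnet claimed by two policies makes selection ambiguous."""
    clashes = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            for net_a in a.subnets:
                for net_b in b.subnets:
                    if net_a.overlaps(net_b):
                        clashes.append((a.name, b.name, str(net_a), str(net_b)))
    return clashes


def place_endpoint(group: AccessPolicyGroup, test_results: dict) -> tuple:
    """Return (posture, VLAN id) for an endpoint belonging to the given user group."""
    posture = evaluate_posture(test_results)
    return posture, group.profile_for(posture).vlan_id


# Constructed sample: two user groups, each with distinct VLANs and subnets.
MINIMAL_TESTS = ("malware_free", "patches_current")
ENGINEERING = AccessPolicyGroup(
    "engineering",
    AccessProfile("eng-test", 110, net("10.1.10.0/24")),
    AccessProfile("eng-quarantine", 120, net("10.1.20.0/24")),
    AccessProfile("eng-users", 100, net("10.1.0.0/24")),
)
FINANCE = AccessPolicyGroup(
    "finance",
    AccessProfile("fin-test", 210, net("10.2.10.0/24")),
    AccessProfile("fin-quarantine", 220, net("10.2.20.0/24")),
    AccessProfile("fin-users", 200, net("10.2.0.0/24")),
)
POLICIES = (
    NacPolicy("eng-policy", ENGINEERING.subnets(), MINIMAL_TESTS),
    NacPolicy("fin-policy", FINANCE.subnets(), MINIMAL_TESTS),
)

if __name__ == "__main__":
    print(place_endpoint(ENGINEERING, {}))
    print(place_endpoint(FINANCE, {"malware_free": True, "patches_current": False}))
    print(select_policy(POLICIES, "10.1.20.7").name)
    print(overlapping_subnets(POLICIES))
```

Run as a script it shows an untested engineering endpoint landing on VLAN 110, a finance endpoint with missing patches landing on its own quarantine VLAN 220, and an address on the engineering quarantine subnet still resolving to the engineering policy, which is the point of step d. Passing a policy whose subnet range overlaps another group's to overlapping_subnets returns the clashing pairs, which is the kind of mistake to catch before the policies go live.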