How to Set Up Assessment


NAC Manager utilizes assessment servers to determine the security compliance of end-systems connecting to the network. Assessment servers assess connecting end-systems and provide details about the end-system's patch levels, running processes, anti-virus definitions, device type, operating system, and other information critical in determining security compliance. End-systems that fail assessment can then be quarantined with restricted network access to prevent security threats from entering the network. For more information on assessment and an overview of how it works, see the Assessment section of the Concepts help file.

The NAC solution requires the use of either on-board (integrated) assessment server functionality or the ability to connect to external assessment servers, in order to execute end-system assessment. Refer to the NAC Design Guide for information on determining the number of assessment servers and their location in the network, and configuring assessment server software.

In NAC Manager, you will need to configure the external assessment servers that will perform the end-system assessments in your network. Once you have configured your assessment servers, they can be added to an assessment server pool and participate in assessment server load-balancing.

NAC Manager uses assessment configurations to define the different assessment requirements for end-systems. They define how to score assessment results (determined by the selected Risk Level and Scoring Override configurations), and what assessment tests to run (determined by the selected test sets). NAC Manager provides default assessment configurations ready for you to use "as is" or allows you to create custom assessment configurations for your specific network requirements.

When you create a NAC Profile, you will select an assessment configuration that defines the assessment requirements for the end-systems using that profile.

This Help topic describes the steps that must be performed in NAC Manager when deploying assessment on your network, beginning with managing your assessment servers.

  NOTES: -- Prior to configuring assessment, you must enable the Assessment/Remediation for End-Systems option in the NAC Manager Features options accessed from Tools > Options in the NAC Manager menu bar.
-- If you are configuring Agent-based assessment, you will need to perform the steps outlined in the How to Deploy Agent-Based Assessment Help topic in addition to the steps described here.

Information and instructions on:

Managing Your Assessment Servers

The Manage Assessment Settings window is the main window used to manage and configure your assessment servers.

  1. In NAC Manager, select Tools > Management and Configuration > Assessment Settings from the menu bar or click the Manage Assessment Settings toolbar button to open the Manage Assessment Settings window.

Adding External Assessment Servers

If you are using external assessment servers, the first step in setting up assessment in NAC Manager is to add your external assessment servers to the Manage Assessment Settings window. Once you have added your assessment servers, they can participate in assessment server load-balancing, and be used in an assessment server pool, if desired.

  1. From the Manage Assessment Settings window, select the Assessment Servers tab.



  2. Click Add to open the Add Assessment Server window.



    Refer to the Add Assessment Server window Help topic for information on adding Assessment Servers. Click OK. The added assessment server will be listed in the tab.

  3. Click back to the Assessment Configurations tab and proceed to creating assessment configurations.

Creating Assessment Configurations

The next step in setting up assessment in NAC Manager is to create your assessment configurations. Assessment configurations define the different assessment requirements for end-systems connecting to your network. When you create a NAC Profile, you will select an assessment configuration that defines the assessment requirements for the end-systems using that profile.

It is recommended that you introduce assessment on your network using the phased deployment described in the NAC Assessment Phased Deployment Guide. A phased approach minimizes disruptions to your enterprise, introduces end users to remediation procedures gradually, and increases your understanding of the strengths and weaknesses in the network.

However, while the phased deployment is the recommended approach, NAC Manager does provide a default assessment configuration that is already set up with default assessment parameters and is ready to use in your NAC Profiles.

The following steps discuss how to access the default assessment configuration and edit it, if desired. (For more information on the phased assessment deployment, see the NAC Assessment Phased Deployment Guide and How to Configure Assessment.)

  1. From the Manage Assessment Settings window, select the Assessment Configurations tab. Select the Default configuration and click Edit to open the Edit Assessment Configuration window.



  2. The window displays the assessment parameters configured in the Default configuration, and allows you to edit the assessment parameters, if desired.
    1. Scoring Override Configuration:
      Scoring overrides let you override the scoring mode and test result scores for a particular assessment test. The default scoring override configuration provided by NAC Manager specifies no overrides, but can be edited to contain overrides, if desired.

      Scoring overrides let you create overrides to the test scoring system and assign a higher or lower score to specific assessment tests. For example, Nessus assessment checks to see if Limewire is installed on an end-system, and assigns a low risk score of "2" for that test result if it is found. Using a scoring override, you can assign a high risk score of "10" to that result instead of "2".

      Scoring overrides also allow you to override the scoring mode for specific assessment tests. For example, you may set a test set scoring mode of "Informational Only" and then configure a scoring override so that a specific test counts towards a quarantine decision ("Apply Score"). Or, you may select a test set scoring mode of "Apply Score" (quarantine), and then create a scoring override that sets specific tests to be "Warning."

      To edit the default configuration, click the configuration menu button to the right of the field and select Edit. For more information, refer to the Add/Edit Scoring Override Configuration Window Help topic.

    2. Risk Level Configuration:
      Risk level configurations determine how assessment results are classified into one of three risk levels: high risk, medium risk, or low risk. To edit the default risk level configuration, click the configuration menu button to the right of the field and select Edit. For more information, refer to the Add/Edit Risk Level Configuration window Help topic.

    3. Test Sets:
      Select one or more test sets for the assessment configuration to run. Test sets define which type of assessment to launch against the end-system, what parameters to pass to the assessment server, and what assessment server resources to use. NAC Manager provides three default test sets and also lets you create new custom test sets. To create a new test set, use the configuration menu button in the test set section to select the type of test set you want to add. For instructions on creating a new test set, refer to the following Help topics:

      If you select multiple agent-based test sets, the first test set you select is called the Master test set. A Master test set includes the Agent Configuration settings, the Advanced Settings, and all the specified test cases. Each subsequent agent-based test set that you select for the configuration will be a "supporting" test set. For supporting test sets, only the "Application" test cases will be used; all other configuration values will be ignored. In the list of Test Sets, Master test sets have a "(Master)" designation after them.

      For example, you might want to use multiple agent-based test sets if you are managing multiple networks, and you have a unique agent-based test set for each network as well as secondary test sets for specific application tests that all the networks would use. In the assessment configuration for each network, you would select the unique test set as the Master test set and then select any number of secondary test sets to be included in the configuration as well.

      If the Master test set is deselected, then a new master is automatically selected. If this is not the specific test set that you would like to have as Master, then you must deselect all test sets, select the desire Master test set first, and then select the additional supporting test sets.

    4. Click OK to save your changes.

  3. Proceed to enabling assessment for your NAC profiles.

Enabling Assessment for NAC Profiles

After you have created your assessment configuration, you must enable assessment for the NAC Profiles used by the rules in your NAC Configuration and specify the assessment configuration to use.

  1. In NAC Manager, click the Manage NAC Profiles button Manage NAC Profiles on the toolbar to open the Manage NAC Profiles window.
  2. Select a NAC Profile and click the Edit Profile button .
  3. In the Edit NAC Profile window, check the Enable Assessment checkbox, and select the desired assessment configuration.
  4. Click OK to close the window.
  5. You must enforce the updated NAC Configuration to your NAC appliances. Click the Enforce button in the NAC Manager toolbar.

Top