Filter
Top Products
Chapter 5. Solution design 103
with the Web Gateway component to allow for automated remediation at the
workstation level without need of having Tivoli Framework endpoint installed.
Again referencing Figure 5-3 on page 102, note that the total solution is
comprised of three major subsystems: the compliance subsystem, the Network
Admission Control subsystem, and the remediation subsystem. The
implementation of these subsystems is described in the following three chapters.
In logical terms, we can span both the Network Admission Control subsystem
and the compliance subsystem into a logical
network admission policy. This
collective network admission policy is comprised of the establishment and
enforcement of compliance criteria.
Establishing compliance criteria
In this section we describe the process of establishing the compliance criteria
based on the security policy for desktops described in 5.2.1, “Security
compliance requirements” on page 96.
Configuring the compliance server
Let us create the compliance criteria, the policy, that is used to evaluate the client
posture. Chapter 6, “Compliance subsystem implementation” on page 125,
describes the detailed flow of the overall installation and configuration, including
the assignment of the policy to the client groups. Additionally, administrative
Security Compliance Manager information, such as importing and modifying
policies, can be found in the Tivoli Security Compliance Manager Version 5.1:
Administration Guide, SC32-1594. Our focus here is to show how to manage the
policy versioning needed for policy life cycle management.
The IISSCN_TCM_v2.00_WinXP.pol policy bundle, which is available from the
IBM Tivoli Security Compliance Manager 5.1 Utilities Web page (see “Online
resources” on page 484), is used as our initial reference policy. This policy
bundle contains the posture collectors that are used to make client-side
compliance decisions. This policy is imported into the IBM Security Compliance
Manager environment and modified to meet ABBC’s functional requirements.
Note: This solution is still being developed, so it is likely that the specific
version of the referenced posture policy, IISSCN_TCM_v2.00_WinXP.pol, may
not be publicly available by the time you read this book. However, we expect
that the general contents of the default posture policy will be fairly consistent.
Thus, the procedures for setting up policies as outlined in this book most likely
can be followed using the policies that IBM has available.