458 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Interested parties can use this design and the prototypes of these components to
perform this integration in labs, for demos, and training purposes.
Integration design
The fundamental premise of this integration is that Security Compliance Manager
validates the compliance posture of the endpoint and signals the client's state
by managing the state of a well-known file on the client, and that NAC Appliance
admits an endpoint to the network based on the existence of this file. In
addition, NAC Appliance verifies that the Security Compliance Manager client is
running on the endpoint.
NAC Appliance is inherently capable of checking for services running on clients
and for the existence of specific files on clients. These capabilities are used to
validate that the Tivoli Security Compliance Manager client is running and that a
special compliance semaphore file, indicating the compliance state of the
endpoint, exists before the endpoint is admitted. A special NAC Appliance Agent
is installed on the client for this integration; if either of the requirements is
not met, the agent runs a specific executable on the client.
Security Compliance Manager can have a prototype version of the policy
collector installed that will manage the existence of the compliance semaphore
file based on the client’s compliance status. This special version of the policy
collector updates this file whenever a posture scan is performed. In addition, if
the client is connected to the protected network and a compliance violation
occurs, this special policy collector will initiate an HTTPS request to the NAC
Appliance Manager that terminates the client’s admission session and forces the
client to restart the admission process.
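To make the division of responsibilities concrete, the following is an added Python simulation (not code from the Redbook or from either product) of the two halves of the design: the prototype policy collector maintaining the semaphore file after each posture scan, and the two admission checks performed by the NAC Appliance Agent. The semaphore file name, the posture-result format and the on_violation callback standing in for the HTTPS request to NAC Appliance Manager are assumptions.

```python
import os
import tempfile

# Assumed file name; the design only calls it a "well-known" semaphore file.
SEMAPHORE_NAME = "tscm_compliant.sem"


def policy_collector_update(scan_results, semaphore_path, connected=False, on_violation=None):
    """Run after every posture scan: keep the semaphore file present only while
    the endpoint is compliant. scan_results maps check name -> passed (bool).
    If the client is already on the protected network and falls out of
    compliance, on_violation() stands in for the HTTPS request that ends the
    client's admission session at NAC Appliance Manager. Returns compliance."""
    compliant = all(scan_results.values())
    if compliant:
        with open(semaphore_path, "w") as fh:
            fh.write("compliant\n")
    else:
        try:
            os.remove(semaphore_path)  # missing file == non-compliant
        except FileNotFoundError:
            pass
        if connected and on_violation is not None:
            on_violation()
    return compliant


def nac_admission_check(semaphore_path, tscm_client_running):
    """Mirror the two NAC Appliance Agent requirements: the Security Compliance
    Manager client must be running and the semaphore file must exist.
    Returns ("admit", None) or ("remediate", reason)."""
    if not tscm_client_running:
        return ("remediate", "Security Compliance Manager client not running")
    if not os.path.isfile(semaphore_path):
        return ("remediate", "compliance semaphore file missing")
    return ("admit", None)


def demo():
    """Walk one endpoint through a compliant scan, then a violation while
    connected, using constructed scan results in a temporary directory."""
    path = os.path.join(tempfile.mkdtemp(), SEMAPHORE_NAME)
    kicks = []  # records the simulated session-termination request
    policy_collector_update({"antivirus": True, "patches": True}, path)
    first = nac_admission_check(path, tscm_client_running=True)
    policy_collector_update({"antivirus": True, "patches": False}, path,
                            connected=True, on_violation=lambda: kicks.append("session terminated"))
    second = nac_admission_check(path, tscm_client_running=True)
    third = nac_admission_check(path, tscm_client_running=False)
    return first, second, third, kicks
```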
Note: NAC Appliance Version 4.1 (availability date September 19, 2006) will have
a Qualified Executable Launch that will eliminate the need for the special agent
in this scenario.