464 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
NAC Appliance Manager
A policy on the NAC Appliance Manager must be created to check for the
following two requirements:
1. The Security Compliance Manager Client is running as a service.
2. The c:\Program Files\IBM\SCM\Client\NACApplianceCompliance.properties file exists.
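The following script is an added example and is not code from the Redbook, from Security Compliance Manager or from the NAC Appliance. It reproduces the two policy checks on the endpoint itself, so an administrator can confirm a host will pass before it is enrolled. The Windows service name IBMSCMClient is an assumption used as a placeholder; take the real name from Get-Service on a host with the client installed.

```powershell
# Added example; not code from the Redbook or from either product.
# Reproduces, on the endpoint, the two checks the NAC Appliance Manager policy makes.
# ASSUMPTION: 'IBMSCMClient' is a placeholder service name. Read the real one with
# Get-Service on a host that has the Security Compliance Manager Client installed.
$ServiceName    = 'IBMSCMClient'
$PropertiesFile = 'C:\Program Files\IBM\SCM\Client\NACApplianceCompliance.properties'

function Test-ScmServiceRunning {
    param([Parameter(Mandatory)][string]$Name)
    # A missing service is reported as "not running" rather than as a script error.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $false }
    return ($svc.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running)
}

function Test-ScmPropertiesFile {
    param([Parameter(Mandatory)][string]$Path)
    # File.Exists ignores the Hidden attribute, so the check still passes after the
    # file has been hidden as the security recommendations later in this section advise.
    return [System.IO.File]::Exists($Path)
}

function Test-NacEndpointCompliance {
    param([string]$Name = $ServiceName, [string]$Path = $PropertiesFile)
    $serviceOk = Test-ScmServiceRunning -Name $Name
    $fileOk    = Test-ScmPropertiesFile -Path $Path
    [pscustomobject]@{
        ServiceRunning       = $serviceOk
        PropertiesFileExists = $fileOk
        Compliant            = ($serviceOk -and $fileOk)   # both requirements must hold
    }
}

$result = Test-NacEndpointCompliance
$result | Format-List
# A non-zero exit lets a logon script or monitoring agent flag the host the same way
# the NAC Appliance would: the endpoint stays quarantined until both checks pass.
if (-not $result.Compliant) { exit 1 }
```

Note that the second check only asks whether the file exists; any user who can write to the client directory can satisfy it, which is why the state files need the access controls discussed under the security concerns below.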
Considerations for designing a production solution
Once the existing prototype components have been integrated in a
non-production environment, several issues become evident that must be
addressed before a production-class solution is designed on this basis.
The following list covers these issues, but it is not complete. Every
deployment has its own factors to consider, but these items are common to
most deployments.
Security concerns - Several of the prototype components store sensitive
information such as passwords in plain text. This is convenient for training
and discovery, but it is also a security vulnerability. Even when the sensitive
data is passed to the client in Collector parameters, those parameters are
still entered and stored in plain text in the Security Compliance Manager
console. In addition, several of the files used to capture state on the client
are not protected and could be manipulated by users. We recommend that these
files be set to hidden, with administrative privileges required to access them.
The hidden attribute only keeps the files out of casual view; it is the access
control list requiring administrative privileges that actually prevents a user
from altering them.
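The following script is an added example, not code from the Redbook or from either product. It applies the recommendation above to the client-side state files: set the Hidden attribute and replace the access control list so that only SYSTEM and Administrators can read or change the files, then verifies the result. The properties file path is the one the text names; the semaphore file name compliance.semaphore is an assumption, since the text does not give it, and the script assumes the Security Compliance Manager Client service runs as LocalSystem, which is what keeps its access through the SYSTEM entry.

```powershell
#Requires -RunAsAdministrator
# Added example; not code from the Redbook or from either product.
# Hides the client-side state files and restricts their ACL to SYSTEM and Administrators.
# ASSUMPTIONS: 'compliance.semaphore' is a placeholder name (the text does not name the
# semaphore file); the SCM client service runs as LocalSystem and so keeps access via SYSTEM.
$ClientDir  = 'C:\Program Files\IBM\SCM\Client'
$StateFiles = @(
    (Join-Path $ClientDir 'NACApplianceCompliance.properties'),
    (Join-Path $ClientDir 'compliance.semaphore')   # hypothetical file name
)
$AllowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Protect-ScmStateFile {
    param([Parameter(Mandatory)][string]$Path)
    if (-not [System.IO.File]::Exists($Path)) {
        Write-Warning "Skipping $Path (not present on this endpoint)"
        return
    }
    # Hidden keeps the file out of casual view; it is not an access control.
    attrib.exe +H "$Path"
    # /inheritance:r drops every inherited ACE; /grant:r replaces the explicit ACEs with
    # exactly the two listed, so ordinary users are left with no access at all.
    icacls.exe "$Path" /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function Test-ScmStateFileProtected {
    # Verification: true only when the Hidden attribute is set and every Allow ACE
    # belongs to an allowed principal. An "exists" check alone is satisfied by a file
    # any user can create, so a compliance check should call this as well.
    param([Parameter(Mandatory)][string]$Path)
    $item   = Get-Item -LiteralPath $Path -Force
    $hidden = ($item.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0
    $acl    = Get-Acl -LiteralPath $Path
    $unexpected = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($AllowedPrincipals -notcontains $_.IdentityReference.Value)
    })
    return ($hidden -and $unexpected.Count -eq 0)
}

foreach ($f in $StateFiles) {
    Protect-ScmStateFile -Path $f
    if ([System.IO.File]::Exists($f)) {
        '{0}: protected={1}' -f $f, (Test-ScmStateFileProtected -Path $f)
    }
}
```

Run it from an elevated PowerShell session on the endpoint after the client is installed; if the client service runs under an account other than LocalSystem, add that account to both the icacls grant and $AllowedPrincipals, otherwise the service itself will be locked out of its own state files.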
Timing - The current version of the prototype policy collector has several
timing issues that open windows of exposure in the solution. Features expected
in upcoming software releases should address them. Most of these issues are
related to post-admission processing.
Post-admission processing - With post-admission processing, the Security
Compliance Manager Client periodically rescans the endpoint for violations.
The normal behavior when a violation is found is to present the remediation
handler interface to the user and proceed as usual. In contrast, the prototype
policy collector provided for this integration does not present this interface
in that situation. Instead, it marks the endpoint as noncompliant by deleting
the compliance semaphore file and then terminates the user's network session,
forcing the user to restart the admission process. During this second
admission process, the absence of the compliance semaphore file causes the NAC
Appliance to quarantine the endpoint, at which point the client enters the same
state as in pre-admission. The prototype version uses the kickrich.html form to
initiate the termination of the user's current session, but this leaves the
session active until the user responds to the HTML form, so an endpoint already
found noncompliant keeps its network access for as long as the form goes
unanswered.