32 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
This means that for each desired change in the configuration settings, there must be an appropriate configuration change process in place to perform the changes on the affected systems. For example, if there is a security policy stating that each workstation must have antivirus software installed, there has to be a corresponding software installation process to distribute it to clients consistent with this policy.

Depending on the size of the environment, this can be achieved in a number of ways: fully automated, manually, or in some way in between. Depending on the type of policy, a different grace period for the implementation may be granted.
Enforcement
Before introducing the IBM Integrated Security Solution for Cisco Networks to the corporate environment, the only way to enforce the security policy on a client connected to the network was to perform a periodic audit of the configurations on individual user PC workstations. This was ineffective and costly: the process was resource-intensive, and the results were not satisfactory. With the introduction of the IBM Integrated Security Solution for Cisco Networks, any noncompliant clients trying to connect to the network can be denied access to corporate resources or quarantined (that is, they are allowed to connect to only one designated network for remediation) until the workstation regains a compliant state according to the policies.
Review and update
As the IT environment and business requirements may change frequently, the security policy should be reviewed periodically and updated to reflect current security threats and business goals.

Updating the policy requires special attention because the policy version is the first value checked by the posture validation server in the IBM Integrated Security Solution for Cisco Networks. It is an important architectural decision whether clients with an outdated policy version should be admitted access to the compliance server to be updated, or whether they should first be updated using a remediation process and then, only if compliant, allowed further access to the network. This second approach is more secure, but it requires the automated remediation process to be operational.
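As an added illustration (not the book's own code, nor the product's actual validation logic), the following Python sketch models the check order just described: the policy version is evaluated first, then the individual posture checks, with a flag selecting between the two architectural options. The class and field names, the check set, and the version number are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

CURRENT_POLICY_VERSION = 3  # constructed value for the example


class Decision(Enum):
    ALLOW = "allow"            # compliant: full access to corporate resources
    QUARANTINE = "quarantine"  # access to the designated remediation network only
    DENY = "deny"              # no access at all


@dataclass
class Posture:
    """Posture a client reports to the validation server (constructed fields)."""
    policy_version: int
    antivirus_installed: bool
    antivirus_signatures_current: bool


def validate_posture(posture, remediate_outdated_policy_first,
                     current_version=CURRENT_POLICY_VERSION):
    """Return (Decision, reason) for one client.

    The policy version is checked before anything else. The boolean selects
    between the two architectural options discussed in the text:
      False -> a client with an outdated policy is still evaluated against the
               checks it reports and, if compliant, admitted so that the
               compliance server can push the new policy version to it
      True  -> an outdated policy version alone sends the client to the
               remediation network; it is re-validated only after the update
    """
    if posture.policy_version < current_version:
        if remediate_outdated_policy_first:
            return Decision.QUARANTINE, "outdated policy version; remediate first"
        # Otherwise fall through and evaluate the rest of the posture.
    elif posture.policy_version > current_version:
        # Assumption for the example: a version the server does not know is
        # treated as untrusted input rather than as a newer, better policy.
        return Decision.DENY, "unknown policy version"
    if not posture.antivirus_installed:
        return Decision.QUARANTINE, "antivirus not installed"
    if not posture.antivirus_signatures_current:
        return Decision.QUARANTINE, "antivirus signatures out of date"
    return Decision.ALLOW, "compliant"
```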
2.3.3 Solution objectives
Several business drivers for the IBM Integrated Security Solution for Cisco Networks were described in 1.2, “Why we need this” on page 5. Each particular implementation may require all drivers to be in place or just a subset, so the selected objectives should be documented. The solution objectives will eventually drive most of the architectural decisions in the design process.