Chapter 2. Architecting the solution 33
2.3.4 Network design discussion
In this section we discuss the following network design factors for the IBM
Integrated Security Solution for Cisco Networks:
- Network segmentation via VLANs and downloadable IP ACLs
- Performance
- Adding new components that may not have been required previously
The IBM Integrated Security Solution for Cisco Networks introduces new zoning
terminology for intranet networks:

Default network
    These are the network segments or virtual LANs (VLANs) to which clients
    are connected. Each client is placed in a default network once it has
    been successfully admitted to the network.

Quarantine access
    This defines the resources that quarantined clients can access. These
    resources may be placed anywhere within the network but must be reachable
    by hosts that are in quarantine. Typical resources that are available
    while in quarantine are the remediation server, the compliance server,
    and the public internet. In general, access to trusted networks is not
    allowed while in quarantine, except in cases where the remediation or
    compliance servers are deployed within trusted networks.

Trusted network
    These are the parts of the network where the corporate resources are
    placed: domain servers, application and database servers, print servers,
    and so on. These network segments typically are not NAC-enabled, as
    separate business processes govern the security compliance and
    configuration changes for servers. These segments are also not considered
    to be a serious source of threats to the rest of the network.
Default network
With Layer 3 NAC, only networks connected to NAC-enabled routers can be
isolated from other parts of the network. If existing network equipment has to
be reused, this may limit the number of possible untrusted network segments.
It is also important to realize that a noncompliant client can still connect
to (and possibly harm) other clients connected to the same network segment,
because traffic between two hosts on one segment never crosses the router that
enforces the ACL. This limitation is addressed by Layer 2 NAC, which operates
at network protocol layer 2 on switches, wireless access points (WAP), and
virtual private network (VPN) concentrators.
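The following is an added example, not code from the Redbook or from the IBM/Cisco solution. It models the quarantine access policy defined above as a Cisco IOS style extended IP ACL (the kind of list a downloadable IP ACL carries for the quarantine role) and evaluates it with first-match semantics and the implicit deny at the end. It also models the Layer 3 limitation just described: a router-applied ACL is only consulted for traffic that leaves the segment, so two quarantined hosts on the same VLAN are never filtered by it. All addresses (remediation server 10.20.0.10, compliance server 10.20.0.11, trusted network 10.100.0.0/16, quarantine VLAN 10.50.0.0/24, the internet host 203.0.113.7) are constructed for the example; the parser handles only the `any`, `host X` and `network wildcard` address forms and the `ip` protocol keyword.

```python
import ipaddress

# Constructed sample addressing plan (not from the book).
QUARANTINE_VLAN = ipaddress.ip_network("10.50.0.0/24")

# Quarantine role ACL in Cisco IOS extended ACL syntax: permit the remediation
# and compliance servers, deny the trusted network and the rest of the intranet,
# then permit everything else (the public internet). Order matters: first match wins.
QUARANTINE_ACL = """
! quarantine role - constructed example
permit ip any host 10.20.0.10
permit ip any host 10.20.0.11
deny   ip any 10.100.0.0 0.0.255.255
deny   ip any 10.0.0.0 0.255.255.255
permit ip any any
"""


def _parse_match(tokens):
    """Consume one address spec from the token list; return (base, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    # "network wildcard" form: a 1 bit in the wildcard means "don't care"
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _matches(addr, spec):
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)


def parse_acl(text):
    """Parse ACL lines into (action, protocol, src_spec, dst_spec) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue  # blank line or IOS-style comment
        action, proto = tokens[0], tokens[1]
        rest = tokens[2:]
        src = _parse_match(rest)
        dst = _parse_match(rest)
        entries.append((action, proto, src, dst))
    return entries


def evaluate(acl, src, dst, proto="ip"):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for action, p, s, d in acl:
        if p != "ip" and p != proto:
            continue
        if _matches(src, s) and _matches(dst, d):
            return action == "permit"
    return False


def router_enforces(src, dst, segment):
    """A router ACL only sees traffic leaving the segment; two hosts on the same
    VLAN exchange frames through the switch and never reach the router."""
    same_segment = (ipaddress.ip_address(src) in segment
                    and ipaddress.ip_address(dst) in segment)
    return not same_segment


ACL = parse_acl(QUARANTINE_ACL)


def quarantine_decision(src, dst):
    """Outcome for a quarantined client: 'permit', 'deny', or 'not-seen-by-router'."""
    if not router_enforces(src, dst, QUARANTINE_VLAN):
        return "not-seen-by-router"
    return "permit" if evaluate(ACL, src, dst) else "deny"


if __name__ == "__main__":
    client = "10.50.0.23"
    for target in ("10.20.0.10", "10.100.1.5", "203.0.113.7", "10.50.0.24"):
        print(f"{client} -> {target}: {quarantine_decision(client, target)}")
```

The `not-seen-by-router` outcome is the point of the Layer 3 discussion: a client-to-client flow inside the quarantine VLAN is invisible to the downloadable IP ACL, which is why per-port Layer 2 enforcement on the switch is needed to contain a noncompliant host from its neighbours.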