34 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
In the reference architecture described later in this book, there are several
untrusted networks that serve as the default networks to which users are assigned
based on identity-based authentication. When clients are in a healthy state,
they are placed in the default network that corresponds to the user's identity.
Quarantine access
We use this term to refer to the network resources that a quarantined client
must be able to reach. Network access is governed by the content of an access
control list (ACL) applied to the router or switch port to which the client is
connected; this ACL may include several specific IP addresses required for
remediation.
Depending on the solution design, remediation resources may include:
Remediation server
Compliance server
Software distribution depot
Internet access proxy
Trusted network
In a real-world scenario this term is used for static, internal network segments
to which no clients are physically connected. In this book, we consider as trusted
any network segment that is excluded from NAC. Of course, other security
measures such as firewalls may still apply, but this is outside the scope of this book.
Performance controls
Network admission control introduces two timing parameters that control the
solution's behavior:
Revalidation period    Defines how often the whole NAC procedure is repeated for
                       clients that are already connected.
Status query period    Defines how often the NAC router asks the posture agent
                       for changes in the posture. This second type of polling
                       makes it possible to initiate a revalidation process if
                       the client posture changes significantly (for example,
                       if the user stops or disables an essential service
                       required by the policy).
Depending on those settings, policy enforcement may be more or less rigid, but
the settings also influence the end-user experience and network performance.
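The interplay of the two timing parameters, as an added illustration that is not code from the book or from either vendor: a small Python model that computes when the NAC router re-runs admission for one client session and how long a posture change can go unnoticed. It assumes, since the page does not say, that periodic revalidation fires at each multiple of the revalidation period, that a posture change is seen only at the first status query after it, and that an event-triggered revalidation does not reset the periodic timer.

```python
"""Timing model for the revalidation and status query periods.

Added example, not the book's or the vendors' code.  Assumptions not stated
on the page: periodic revalidation fires at every multiple of the
revalidation period, a posture change is noticed only at the first status
query strictly after it happens, and an event-triggered revalidation does
not reset the periodic timer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Revalidation:
    time: int      # seconds since the client was admitted
    reason: str    # "periodic" or "posture_change"


def detection_time(change, status_query_period):
    """First status query poll strictly after a posture change."""
    return ((change // status_query_period) + 1) * status_query_period


def revalidation_schedule(revalidation_period, status_query_period,
                          posture_changes, horizon):
    """Revalidations that occur within [0, horizon] seconds of admission.

    posture_changes: times (seconds) at which the client's posture changed
    significantly, e.g. the user stopped a service required by the policy.
    """
    if revalidation_period <= 0 or status_query_period <= 0:
        raise ValueError("periods must be positive")
    events = {}
    # The whole NAC procedure is repeated every revalidation period.
    t = revalidation_period
    while t <= horizon:
        events[t] = "periodic"
        t += revalidation_period
    # A posture change is seen at the next status query; the router then
    # initiates a revalidation.  If a periodic revalidation falls on the
    # same instant it already covers the change, so its label is kept.
    for change in posture_changes:
        detected = detection_time(change, status_query_period)
        if detected <= horizon:
            events.setdefault(detected, "posture_change")
    return [Revalidation(t, r) for t, r in sorted(events.items())]


if __name__ == "__main__":
    # Constructed scenario: hourly revalidation, 5-minute status queries,
    # one essential service stopped 1000 s after admission.
    for ev in revalidation_schedule(3600, 300, [1000], 7200):
        print(ev)
```

The constructed run shows that the stopped service is caught at 1200 s by the status query, long before the 3600 s periodic revalidation, which is why the status query period, not the revalidation period, bounds the reaction time to a posture change.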
The revalidation process enables the client to pick up a new version of the
security policy if no other distribution method is defined. However, as a result of the NAC
process, a user connecting to the network is presented with a pop-up window showing the
current status (Healthy, Quarantined, Checkup, Infected, or Unknown). If the