IBM Tivoli and Cisco Network Card User Manual

Chapter 3. Component structure 63
NAC communication
When the Cisco Trust Agent client communicates with the Cisco Secure ACS, a
secure PEAP session is established with the network client, and over this session
the network client's security posture credentials are requested.
Cisco Trust Agent uses certificates to establish a PEAP session with the ACS.
Security Compliance Manager communication
The Security Compliance Manager client communication with the Security
Compliance Manager server is based on the server’s self-signed SSL certificate
and IP address or host name. Any other communication requests are denied.
This ensures that only the authorized Security Compliance Manager server can
communicate with the particular client. The server presents its SSL certificate
during the first communication with the client (first contact trust). This certificate
is used to verify the server’s unique identity and to encrypt all traffic within the
Tivoli Security Compliance Manager environment.
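As an added illustration of the first-contact-trust model described above (example code written for this page, not part of the Tivoli product or the Redbook), the following pins the server's certificate fingerprint together with its endpoint on first contact and denies every later peer that does not match; the certificate bytes and host name are constructed stand-ins.

```python
"""First-contact trust (trust-on-first-use) for a server certificate: pin the
server's self-signed certificate and its IP address or host name the first
time it is seen, then refuse any peer that does not match the pinned identity.
Example code for this page; certificate bytes below are constructed, not DER."""
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Persists exactly one pinned server identity (endpoint + certificate hash)."""

    def __init__(self, path: Path):
        self.path = path
        self.pin = json.loads(path.read_text()) if path.exists() else None

    def verify(self, endpoint: str, cert_der: bytes) -> bool:
        """True only if the peer is the pinned server.

        First contact: no pin exists, so record endpoint and fingerprint.
        Later contacts: endpoint and fingerprint must both match; a different
        server, or the same endpoint with a different certificate, is denied.
        """
        fp = fingerprint(cert_der)
        if self.pin is None:
            self.pin = {"endpoint": endpoint, "sha256": fp}
            self.path.write_text(json.dumps(self.pin))
            return True
        return self.pin["endpoint"] == endpoint and self.pin["sha256"] == fp


def demo() -> dict:
    """First contact, a reconnect from a fresh process, and two rejected peers."""
    pin_path = Path(tempfile.mkdtemp()) / "scm_server.pin"
    scm_cert = b"-- constructed stand-in for the SCM server's self-signed cert --"
    rogue_cert = b"-- constructed stand-in for some other certificate --"
    results = {"first_contact": PinStore(pin_path).verify("scm.example.com", scm_cert)}
    store = PinStore(pin_path)  # reloads the pin from disk, as a restarted client would
    results["reconnect"] = store.verify("scm.example.com", scm_cert)
    results["other_host"] = store.verify("other.example.com", scm_cert)
    results["other_cert"] = store.verify("scm.example.com", rogue_cert)
    return results
```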
Remediation communication
The communication between the remediation client and Tivoli Configuration
Manager Web Gateway is based on HTTP, which means that, if desired, an
HTTPS session can be used to ensure confidentiality of the communications.
3.4 Component placement
Network security is an important consideration for most organizations. New
systems and components are periodically deployed into the enterprise to meet
business needs or security requirements, and their deployment should be
consistent with existing security policies and architecture. This leads us into the
discussion about where the various pieces of the IBM Integrated Security
Solution for Cisco Networks can fit into an enterprise network.
3.4.1 Security zones
As per IBM MASS (Method for Architecting Secure Solutions), networks can be
divided into five major security zones:
Uncontrolled zone/Internet, external networks
Controlled zone/demilitarized zone (DMZ)
Controlled zone/intranet
Restricted zone/production network
Restricted zone/management network