4. The Security Compliance Manager client is armed with a remediation handler. The remediation handler provides a method of displaying the compliance posture data to the end user. In addition to informing the user of the specific posture failures, the remediation handler can display additional, customizable information informing the user what the current security policy requirements are, what steps have to be taken, and whom to contact for additional assistance with resolving the specific compliance violations. Finally, the remediation handler also provides a method for reinitiating the local security compliance scanning process.

5. When the workstation has completed the remediation process and is healthy again, it will be allowed access to the production network following the next periodic status query issued by the Cisco enforcement device.

Security compliance criteria

According to the published security policy for desktops, ABBC will institute the following compliance criteria for Network Admission Control checking:

1. Local workstation password quality must meet the following criteria:

   a. Password age must not be older than 90 days.

   b. Password minimum length must be eight characters.

2. The Windows Messenger service on user workstations must be disabled.

3. A system must have run a full virus scan during the past 7 days.

4. The antivirus software version must be correct (Symantec Antivirus Version 9.0.3.100).

5. The virus definition file must be up to date, meaning not older than September 29th, 2006.

6. The users’ workstations have to run Windows XP Service Pack 2.

7. There must be specific Microsoft hotfixes (for example, we used KB896423 and KB893756) installed on the workstation.

8. The personal firewall software must be installed and running.

9. The Windows Messenger service must not be allowed.
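As an added illustration (not code from the Redbook or from the Security Compliance Manager product), the following evaluates a workstation posture record against the ABBC criteria above and produces the per-failure remediation hints the remediation handler would display. The posture dictionary keys and the sample record are constructed for this example and are not the product's collector attribute names.

```python
from datetime import date

# Policy values are those listed in the ABBC compliance criteria above.
POLICY = {
    "max_password_age_days": 90,
    "min_password_length": 8,
    "max_days_since_scan": 7,
    "av_version": (9, 0, 3, 100),
    "min_definition_date": date(2006, 9, 29),
    "os": ("Windows XP", 2),
    "hotfixes": {"KB896423", "KB893756"},
}

def parse_version(text):
    """'9.0.3.100' -> (9, 0, 3, 100) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def evaluate_posture(posture, today, policy=POLICY):
    """Return (criterion, remediation hint) pairs for each failed criterion;
    an empty list means the workstation is healthy.  The posture keys are a
    constructed format for this example, not the collector's real attributes."""
    failures = []
    age = (today - posture["password_set_on"]).days
    if age > policy["max_password_age_days"]:
        failures.append(("1a password age", "Change the local password (%d days old)." % age))
    if posture["min_password_length"] < policy["min_password_length"]:
        failures.append(("1b password length", "Set minimum password length to 8."))
    if posture["messenger_service_running"]:  # criteria 2 and 9
        failures.append(("2/9 Messenger service", "Stop and disable Windows Messenger."))
    if (today - posture["last_full_scan"]).days > policy["max_days_since_scan"]:
        failures.append(("3 virus scan", "Run a full antivirus scan."))
    if parse_version(posture["av_version"]) != policy["av_version"]:
        failures.append(("4 antivirus version", "Install antivirus 9.0.3.100."))
    if posture["definition_date"] < policy["min_definition_date"]:
        failures.append(("5 virus definitions", "Update the virus definition file."))
    if (posture["os_name"], posture["service_pack"]) != policy["os"]:
        failures.append(("6 operating system", "Install Windows XP Service Pack 2."))
    missing = policy["hotfixes"] - set(posture["hotfixes"])
    if missing:
        failures.append(("7 hotfixes", "Install " + ", ".join(sorted(missing)) + "."))
    if not posture["firewall_running"]:
        failures.append(("8 personal firewall", "Install and start the personal firewall."))
    return failures

# Constructed sample posture: password set 123 days before 2006-10-02, one hotfix missing.
SAMPLE = {"password_set_on": date(2006, 6, 1), "min_password_length": 8,
          "messenger_service_running": False, "last_full_scan": date(2006, 9, 28),
          "av_version": "9.0.3.100", "definition_date": date(2006, 9, 30),
          "os_name": "Windows XP", "service_pack": 2, "hotfixes": ["KB896423"],
          "firewall_running": True}
```

Calling `evaluate_posture(SAMPLE, today)` with today set to 2 October 2006 reports only the password age and the missing KB893756 hotfix; once both are remediated the list is empty and the client would rescan and report the workstation healthy.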

Remediation services

ABBC will deploy and configure the infrastructure to enforce network admission based on business policy. However, to minimize the impact on users’ productivity, the remediation methodology will utilize automated remediation processes.

It must be noted that the Network Admission Control (NAC) system is not intended to be a replacement for traditional workstation life cycle management. As documented in 2.3.2, “Security policy life cycle management” on page 30, we

100 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
