with the Web Gateway component to allow for automated remediation at the workstation level without needing a Tivoli Framework endpoint installed.

Again referencing Figure 5-3 on page 102, note that the total solution is comprised of three major subsystems: the compliance subsystem, the Network Admission Control subsystem, and the remediation subsystem. The implementation of these subsystems is described in the following three chapters.

In logical terms, we can combine the Network Admission Control subsystem and the compliance subsystem into a logical network admission policy. This collective network admission policy is comprised of the establishment and enforcement of compliance criteria.

Establishing compliance criteria

In this section we describe the process of establishing the compliance criteria based on the security policy for desktops described in 5.2.1, “Security compliance requirements” on page 96.

Configuring the compliance server

Let us create the compliance criteria, the policy, that is used to evaluate the client posture. Chapter 6, “Compliance subsystem implementation” on page 125, describes the detailed flow of the overall installation and configuration, including the assignment of the policy to the client groups. Additionally, administrative Security Compliance Manager information, such as importing and modifying policies, can be found in the Tivoli Security Compliance Manager Version 5.1: Administration Guide, SC32-1594. Our focus here is to show how to manage the policy versioning needed for policy life cycle management.

The IISSCN_TCM_v2.00_WinXP.pol policy bundle, which is available from the IBM Tivoli Security Compliance Manager 5.1 Utilities Web page (see “Online resources” on page 484), is used as our initial reference policy. This policy bundle contains the posture collectors that are used to make client-side compliance decisions. This policy is imported into the IBM Security Compliance Manager environment and modified to meet ABBC’s functional requirements.

Note: This solution is still being developed, so it is likely that the specific version of the referenced posture policy, IISSCN_TCM_v2.00_WinXP.pol, may not be publicly available by the time you read this book. However, we expect that the general contents of the default posture policy will be fairly consistent. Thus, the procedures for setting up policies as outlined in this book most likely can be followed using the policies that IBM has available.

Chapter 5. Solution design 103
