Note: With the availability of Cisco’s Network Admission Control Appliance (NAC Appliance) offering, the Network Admission Control subsystem can be delivered by NAC Framework or NAC Appliance. While the interfaces between these two offerings vary, the Tivoli Security Compliance Manager and Tivoli Configuration Manager subsystems are designed to work with either version of Cisco’s NAC offerings. A minor difference exists in the interface between Tivoli Security Compliance Manager and the selected Network Admission Control offering, but all of the policies and remediation objects built for Tivoli Security Compliance Manager and Tivoli Configuration Manager can be used interchangeably with either Cisco offering.

Customers have to choose between a NAC Framework and a NAC Appliance implementation, because applications that are compatible with NAC Framework do not work with NAC Appliance: the interfaces are currently dissimilar. It is Cisco’s stated intention to make NAC Framework and NAC Appliance solutions compatible, but at the current time, this is not the case.

In most cases, customers who run homogeneous Cisco networks and have long-range NAC plans will be able to start with NAC Framework and deploy in phases. For customers with heterogeneous networks containing non-Cisco equipment or customers who wish to start with a smaller entry price and deployment footprint while still retaining the option to migrate to a full NAC Framework solution, NAC Appliance is the better choice.

For the purposes of this book, the majority of the content is targeted at NAC Framework solutions.

Security Compliance Manager

IBM Tivoli Security Compliance Manager performs the functions of managing security compliance policies and monitoring compliance of clients to these policies. It plays a vital role in deploying predefined policies and providing a repository for reporting that can help corporate auditors. The Security Compliance Manager server has a built-in reporting engine that can be used to produce standard reports as required by security officers. It can also utilize external report generators such as IBM DB2® Alphablox or Crystal Reports for ad hoc reporting.

The relationship between the Security Compliance Manager server and client is more accurately described as an agent/manager model than a client/server architecture. The Security Compliance Manager client acts as an agent, collecting data from the client subsystem on a predefined schedule or at the request of the Security Compliance Manager server and sending the requested data back to the server. The Security Compliance Manager server acts as a manager, issuing requests to clients and receiving data collections from them.

Chapter 2. Architecting the solution
