• If the client is not Security Compliance Manager policy-enabled, it is denied access to the corporate network and may be allowed only restricted access to the Internet, or may be denied access to all networks.

• When a client is quarantined, the user is given a choice either to remediate manually using the provided instructions or to use an automated remediation process by clicking a button on the pop-up window (if the Tivoli Configuration Manager infrastructure exists).

Figure 2-3 Basic overview of NAC functionality (figure not reproduced; labels: Untrusted LAN, Trusted LAN, Remediation LAN; client states Healthy/Compliant, Quarantined/Non-compliant, Denied/Clientless; Corporate Resources, TCM Server, Remediation)

In general, any admission control solution can base the admission decision on a number of factors. Authentication decisions are identity-based and the admission decisions are based on who is attempting access. Posture decisions are integrity-based and depend on the integrity of the device being used for access.

Posture-based NAC is designed to protect the network from threats introduced by noncompliant workstations. Workstation-related information is presented to the authorization server. It describes the current state of the hardware, operating system, and installed applications (for example, the list of patches installed, version of installed antivirus or personal firewall software, version of virus definition file, the date of the last full scan). With Layer 3 NAC, it is not straightforward to tie the identity-based and posture-based admission decisions together. Since they operate in two different time frames with regard to network
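The posture evaluation described above, as an added illustration that is not code from the Redbook or from the Tivoli/Cisco products: a constructed posture report carrying the attributes the text lists is checked against a hypothetical policy and mapped to the client states and network placements of Figure 2-3. The Posture and Policy classes, the thresholds and the sample clients are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constructed posture report, modelled on the attributes the text lists
# (installed patches, antivirus version, definition-file date, last full scan).
@dataclass
class Posture:
    patches: set = field(default_factory=set)
    av_version: tuple = (0, 0)
    definitions_date: date = date.min
    last_full_scan: date = date.min

# Hypothetical compliance policy; the thresholds are assumptions, not product defaults.
@dataclass
class Policy:
    required_patches: set
    min_av_version: tuple
    max_definition_age_days: int
    max_scan_age_days: int

def evaluate_posture(posture, policy, today):
    """Map a posture report to (state, network placement, findings), following
    Figure 2-3: Healthy -> Trusted LAN, Quarantined -> Remediation LAN, Clientless -> Denied."""
    if posture is None:  # clientless: no posture agent reported anything
        return "Denied", "no network", ["clientless: no posture report received"]
    findings = []
    missing = policy.required_patches - posture.patches
    if missing:
        findings.append("missing patches: " + ", ".join(sorted(missing)))
    if posture.av_version < policy.min_av_version:
        findings.append("antivirus %s below required %s"
                        % (posture.av_version, policy.min_av_version))
    if (today - posture.definitions_date).days > policy.max_definition_age_days:
        findings.append("virus definitions older than %d days" % policy.max_definition_age_days)
    if (today - posture.last_full_scan).days > policy.max_scan_age_days:
        findings.append("last full scan older than %d days" % policy.max_scan_age_days)
    if findings:  # non-compliant: park on the remediation LAN until fixed
        return "Quarantined", "Remediation LAN", findings
    return "Healthy", "Trusted LAN", findings

POLICY = Policy({"KB1", "KB2"}, (7, 1), 7, 30)  # constructed sample policy
TODAY = date(2024, 1, 31)
# Constructed sample clients: one fully compliant, one with three policy gaps.
HEALTHY_CLIENT = Posture({"KB1", "KB2"}, (7, 2), TODAY - timedelta(days=1), TODAY - timedelta(days=3))
STALE_CLIENT = Posture({"KB1"}, (7, 0), TODAY - timedelta(days=20), TODAY - timedelta(days=3))
if __name__ == "__main__":
    for client in (HEALTHY_CLIENT, STALE_CLIENT, None):
        print(evaluate_posture(client, POLICY, TODAY))
```

The findings list is what a remediation pop-up would present to the user; a real deployment would take the thresholds from the Security Compliance Manager policy rather than hard-coding them.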

Chapter 2. Architecting the solution

21
