2.2 Definition of a Network Admission Control project

Objectives of a Network Admission Control solution must be carefully planned because the result of having a large number of workstations quarantined may be more disruptive to the business than a particular virus attack.

Planning the Network Admission Control is an organizational challenge for most enterprises as it requires close cooperation among different groups of people in different roles, typically not closely related:

- Security officers responsible for the formal audit and compliance process

- Network administrators responsible for configuration of network devices

- Administrators responsible for everyday PC configuration and maintenance

It is essential to follow these steps in the implementation of the IBM Tivoli Security Compliance Manager and Cisco Network Admission Control:

- Creation of the policies to meet the business requirements and needs

- Building the policies on the compliance server

- Deploying the clients with the required software and initial policy

- Defining and implementing the remediation process

- Preparing the network infrastructure

- Turning on the security compliance enforcement

2.2.1 Phased rollout approach

Enforced Network Admission Control solutions are new to the industry and are not yet widely adopted, so a phased approach to rollout is highly recommended.

In the first phase the most vulnerable network segments should be selected. These networks can be selected based on network topology knowledge or on the statistics from threat monitoring software.

NAC planning and deployment may be combined with the process of deploying wireless networks, along with IEEE 802.1x authentication.
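The following is an added, illustrative model of the steps listed above and of the phased rollout; it is not IBM Tivoli Security Compliance Manager or Cisco NAC code. A compliance policy (the "policies built on the compliance server") is evaluated against the posture each client reports, and enforcement is switched on per network segment: segments not yet in the enforced set run in audit mode, where violations are recorded but the client is still admitted. The audit-mode dry run returns the fraction of hosts per segment that the policy would quarantine, which is the figure needed to judge whether enabling enforcement on a segment would be more disruptive than the threat it addresses. Policy values, segment names, patch identifiers and client records are all constructed.

```python
"""Illustrative NAC posture-policy evaluator with per-segment phased
enforcement. Added example; it models the concepts in the text and is
not IBM Tivoli Security Compliance Manager or Cisco NAC code. All policy
values, segment names, patch identifiers and client records are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Posture outcomes, loosely following NAC vocabulary.
HEALTHY = "Healthy"
QUARANTINE = "Quarantine"


@dataclass(frozen=True)
class Policy:
    """Compliance policy as it would be built on the compliance server."""
    min_av_signature: int              # minimum anti-virus signature version
    required_patches: FrozenSet[str]   # patch identifiers that must be present
    required_agent_version: str        # compliance client version expected


@dataclass(frozen=True)
class Client:
    """Posture a workstation's compliance client reports (constructed)."""
    hostname: str
    segment: str
    av_signature: int
    patches: FrozenSet[str]
    agent_version: str


def evaluate(policy: Policy, client: Client) -> List[str]:
    """Return the policy violations for one client; an empty list is compliant."""
    violations: List[str] = []
    if client.agent_version != policy.required_agent_version:
        violations.append("agent-version")
    if client.av_signature < policy.min_av_signature:
        violations.append("av-signature")
    missing = policy.required_patches - client.patches
    if missing:
        violations.append("missing-patches:" + ",".join(sorted(missing)))
    return violations


def decide(policy: Policy, client: Client,
           enforced_segments: Set[str]) -> Tuple[str, List[str]]:
    """Phased rollout: only clients on enforced segments receive Quarantine.
    Elsewhere the violations are returned for logging (audit mode) but the
    client is admitted as Healthy, so a bad policy cannot cut off a segment
    before its quarantine rate has been reviewed."""
    violations = evaluate(policy, client)
    if violations and client.segment in enforced_segments:
        return QUARANTINE, violations
    return HEALTHY, violations


def quarantine_rate_by_segment(policy: Policy,
                               clients: List[Client]) -> Dict[str, float]:
    """Audit-mode dry run: fraction of hosts per segment the policy would
    quarantine if enforcement were switched on there."""
    totals: Dict[str, int] = {}
    failing: Dict[str, int] = {}
    for c in clients:
        totals[c.segment] = totals.get(c.segment, 0) + 1
        if evaluate(policy, c):
            failing[c.segment] = failing.get(c.segment, 0) + 1
    return {seg: failing.get(seg, 0) / n for seg, n in totals.items()}


# Constructed policy and client inventory for the dry run.
POLICY = Policy(min_av_signature=5120,
                required_patches=frozenset({"KB-A", "KB-B"}),
                required_agent_version="5.1")

CLIENTS = [
    Client("ws-lab-01", "lab", 5130, frozenset({"KB-A", "KB-B"}), "5.1"),
    Client("ws-lab-02", "lab", 4990, frozenset({"KB-A"}), "5.1"),
    Client("ws-lab-03", "lab", 5125, frozenset({"KB-A", "KB-B"}), "5.0"),
    Client("ws-fin-01", "finance", 5130, frozenset({"KB-A", "KB-B"}), "5.1"),
    Client("ws-fin-02", "finance", 5130, frozenset({"KB-A", "KB-B"}), "5.1"),
    Client("ws-fin-03", "finance", 5130, frozenset({"KB-B"}), "5.1"),
    Client("ws-fin-04", "finance", 5130, frozenset({"KB-A", "KB-B"}), "5.1"),
]

if __name__ == "__main__":
    # Step 1 of the phased rollout: audit everything, enforce nothing.
    for seg, rate in quarantine_rate_by_segment(POLICY, CLIENTS).items():
        print(f"{seg}: {rate:.0%} of hosts would be quarantined")
    # Step 2: turn enforcement on for the segment chosen for the first phase.
    for c in CLIENTS:
        token, why = decide(POLICY, c, enforced_segments={"lab"})
        print(f"{c.hostname:10s} {c.segment:8s} {token:10s} {why}")
```

Running the dry run on the constructed inventory shows the lab segment at a two-thirds quarantine rate and finance at one quarter; with only `lab` enforced, `ws-fin-03` is still admitted while its missing patch is recorded for the remediation process.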

26 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
