NAC Appliance Manager

A policy on the NAC Appliance Manager must be created to check for the following two requirements:

• The Security Compliance Manager Client is running as a service.

• The c:\Program Files\IBM\SCM\Client\NACApplianceCompliance.properties file exists.

Considerations for designing a production solution

Once the existing prototype components have been integrated in a non-production environment, several facts should become evident that must be considered before designing a production-class solution based on this design. The following list covers these issues, but it is not a complete list. Every deployment has different factors that must be considered, but these items should be common to most deployments.

• Security concerns - Several of the prototype components store sensitive information such as passwords in plain text. This is an advantage for training and discovery, but it is also a security vulnerability. Even if the sensitive data is passed to the client in Collector parameters, these are still entered and stored in plain text in the Security Compliance Manager console. In addition, several of the files that are used to capture state on the client are not protected and could be manipulated by users. We recommend that these files be set to hidden, with administrative privileges required to access them.

• Timing - With the current version of the prototype policy collector, there are several possible timing issues that introduce potential vulnerabilities in the solution. Features expected in upcoming software releases should be able to address these vulnerabilities. Most of them are related to post-admission processing.

• Post-admission processing - With post-admission processing, the Security Compliance Manager Client periodically rescans the endpoint for violations. The normal behavior when a violation is found is to present the remediation handler interface to the user and proceed as usual. In contrast, the prototype policy collector provided for this integration does not present this interface in this situation. Instead, it marks the endpoint as noncompliant by deleting the compliance semaphore file and then terminates the user's network session, forcing the user to restart the admission process. During this second admission process, the absence of the compliance semaphore file causes the NAC Appliance to quarantine the endpoint, at which point the client enters the same state as in pre-admission. The prototype version uses the kickrich.html form to initiate the termination of the user's current session, but this leaves the user's session active until he responds to the HTML form.
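The file hardening recommended under "Security concerns" above, together with the two checks the NAC Appliance Manager policy performs, as an added PowerShell example that is not from the Redbook or the SCM product. The SCM client service name and the compliance semaphore file name are placeholders; substitute the values from your own installation and run the script as an administrator.

```powershell
# Added example (not IBM/Cisco code): lock down the client-side state files and
# reproduce the two NAC Appliance Manager policy checks.
# ASSUMPTIONS: service name and semaphore file name are placeholders.
$PropertiesFile = 'C:\Program Files\IBM\SCM\Client\NACApplianceCompliance.properties'
$SemaphoreFile  = 'C:\Program Files\IBM\SCM\Client\<compliance-semaphore-file>'  # placeholder
$ScmServiceName = '<SCM-client-service-name>'                                     # placeholder

function Protect-ComplianceFile {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting the permissive ACEs from Program Files and drop every
    # explicit ACE, so ordinary users can no longer read, change or delete it.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Hide the file as the text recommends. Hiding is cosmetic; the ACL above
    # is what actually prevents a user from forging or removing the file.
    $item = Get-Item -LiteralPath $Path -Force
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::Hidden
    return $true
}

function Test-NacPolicyRequirements {
    # Mirrors the two requirements the NAC Appliance Manager policy checks.
    $svc = Get-Service -Name $ScmServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceRunning       = ($null -ne $svc -and $svc.Status -eq 'Running')
        PropertiesFileExists = (Test-Path -LiteralPath $PropertiesFile)
    }
}

foreach ($f in $PropertiesFile, $SemaphoreFile) {
    if (Protect-ComplianceFile -Path $f) { "Protected $f" } else { "Missing: $f" }
}
Test-NacPolicyRequirements
```

Re-run Test-NacPolicyRequirements after hardening to confirm the policy checks still pass for the SYSTEM account the client service runs under.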

464 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
