This means that for each desired change in the configuration settings, there must be an appropriate configuration change process in place to perform the change on the affected systems. For example, if a security policy states that every workstation must have antivirus software installed, there has to be a corresponding software installation process that distributes it to clients in keeping with that policy.

Depending on the size of the environment, this can be achieved in a number of ways: fully automated, manually, or in some way in between. Depending on the type of policy, a different grace period for the implementation may be granted.

Enforcement

Before the IBM Integrated Security Solution for Cisco Networks was introduced to the corporate environment, the only way to enforce the security policy on clients connecting to the network was to periodically audit the configuration of individual user PC workstations. This was ineffective and costly: the process was resource-intensive, and the results were not satisfactory. With the IBM Integrated Security Solution for Cisco Networks in place, a noncompliant client that tries to connect to the network can be denied access to corporate resources or quarantined (that is, allowed to connect only to one designated remediation network) until the workstation regains a compliant state according to the policies.

Review and update

As the IT environment and business requirements may change frequently, the security policy should be reviewed periodically and updated to reflect current security threats and business goals.

Updating the policy requires special attention, because the policy version is the first value checked by the posture validation server in the IBM Integrated Security Solution for Cisco Networks. It is an important architectural decision whether clients holding an outdated policy version should be admitted to the network so that they can reach the compliance server and be updated, or whether they should first be updated through a remediation process and only then, once compliant, be granted further network access. The second approach is more secure, but it requires the automated remediation process to be operational.
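The following is an added illustration of the admission logic described in this section and in "Enforcement" above; it is example code written for this edit, not code from the IBM Tivoli or Cisco products. It models a posture validation server that checks the client's policy version before anything else and then evaluates the posture attributes, with the two architectural options for outdated clients selectable by a flag. The policy attributes, the `Posture` and `Policy` classes and the `remediate` helper are hypothetical simplifications; the product's real attribute names and protocol are not reproduced here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"            # full access to corporate resources
    QUARANTINE = "quarantine"  # designated remediation network only
    DENY = "deny"              # no access at all


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy: a version number and the settings it requires."""
    version: int
    required: dict  # posture attribute -> required value


@dataclass
class Posture:
    """Hypothetical client report: the policy version it holds and its settings."""
    policy_version: int
    attributes: dict


def admission_decision(policy: Policy, posture: Optional[Posture],
                       remediate_first: bool = True) -> Tuple[Verdict, str]:
    """Return (verdict, reason) for one client connection attempt.

    remediate_first=True  models the more secure option: an outdated client is
                          quarantined until remediation has pushed the current
                          policy, and only then is its posture evaluated.
    remediate_first=False models the less secure option: an outdated client is
                          admitted so it can reach the compliance server, which
                          means its posture has not yet been validated against
                          the current policy when it gets on the network.
    """
    if posture is None:
        # No posture report at all (for example, no agent): deny outright.
        return Verdict.DENY, "no posture reported"

    # The policy version is the first value checked.
    if posture.policy_version != policy.version:
        if remediate_first:
            return Verdict.QUARANTINE, "outdated policy"
        return Verdict.ALLOW, "outdated policy, admitted to fetch update"

    # Version matches: now compare every required attribute.
    missing = [name for name, value in policy.required.items()
               if posture.attributes.get(name) != value]
    if missing:
        return Verdict.QUARANTINE, "noncompliant: " + ", ".join(sorted(missing))
    return Verdict.ALLOW, "compliant"


def remediate(policy: Policy, posture: Posture, service_online: bool = True) -> bool:
    """Simulated remediation: push the current policy and enforce its settings.

    Returns False when the remediation service is unavailable, which is the
    operational dependency of the remediate-first design: the client then
    stays in quarantine until the service is back.
    """
    if not service_online:
        return False
    posture.policy_version = policy.version
    posture.attributes.update(policy.required)
    return True


# Constructed sample data for a stand-alone run.
CURRENT_POLICY = Policy(version=3, required={"antivirus_installed": True,
                                             "firewall_enabled": True})

if __name__ == "__main__":
    client = Posture(policy_version=2, attributes={"antivirus_installed": False,
                                                   "firewall_enabled": True})
    print("remediate first:", admission_decision(CURRENT_POLICY, client))
    print("admit first:    ", admission_decision(CURRENT_POLICY, client,
                                                 remediate_first=False))
    remediate(CURRENT_POLICY, client)
    print("after update:   ", admission_decision(CURRENT_POLICY, client))
```

The point the run makes is the one the section raises: with `remediate_first=False`, a workstation carrying an old policy version and no antivirus is admitted to the network before its posture has been validated, whereas with `remediate_first=True` it reaches only the remediation network and is admitted only after `remediate` has succeeded.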

2.3.3 Solution objectives

Several business drivers for the IBM Integrated Security Solution for Cisco Networks were described in 1.2, “Why we need this” on page 5. A particular implementation may require all of these drivers or only a subset, so the selected objectives should be documented. The solution objectives will eventually drive most of the architectural decisions in the design process.
