In the reference architecture described later in this book, there are several untrusted networks that serve as the default networks to which users are assigned based on identity-based authentication. When clients are in a healthy state, they should be placed in the default network that corresponds to the user's identity.

Quarantine access

We use this term to refer to the network resources that a quarantined client must still be able to reach. Network access is governed by the content of an access control list (ACL) applied to the router or switch port to which the client is connected, and this ACL may include several specific IP addresses required for remediation.

Depending on the solution design, remediation resources may include:

- Remediation server

- Compliance server

- Software distribution depot

- Internet access proxy
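To make the quarantine ACL concrete, the following is an added example (not code from the Redbook or from IBM/Cisco): it builds a port ACL that permits only the remediation resources listed above, renders it in Cisco IOS extended-ACL syntax, and evaluates sample packets with the same first-match, implicit-deny semantics a router applies. All IP addresses, ports and the DNS entry are constructed placeholders (RFC 5737 documentation ranges); the DNS permit is an assumption added because a client usually needs name resolution before it can use the proxy.

```python
"""Build and evaluate a quarantine ACL (added example, not from the Redbook).

Assumptions: remediation hosts below are constructed placeholder addresses;
the rendered syntax mimics Cisco IOS named extended ACLs, but evaluation is
done by a small first-match simulator here, not by a router.
"""
import ipaddress

# Constructed remediation resources a quarantined client may still reach:
# name -> (host, protocol, destination port)
REMEDIATION_RESOURCES = {
    "remediation-server": ("192.0.2.10", "tcp", 443),
    "compliance-server": ("192.0.2.20", "tcp", 8443),
    "software-depot": ("192.0.2.30", "tcp", 80),
    "internet-proxy": ("192.0.2.40", "tcp", 8080),
}
DNS_SERVER = "192.0.2.53"  # assumption: name resolution is needed to reach the proxy


def build_quarantine_acl(resources, dns_server):
    """Return ACL entries as (action, proto, dst_network, dst_port_or_None).

    Order matters: extended ACLs are evaluated top-down, the first matching
    entry wins, and anything unmatched falls through to the deny at the end.
    """
    acl = [("permit", "udp", ipaddress.ip_network(dns_server), 53)]
    for _, (host, proto, port) in sorted(resources.items()):
        acl.append(("permit", proto, ipaddress.ip_network(host), port))
    # Explicit catch-all deny so the drop policy is visible (and has counters).
    acl.append(("deny", "ip", ipaddress.ip_network("0.0.0.0/0"), None))
    return acl


def render_ios(acl, name="QUARANTINE"):
    """Render the entries in Cisco IOS named-ACL syntax (illustrative only)."""
    lines = [f"ip access-list extended {name}"]
    for action, proto, net, port in acl:
        if net.prefixlen == 0:
            dst = "any"
        elif net.num_addresses == 1:
            dst = f"host {net.network_address}"
        else:
            dst = f"{net.network_address} {net.hostmask}"  # IOS uses wildcard masks
        port_part = f" eq {port}" if port is not None else ""
        lines.append(f" {action} {proto} any {dst}{port_part}")
    return "\n".join(lines)


def acl_decision(acl, proto, dst_ip, dst_port=None):
    """Simulate first-match evaluation; implicit deny if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    for action, acl_proto, net, port in acl:
        if acl_proto != "ip" and acl_proto != proto:
            continue
        if ip not in net:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"


ACL = build_quarantine_acl(REMEDIATION_RESOURCES, DNS_SERVER)

if __name__ == "__main__":
    print(render_ios(ACL))
    # Constructed sample packets: allowed remediation traffic, a non-remediation
    # host, DNS, and an unexpected port on an allowed host.
    for pkt in [("tcp", "192.0.2.10", 443), ("tcp", "203.0.113.7", 443),
                ("udp", "192.0.2.53", 53), ("tcp", "192.0.2.10", 22)]:
        print(pkt, "->", acl_decision(ACL, *pkt))
```

The point the simulator makes is that the quarantine ACL is an allow-list: every remediation host is named explicitly with its protocol and port, and a quarantined client reaching anything else, including an unexpected port on a permitted host, falls through to the deny entry.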

Trusted network

In a real-world scenario this term is used for static, internal network segments to which no clients are physically connected. In this book, we consider as trusted any network segment that is excluded from NAC. Of course, other security controls such as firewalls may still apply, but this is outside the scope of this book.

Performance controls

Network admission control introduces two timing parameters used to control solution behavior:

Revalidation period: Defines how often the whole NAC procedure is repeated for clients that are already connected.

Status query period: Defines how often the NAC router asks the posture agent whether the posture has changed. This second type of polling enables a revalidation to be initiated if the client posture changes significantly (for example, if the user stops or disables an essential service required by the policy).

Depending on these settings, policy enforcement may be more or less strict, but they also affect the end-user experience and network performance.
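The interaction between the two timers is easier to see in a small simulation. The following is an added example (not code from the Redbook or from the Tivoli/Cisco products): it models a constructed client session in which the router revalidates every revalidation period, polls the posture agent every status query period, and treats a poll that reports a changed posture as a trigger for an immediate revalidation that also resets the revalidation timer. The posture values, periods and event times are constructed inputs; the trigger-and-reset behaviour is a modelling assumption, not a statement about how the products implement it.

```python
"""Simulate NAC revalidation and status-query timers (added example).

Model assumptions (constructed, not product behaviour): time runs in whole
seconds; a status query that sees a posture different from the last one
reported triggers an immediate revalidation and restarts the revalidation
timer; routine revalidations otherwise occur every revalidation_period.
"""
from dataclasses import dataclass, field


@dataclass
class ClientSession:
    revalidation_period: int   # seconds between full NAC revalidations
    status_query_period: int   # seconds between posture-agent status queries
    initial_posture: str = "Healthy"
    # constructed input: time (s) -> posture the agent reports from then on
    posture_changes: dict = field(default_factory=dict)


def simulate(session, duration):
    """Run the session for ``duration`` seconds.

    Returns (revalidations, status_queries, detection_delay):
      revalidations   list of (time, reason), reason 'timer' or 'posture-change'
      status_queries  number of status-query polls sent
      detection_delay seconds from the first posture change to the
                      revalidation it triggered, or None if no change occurred
    """
    revalidations = []
    queries = 0
    next_reval = session.revalidation_period
    next_query = session.status_query_period
    last_seen = session.initial_posture       # posture known from admission
    detection_delay = None
    change_times = sorted(session.posture_changes)
    first_change = change_times[0] if change_times else None

    for t in range(1, duration + 1):
        if t == next_query:
            queries += 1
            # The agent reports the newest posture in effect at time t.
            current = session.initial_posture
            for ct in change_times:
                if ct <= t:
                    current = session.posture_changes[ct]
            next_query = t + session.status_query_period
            if current != last_seen:
                last_seen = current
                revalidations.append((t, "posture-change"))
                if detection_delay is None and first_change is not None:
                    detection_delay = t - first_change
                next_reval = t + session.revalidation_period  # timer restarts
                continue
        if t == next_reval:
            revalidations.append((t, "timer"))
            next_reval = t + session.revalidation_period
    return revalidations, queries, detection_delay


def compare_query_periods(query_periods, change_time, duration, reval_period=300):
    """Show the trade-off: polling load versus detection delay for one posture change."""
    results = {}
    for qp in query_periods:
        s = ClientSession(reval_period, qp, posture_changes={change_time: "Quarantined"})
        _, queries, delay = simulate(s, duration)
        results[qp] = (queries, delay)
    return results


if __name__ == "__main__":
    # Constructed scenario: the user disables a required service at t=100 s.
    session = ClientSession(300, 60, posture_changes={100: "Quarantined"})
    print(simulate(session, 600))
    print(compare_query_periods([30, 60, 300], change_time=100, duration=600))
```

With a 60-second status query and a 300-second revalidation period, the change at 100 s is noticed at the 120 s poll and the next routine revalidation moves from 300 s to 420 s; stretching the query period to 300 s cuts the polling load from ten queries to two, but the same change is only caught 200 s after it happened. That is the trade-off the paragraph above describes.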

The revalidation process enables the client to pick up changes in a security policy version if no other distribution mechanism is defined. However, as a result of the NAC process, a user connecting to the network is presented with a pop-up window showing the current status (Healthy, Quarantined, Checkup, Infected, or Unknown). If the

34 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
