particular security compliance concept is aimed at validating client access to the corporate network, so it is mandatory that the system is available at all times.

As mentioned in Chapter 1, “Business context” on page 3, this concept can be deployed in stages, first targeting the most vulnerable user group (such as WLAN users) or a branch office that may have a security exposure, and then being deployed across the whole enterprise. This concept is flexible, can be implemented with the minimum required equipment, and can be scaled up to become a highly available solution as business demands.

If an existing infrastructure has all of the required components for Cisco Network Admission Control already in place, only a Tivoli Security Compliance Manager server and clients are to be deployed. This both protects the investment and provides an avenue to obtain additional benefits from the existing infrastructure. Similarly, if a Tivoli Security Compliance Manager server has already been deployed for server compliance control, it will be easier to use the existing Security Compliance Manager server and extend this concept to desktop workstations.

It is recommended that when this concept is deployed enterprise-wide, adequate redundancies for individual components are put in place. For example, a NAC-enabled Cisco router (Network Access Device) utilizes a secondary router that is configured in a redundant pair using Hot Standby Routing Protocol (HSRP), and Cisco Secure Access Control Servers are configured as a redundant pair in Active-Active or Active-Standby mode. These different devices and applications are explained in more detail in 3.1, “Logical components” on page 40.
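The following Cisco IOS fragment is an added illustration of what the redundant NAC-enabled router pair with HSRP looks like in configuration; it is not taken from the Redbook or from any Cisco reference design. Hostnames, interface names, addresses, the HSRP group number and the tracked object are assumptions made for the example, and the NAC admission commands themselves are deliberately omitted, since the book does not show them here.

```ios
! Added example: two NAC-enabled routers sharing one virtual gateway address via HSRP.
! Clients on the enforcement VLAN use only the virtual address (10.10.10.1) as their
! default gateway, so a failure of the active router is transparent to them.
! All names, addresses and numbers below are assumed for illustration.
!
! --- Router A (normally active) ---
hostname NAC-RTR-A
!
! Tracked object: the uplink toward the Cisco Secure ACS servers.
! If this link goes down, the router lowers its HSRP priority so the peer takes over.
track 20 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 description Client VLAN - NAC enforcement point
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string <hsrp-key-placeholder>
 standby 10 track 20 decrement 20
!
! --- Router B (normally standby) ---
hostname NAC-RTR-B
!
interface GigabitEthernet0/1
 description Client VLAN - NAC enforcement point
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 authentication md5 key-string <hsrp-key-placeholder>
```

Two points matter for the compliance use case. First, the NAC and AAA configuration (the admission policy and the RADIUS definitions pointing at both ACS servers) must be identical on both routers; HSRP only moves the gateway address, so a standby router with a weaker or missing admission policy would silently bypass enforcement after a failover. Second, the MD5 authentication on the HSRP group prevents a rogue host on the client VLAN from claiming the active role and becoming the default gateway. After applying the configuration, `show standby brief` on each router confirms which one is active and that both see the same virtual IP.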

If an organization has already deployed a Cisco Secure ACS v3.3 server for TACACS+ use, the same server can be utilized for the IBM Integrated Security Solution for Cisco Networks concept, thus safeguarding the existing investment. Depending on the size of your infrastructure, load may become an issue for your Cisco Secure ACS. The server will require an upgrade to Release 4.0 or later to support Layer 2 NAC.

Based on initial deployments, a single Security Compliance Manager Server V5.1 is capable of handling approximately 10,000 concurrent desktop clients. For the IBM Integrated Security Solution for Cisco Networks, the Security Compliance Manager server is not mission critical. It is required only for policy deployment and reporting.

For the manual remediation process, existing infrastructure (such as a Web-based download or update server) may be utilized to distribute fixes and patches. Tivoli Provisioning Manager can be used to assist in the automation of the remediation process, taking advantage of its workflow capability.

36 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
