In the IBM Integrated Security Solution for Cisco Networks, the collector is called a posture collector. A posture collector consists of two parts: posture data collection and posture status determination. The posture data collection part is the same as in a regular Security Compliance Manager collector, whereas the posture status determination part is an extension to the standard model. A posture collector determines the client posture status by checking or comparing a collected value against a required value. The required posture data value is part of the collector itself: it is set by editing the collector parameters when the collector is created on the Security Compliance Manager server.

If required posture data values are null in the parameters, the posture determination part is not executed. Each posture collector stores into the posture cache:

• Collected posture data

• Posture status, which is one of the set {PASS, FAIL, WARN, ERROR}

• Optional posture messages

• Zero or more remediation actions

The posture collector also contains appropriate information to be used in order to remediate any compliance violations.

A posture collector can be called by the Security Compliance Manager server or by the policy collector on the client, or it can be scheduled.

Note: Organizations having Security Compliance Manager deployed can use Security Compliance Manager collectors and posture collectors at the same time, but only posture collectors can trigger posture violations and hence trigger NAC enforcement. To enforce a compliance policy before a client connects to the enterprise network, posture collectors have to be deployed using the IBM Integrated Security Solution for Cisco Networks.

Policy collector

After the posture collectors have collected all required information from the client system, the policy collector counts the number of posture collector results that show noncompliance; this number forms the violation count. The violation count and the policy collector's version information together form the posture credentials. The policy collector also receives back the client's posture as evaluated by the posture validation server (ACS). Depending on the client's posture status, the policy collector calls the default remediation handler to present information about the noncompliant items on the client system to the end user.
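The following is an added example, not code from the IBM product or the Redbook, that models the posture collector and policy collector flow described in the two sections above: each posture collector collects a value, skips status determination when no required value was configured, otherwise compares the collected value with the required value and records a status from {PASS, FAIL, WARN, ERROR} plus messages and remediation actions in a posture cache; the policy collector then counts the noncompliant results and builds the posture credentials from the violation count and its version. All class, function and collector names, the comparator semantics (including when WARN is returned) and the rule that only FAIL counts as a violation are assumptions of this example, as are the sample collectors, which are constructed stand-ins for real checks.

```python
# Toy model of posture collectors and the policy collector (added example,
# not the Tivoli Security Compliance Manager API; all names are hypothetical).
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

PASS, FAIL, WARN, ERROR = "PASS", "FAIL", "WARN", "ERROR"


@dataclass
class PostureResult:
    """One entry in the posture cache."""
    collector: str
    data: Any                          # collected posture data
    status: Optional[str]              # PASS/FAIL/WARN/ERROR, or None if not determined
    messages: list = field(default_factory=list)
    remediation: list = field(default_factory=list)


@dataclass
class PostureCollector:
    name: str
    collect: Callable[[], Any]                     # posture data collection
    compare: Callable[[Any, Any], str]             # posture status determination
    required: Optional[Any] = None                 # collector parameter set on the server
    remediation: list = field(default_factory=list)

    def run(self) -> PostureResult:
        try:
            value = self.collect()
        except Exception as exc:                   # collection itself failed
            return PostureResult(self.name, None, ERROR,
                                 [f"{self.name}: collection error: {exc}"])
        if self.required is None:                  # null required value: skip determination
            return PostureResult(self.name, value, None)
        status = self.compare(value, self.required)
        if status == PASS:
            return PostureResult(self.name, value, PASS)
        return PostureResult(self.name, value, status,
                             [f"{self.name}: collected {value!r}, required {self.required!r}"],
                             list(self.remediation))


# Comparators with assumed semantics (the product's own rules are not described above).
def equals(collected, required):
    return PASS if collected == required else FAIL


def at_least(collected, required):
    return PASS if collected >= required else FAIL


def max_age_days(collected, required):
    """WARN when stale but less than twice the allowed age, FAIL beyond that."""
    if collected <= required:
        return PASS
    return WARN if collected <= 2 * required else FAIL


def run_policy_collector(collectors, policy_version):
    """Run every posture collector, then build the posture credentials."""
    cache = [c.run() for c in collectors]
    # Assumption: only FAIL is counted as a violation; WARN and ERROR are not.
    violation_count = sum(1 for r in cache if r.status == FAIL)
    credentials = {"violation_count": violation_count, "policy_version": policy_version}
    return cache, credentials


def remediation_handler(cache):
    """Default remediation handler: what to show the end user for each message."""
    return [(r.collector, msg, r.remediation) for r in cache for msg in r.messages]


def _broken_collect():
    raise OSError("encryption driver not installed")


# Constructed sample collectors; the lambdas stand in for real data collection.
SAMPLE_COLLECTORS = [
    PostureCollector("av_signature_age_days", lambda: 10, max_age_days, required=7,
                     remediation=["Run the antivirus signature update"]),
    PostureCollector("personal_firewall_enabled", lambda: False, equals, required=True,
                     remediation=["Enable the personal firewall service"]),
    PostureCollector("os_patch_level", lambda: 4, at_least, required=6,
                     remediation=["Install pending operating system patches"]),
    PostureCollector("installed_software", lambda: ["vpn-client"], equals),  # inventory only
    PostureCollector("disk_encryption", _broken_collect, equals, required=True),
]

if __name__ == "__main__":
    cache, creds = run_policy_collector(SAMPLE_COLLECTORS, "policy-1.2")
    print(creds)
    for collector, msg, fixes in remediation_handler(cache):
        print(collector, "|", msg, "|", fixes)
```

With the sample collectors the antivirus check yields WARN, the firewall and patch checks FAIL, the inventory collector (no required value) gets no status, and the broken collector yields ERROR, so the posture credentials carry a violation count of 2. The point to notice is the one the note above makes: only a collector with a required value can produce a FAIL and therefore a violation, so a collector deployed without posture parameters contributes data to the cache but never triggers NAC enforcement.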

50  Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
