IBM Tivoli and Cisco manual Posture collection process flow


• Cisco Secure ACS policy creation (1d)

An ACS policy consists of rules that must match required posture criteria. Depending on the matched criteria, a token is assigned to the network client that requires validation. The token results in the network client being dynamically assigned to a group. Based on the Network Access Profiles configured on the ACS, the group has an access policy (for example, an ACL or a RAC) associated with it. Thus, depending on the client's posture, the ACS assigns an access policy to the client that is enforced by the NAD.

An example of such posture criteria in our solution is to match the OS type, the Security Compliance Manager Policy_Version noted in step 1b, and the violation count to a predetermined value defined by the enterprise policy. These criteria must be deployed as a policy on the ACS. The ACS policy also has a feature to provide an action parameter with each rule. Whenever a new Security Compliance Manager policy is deployed, the ACS Server's policy must be updated with the new Policy_Version as noted at the Security Compliance Manager server in 1b.
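The rule-to-token-to-access-policy mapping described above, as an added example that is not code from the Redbook or from Cisco ACS: the rule names, token names, group names, ACL names and sample posture credentials are constructed, and the violation count is treated as an inclusive upper bound (an assumption about how the "predetermined value" is compared). The second call shows why the ACS policy must be updated whenever a new Policy_Version is deployed.

```python
# Added example (not from the Redbook): a model of how an ACS posture policy
# maps posture credentials to a token, a group and an access policy.
# Rule names, tokens, groups, ACL names and credentials are constructed.
from dataclasses import dataclass


@dataclass
class PostureCredentials:
    """Posture credentials passed via the Cisco Trust Agent posture plug-in (2b)."""
    os_type: str
    policy_version: str      # Security Compliance Manager Policy_Version (1b)
    violation_count: int


@dataclass
class Rule:
    """One ACS rule: every criterion must match; max_violations is inclusive (assumption)."""
    name: str
    os_type: str
    policy_version: str
    max_violations: int
    token: str
    action: str = ""         # optional action parameter carried with the rule


# Token -> (group, access policy enforced by the NAD); constructed values
GROUP_POLICY = {
    "Healthy": ("Compliant", "ACL-FULL-ACCESS"),
    "Quarantine": ("Remediate", "ACL-REMEDIATION-ONLY"),
}
DEFAULT_TOKEN = "Quarantine"   # assumed fail-closed default when no rule matches


def evaluate(rules, creds):
    """Return (token, group, access policy, action) for the first matching rule."""
    for r in rules:
        if (r.os_type == creds.os_type and r.policy_version == creds.policy_version
                and creds.violation_count <= r.max_violations):
            group, acl = GROUP_POLICY[r.token]
            return r.token, group, acl, r.action
    group, acl = GROUP_POLICY[DEFAULT_TOKEN]
    return DEFAULT_TOKEN, group, acl, "no rule matched"


# Constructed rule set: the enterprise policy allows zero violations for full access
RULES = [
    Rule("win-compliant", "Windows", "2.0", 0, "Healthy"),
    Rule("win-minor", "Windows", "2.0", 2, "Quarantine", "notify user"),
]

if __name__ == "__main__":
    print(evaluate(RULES, PostureCredentials("Windows", "2.0", 0)))
    # A client still reporting the previous Policy_Version matches no rule,
    # so the ACS policy must be updated on every SCM policy change (1d).
    print(evaluate(RULES, PostureCredentials("Windows", "1.9", 0)))
```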

• NAD configuration deployment (1e)

The NAD should be a NAC-compliant hardware device with specific software that supports NAC. It has to be deployed at the appropriate network points. The NAD must be deployed with a NAC-related configuration.

Posture collection process (flow 2)

After the policy has been deployed in the various subsystems, the next step is to collect the posture compliance from the clients. This is the posture collection process:

• Posture collection (2a)

The policy that has been deployed to the clients in process 1c includes posture collectors that are responsible for determining the client's posture. The posture collector determines the client's posture status by comparing the required posture data value with the collected posture data. This data is stored in the posture cache.

• Violation count (2b)

The policy collector determines the number of violations. The number of violations and the policy collector version, which form the posture credentials, are passed on to the Cisco Trust Agent when it queries the Security Compliance Manager client. The policy collector passes the posture credentials to the Cisco Trust Agent using a posture plug-in.

Building a Network Access Control Solution with IBM Tivoli and Cisco Systems, page 58
