Ibm Tivoli and Cisco Manuel d'utilisateur Page 85
- Page / 516
- Table des matières
- MARQUE LIVRES
Noté. / 5. Basé sur avis des utilisateurs
Chapter 3. Component structure 67
3.4.2 Policy enforcement points
The IBM Integrated Security Solution for Cisco Networks employs the Cisco NAC
solution to restrict access to users depending on the compliance level of the
client. The NAC solution requires network access devices (NAD) to be deployed
at various network points to enforce the policy. Some of the widely used network
topologies and possible policy enforcement points are discussed here.
Branch office compliance
Most medium and large networks have regional and branch offices. Routers are
usually deployed at both ends (for example, at the headquarters and the branch
office). Hence there are two locations at which policy enforcement can be
achieved at the branch router or at the headquarter router. In addition, if the
branch office has a NAC-capable switch, the NAC policy enforcement can be
implemented on the switch.
Branch egress enforcement
Regional and branch offices can have the policy enforcement point deployed at
their location before they connect to the central data center at the branch routers
itself (Figure 3-10).
Figure 3-10 Branch egress enforcement
Internet
AAA
AAA
AAA
Regional
Offices
Remote
Offices
Remote
Offices
AAA
Private
WAN
Remote Office
Branch Office Compliance
(Branch egress Enforcement)
Corporate
Headquarters
Data Center
Posture Enforcement
Points
Router
AAA
AAA
Server
Remote
Offices
- Building a Network 1
- Access Control Solution 1
- IBM Tivoli and Cisco Systems 3
- January 2007 3
- Second Edition (January 2007) 4
- “Notices” on page vii 4
- Contents 5
- Contents v 7
- Trademarks 10
- Network 11
- Admission Control 11
- Preface xi 13
- Become a published author 14
- Comments welcome 15
- Summary of changes 17
- Architecture 19
- Business context 21
- IBM Integrated 22
- Cisco Self-Defending Network 23
- Endpoint 23
- Compliance & Remediation 23
- 1.7 Conclusion 28
- Architecting the solution 31
- 2.1.1 Architecture overview 32
- Network Admission Control 33
- Security Compliance Manager 35
- Tivoli Configuration Manager 37
- Security policy 37
- Compliance query 37
- Compliance User Interface 38
- Remediation handler 38
- Quarantined 39
- Cisco NAC and IEEE 802.1x 40
- Using Cisco terminology 41
- Posture agent 42
- Network identity provisioning 42
- Remediation process 43
- Internet 45
- 2.3 Design process 46
- Creation 49
- Implementation 49
- 2.3.3 Solution objectives 50
- Default network 51
- Quarantine access 52
- Trusted network 52
- Performance controls 52
- 2.4 Implementation flow 53
- 2.6 Conclusion 55
- Component structure 57
- 3.1 Logical components 58
- Posture validation server 59
- Figure 3-2 ACS architecture 60
- Policy enforcement device 61
- Admission control client 61
- 3.1.2 Compliance 64
- Compliance client 66
- Posture collector 67
- 3.1.3 Remediation 69
- 3.2 Physical components 70
- Network access device 72
- Network Access Profiles 76
- Remediation (flow 4) 79
- 3.3.1 Secure communication 80
- 3.4 Component placement 81
- Figure 3-8 Security zones 82
- Controlled zone - intranet 84
- Other networks 84
- Branch office compliance 85
- Campus internal enforcement 86
- Branch Office Compliance 87
- (Campus Ingress Enforcement) 87
- SOHO Compliance 88
- (PAT access protection) 88
- Extranet compliance 89
- Lab compliance 90
- Data Center protection 91
- 3.5 Conclusion 92
- Customer 93
- Armando Banking Brothers 95
- Corporation 95
- 4.1 Company profile 96
- 4.2 Current IT architecture 97
- Uncontrolled zone - Internet 98
- Controlled zone - DMZ 98
- Controlled intranet 98
- Production network 98
- NAC Framework 98
- NAC Appliance 100
- Firewall 104
- Project overview 106
- 4.4 Conclusion 109
- Solution design 111
- 5.1 Business requirements 113
- 5.2 Functional requirements 114
- Remediation 117
- Production 117
- Compliance 117
- Security compliance criteria 118
- Remediation services 118
- 5.3.1 Logical components 120
- Enforcing compliance criteria 127
- Posture token 128
- Healthy indicates that the 132
- Performing remediation 133
- 5.3.2 Physical components 134
- Compliance subsystem 135
- Access Control Server 136
- NAC-enabled network device 138
- Layer 2 devices 138
- Layer 3 devices 138
- Cisco Trust Agent 139
- Remediation subsystem 140
- Software Package Web Server 140
- 5.4 Conclusion 141
- Figure 6-11, click Next 155
- English and click Next 159
- 6.2.1 Posture collectors 171
- 6.2.2 Policy collector 172
- Figure 6-34, click Next 177
- Figure 6-37 Policies view 180
- Rule operators 192
- Rule results 193
- Rule format 193
- TCMCLI utility policy 207
- 6.3.1 Cisco Trust Agent 208
- 6. Click Next (Figure 6-66) 214
- (Figure 6-71) 219
- 6.4 Conclusion 230
- Network enforcement 231
- Installing Cisco Secure ACS 233
- Configuring logging 244
- client 247
- Figure 7-16 AAA clients 251
- Figure 7-18 AAA Clients 253
- Configuring RADIUS attributes 254
- Configuring groups 255
- Figure 7-21 Group Setup 256
- Configuring users 257
- Internal Database 258
- Global authentication setup 259
- (Figure 7-24 on page 241) 260
- 6. Click Submit + Restart 261
- To do this: 262
- Token (APT) of 268
- Figure 7-33 on page 251 268
- (Figure 7-33) 269
- Figure 7-35 271
- 12.Click Done 271
- 27.Click Done (Figure 7-44) 280
- Allow any Protocol 289
- Grant access 290
- NAC_IISSCN_Posture_Profile 292
- Healthy PA message: 294
- 24.Click Submit 300
- External User Database 301
- Unknown user policy 301
- Clientless user 301
- Figure 7-64 Naming of ACL 303
- 7. Click Submit 304
- Figure 7-66 Binding the ACL 305
- Router# 321
- 7.2.1 Installing CCA Agent 322
- The steps are: 325
- (Figure 7-77) 327
- Figure 7-82 Managed subnets 332
- Configure default login page 333
- Configuring a Switch Group 334
- 3. Click Add 335
- Configuring a switch profile 337
- Configuring Port Profile 338
- Configuring SNMP receiver 341
- Adding a managed switch 342
- IP Address box, and a 343
- Figure 7-94 Managed switch 344
- Defining user roles 345
- Creating traffic policies 347
- Access to TCM 349
- Creating local users 350
- Configure Clean Access Agent 352
- Figure 7-106 New rule 356
- Validity 358
- Figure 7-109 Requirements 359
- 26.Click Update 363
- Discovered clients 364
- Logging on as a client 365
- Continue 367
- 7.3 Conclusion 372
- 8.2.1 Prerequisites 376
- Figure 8-16 Welcome window 394
- is False) and click Next 401
- IISSCN Extension Pack2 for 404
- 8.3.1 Locating HTML 416
- Base HTML 418
- Posture item HTML 418
- HTML pages example 419
- Posture element HTML 420
- The wfattribute tag 421
- The field Tag 421
- The remattribute tag 422
- 8.3.3 Debug attributes 424
- Logging posture items 425
- Logging the HTML search path 426
- TCRNavScan workflow 436
- TCRNavVirusDefUpdate 441
- TCRNavSoftwareInstalled 443
- TCRMSPatchesInstallWinXP 444
- HotfixId 446
- TCRZLSoftwareInstalled 450
- TCRZLSoftwareRunning 452
- TCRMessengerDisabled 453
- 8.5 Conclusion 455
- Appendixes 457
- Hints and tips 459
- Deployment overview 460
- Top-level sequence of events 462
- Cisco NAC sequence of events 465
- Fault isolation 466
- SCM Push Client 468
- Tools and tricks 469
- Cisco IOS Software router 470
- Cisco IOS Software switch 470
- Cisco Secure ACS server 471
- NAC Appliance details 473
- In-band versus out-of-band 474
- NAC Appliance integration 475
- Integration design 476
- NAC Appliance Agent 477
- TSCMAgent.bat 478
- NACApplianceCompliance.entry 478
- Policy collector 478
- Scheduler 479
- System path 481
- Scheduler.bat 481
- NAC Appliance Manager 482
- State mapping and scenarios 483
- Conclusion 488
- Executive summary 490
- The benefit of NAC 490
- NAC implementation options 492
- The NAC Appliance 493
- NAC Framework solution 494
- Investment protection 494
- The next steps 496
- NAC technology 496
- NAC Framework components 497
- Additional material 499
- Using the Web material 500
- Related publications 501
- Online resources 502
- How to get IBM Redbooks 502
- Help from IBM 503
- Numerics 505
Produits connexes et manuels pour Matériel Ibm Tivoli and Cisco
Matériel Ibm SY27-0345-06 Manuel d'utilisateur
(148 pages)
(148 pages)
Matériel Ibm 19K4206PT1 Manuel d'utilisateur
(10 pages)
(10 pages)
Matériel Ibm 22P6972 Manuel d'utilisateur
(46 pages)
(46 pages)
Matériel Ibm B50 Manuel d'utilisateur
(198 pages)
(198 pages)
Matériel Ibm 22P6959 Manuel d'utilisateur
(50 pages)
(50 pages)
Matériel Ibm Ultra320 Manuel d'utilisateur
(54 pages)
(54 pages)
Matériel Ibm 09-0572-000 Manuel d'utilisateur
(101 pages)
(101 pages)
Matériel Ibm EP-8KTA Manuel d'utilisateur
(73 pages)
(73 pages)
Matériel Ibm 28L2234 Manuel d'utilisateur
(66 pages)
(66 pages)
Matériel Ibm 71P7285 Manuel d'utilisateur
(77 pages)
(77 pages)
Matériel Ibm CFC2 Manuel d'utilisateur
(154 pages)
(154 pages)
Matériel Ibm 2292 Manuel d'utilisateur
(230 pages)
(230 pages)
© 2020, manymanuals.fr. Tous droits réservés | 0.066 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Commentaires sur ces manuels