36 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
particular security compliance concept is aimed at validating client access to the corporate network, so it is mandatory that the system is available at all times. As mentioned in Chapter 1, “Business context” on page 3, this concept can be deployed in stages, first targeting the most vulnerable user group (such as WLAN users) or a branch office that may have a security exposure, and then being deployed across the whole enterprise. This concept is flexible, can be implemented with the minimum required equipment, and can be scaled up to become a highly available solution as business demands.
If an existing infrastructure already has all of the required components for Cisco Network Admission Control in place, only a Tivoli Security Compliance Manager server and clients need to be deployed. This both protects the investment and provides an avenue to obtain additional benefits from the existing infrastructure. Similarly, if a Tivoli Security Compliance Manager server has already been deployed for server compliance control, it is easier to use the existing Security Compliance Manager server and extend this concept to desktop workstations.
It is recommended that when this concept is deployed enterprise-wide, adequate redundancy for the individual components is put in place. For example, a NAC-enabled Cisco router (Network Access Device) is paired with a secondary router in a redundant pair using Hot Standby Router Protocol (HSRP), and Cisco Secure Access Control Servers are configured as a redundant pair in Active-Active or Active-Standby mode. These devices and applications are explained in more detail in 3.1, “Logical components” on page 40.
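The following Cisco IOS configuration fragment is an added illustration of the redundancy just described; it is not taken from the Redbook or from any Cisco or IBM reference configuration. It shows the Network Access Device side of the design: two routers share one HSRP virtual gateway address so that clients keep the same default gateway when the primary router fails, and each router lists both Cisco Secure ACS servers as RADIUS hosts so that posture validation continues when one ACS is unavailable. All host names, IP addresses, interface names, the admission rule name and the RADIUS shared secret are placeholders chosen for the example.

```cisco
! Added example, not from the Redbook. Primary router of the HSRP pair.
! Addresses, names and <RADIUS-SECRET> are placeholders.
hostname NAD-Router-1
!
aaa new-model
! Both ACS servers of the redundant pair; the router marks a server dead after
! failed retransmits and falls back to the other one for the deadtime period.
radius-server host 10.0.1.10 auth-port 1645 acct-port 1646 key <RADIUS-SECRET>
radius-server host 10.0.1.11 auth-port 1645 acct-port 1646 key <RADIUS-SECRET>
radius-server retransmit 3
radius-server deadtime 5
! NAC posture validation (EAP over UDP) is authenticated against the RADIUS group.
aaa authentication eou default group radius
!
! Admission rule applied on the client-facing interface.
ip admission name NAC-L3 eapoudp
!
interface FastEthernet0/0
 description Client LAN, HSRP group 1 (primary)
 ip address 10.0.0.2 255.255.255.0
 ! Virtual gateway address the NAC clients use as their default gateway.
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 ip admission NAC-L3
!
! --------------------------------------------------------------------------
! Secondary router: identical AAA and admission configuration, lower HSRP
! priority so it takes over only when NAD-Router-1 stops sending hellos.
hostname NAD-Router-2
!
aaa new-model
radius-server host 10.0.1.10 auth-port 1645 acct-port 1646 key <RADIUS-SECRET>
radius-server host 10.0.1.11 auth-port 1645 acct-port 1646 key <RADIUS-SECRET>
radius-server retransmit 3
radius-server deadtime 5
aaa authentication eou default group radius
ip admission name NAC-L3 eapoudp
!
interface FastEthernet0/0
 description Client LAN, HSRP group 1 (standby)
 ip address 10.0.0.3 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 100
 standby 1 preempt
 ip admission NAC-L3
```

Two points matter for the availability goal stated above. First, the admission rule and the RADIUS server list must be identical on both routers, otherwise an HSRP failover silently changes how clients are validated. Second, the deadtime and retransmit values decide how long clients wait during an ACS outage before the router tries the second server; they should be tuned together with the ACS replication interval chosen for the Active-Active or Active-Standby pair.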
If an organization has already deployed a Cisco Secure ACS v3.3 server for TACACS+ use, the same server can be utilized for the IBM Integrated Security Solution for Cisco Networks concept, thus safeguarding the existing investment. The load generated by the size of your infrastructure may become an issue for your Cisco Secure ACS. The server requires an upgrade to Release 4.0 or later to support Layer 2 NAC.
Based on initial deployments, a single Security Compliance Manager Server V5.1 is capable of handling approximately 10,000 concurrent desktop clients. For the IBM Integrated Security Solution for Cisco Networks, the Security Compliance Manager server is not mission critical: it is required only for policy deployment and reporting.
For the manual remediation process, an existing infrastructure may be utilized for fixes and patches (such as a download or update server, which may be Web-based). Tivoli Provisioning Manager can be used to assist in automating the remediation process, taking advantage of its workflow capability.