Chapter 3. Component structure 67
3.4.2 Policy enforcement points
The IBM Integrated Security Solution for Cisco Networks employs the Cisco NAC
solution to restrict access to users depending on the compliance level of the
client. The NAC solution requires network access devices (NAD) to be deployed
at various network points to enforce the policy. Some of the widely used network
topologies and possible policy enforcement points are discussed here.
Branch office compliance
Most medium and large networks have regional and branch offices. Routers are
usually deployed at both ends (for example, at the headquarters and at the branch
office). Hence there are two locations at which policy enforcement can be
achieved: at the branch router or at the headquarters router. In addition, if the
branch office has a NAC-capable switch, NAC policy enforcement can be
implemented on the switch.
Branch egress enforcement
Regional and branch offices can have the policy enforcement point deployed at
their own location, on the branch router itself, so that posture is validated
before traffic leaves the branch for the central data center (Figure 3-10).
Figure 3-10 Branch egress enforcement
[Diagram: Regional Offices and Remote Offices connect over a Private WAN and the Internet to the Corporate Headquarters Data Center; a Router with a co-located AAA server at each branch is marked as a Posture Enforcement Point, labelled "Branch Office Compliance (Branch egress Enforcement)"; the AAA Server sits in the data center.]
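The following is an added configuration sketch, not taken from this book or from Cisco documentation, showing what branch egress enforcement looks like on the branch router in Cisco IOS NAC Framework (NAC-L3-IP) terms: posture validation is triggered on the LAN-facing interface, and the AAA (Cisco Secure ACS) server decides what each host may send toward the data center. Interface names, addresses, the RADIUS key and the prefix 10.0.0.0/8 are placeholders; the command syntax follows the IOS NAC Framework as the editor recalls it and should be checked against the IOS release in use.

```cisco
! Added example (not from the book): Cisco IOS NAC-L3-IP admission control
! on a branch router, making the branch the posture enforcement point.
aaa new-model
! Posture validation (EAP over UDP) and network authorization both go to
! the AAA server shown in Figure 3-10.
aaa authentication eou default group radius
aaa authorization network default group radius
!
! Placeholder AAA server address and shared secret.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER_KEY
!
! Log EAPoUDP posture events to syslog so a security operations team can
! see which hosts were quarantined and why.
eou logging
!
! Interception ACL: only traffic bound for the data center prefix
! (placeholder 10.0.0.0/8) triggers a posture check; local branch traffic
! is not interrupted.
ip access-list extended NAC-INTERCEPT
 permit ip any 10.0.0.0 0.255.255.255
!
! Admission rule: hosts matching the interception ACL must pass EAPoUDP
! posture validation before their data-center traffic is forwarded.
ip admission name NAC-EGRESS eapoudp list NAC-INTERCEPT
!
interface FastEthernet0/0
 description branch LAN, posture checked here before WAN egress
 ip address 192.168.10.1 255.255.255.0
 ip admission NAC-EGRESS
!
interface Serial0/0
 description private WAN link toward the corporate headquarters data center
 ip address 192.0.2.2 255.255.255.252
```

Hosts that fail validation are limited by the per-host access list the AAA server returns, so non-compliant machines are contained at the branch instead of at the headquarters router.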