IBM Tivoli and Cisco User Manual


Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
Covering Cisco Network Admission Control Framework and Appliance
Automated remediation of noncompliant workstations
Advanced security compliance notification
ibm.com/redbooks
Axel Buecker
Richard Abdullah
Mike Dougherty
Wlodzimierz Dymaczewski
Vahid Mehr
Frank Yeh
International Technical Support Organization
Building a Network Access Control Solution with IBM Tivoli and Cisco Systems
January 2007
SG24-6678-01
Note: Before using this information and the product it supports, read the information in “Notices” on page vii.
Second Edition (January 2007)
This edition applies to Tivoli Security Compliance Manager V5.1, Tivoli Configuration Manager V4.2.3, and Cisco Secure ACS V4.0.
© Copyright International Business Machines Corporation 2005, 2007. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
The team that wrote this redbook. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Summary of changes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
January 2007, Second Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Part 1. Architecture and design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1. Business context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 The security compliance and remediation concept . . . . . . . . . . . . . . . . . . . 4
1.2 Why we need this . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Does this concept help our mobile users . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4 Corporate security policy defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.5 Business driver for corporate security compliance . . . . . . . . . . . . . . . . . . . 8
1.6 Achievable benefits for being compliant . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.7 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Chapter 2. Architecting the solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.1 Solution architectures, design, and methodologies . . . . . . . . . . . . . . . . . . 14
2.1.1 Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.1.2 Architectural terminology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2 Definition of a Network Admission Control project . . . . . . . . . . . . . . . . . . 26
2.2.1 Phased rollout approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.3 Design process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.3.1 Security compliance management business process . . . . . . . . . . . . 28
2.3.2 Security policy life cycle management . . . . . . . . . . . . . . . . . . . . . . . 30
2.3.3 Solution objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.3.4 Network design discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.4 Implementation flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.5 Scalability and high availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.6 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Chapter 3. Component structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.1 Logical components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.1.1 Network Admission Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.1.2 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.1.3 Remediation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.2 Physical components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.2.1 Network client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.2.2 Network access infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.2.3 IBM Integrated Security Solution for Cisco Networks servers. . . . . . 54
3.3 Solution data and communication flow . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.3.1 Secure communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.4 Component placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.4.1 Security zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.4.2 Policy enforcement points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.5 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Part 2. Customer environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Chapter 4. Armando Banking Brothers Corporation . . . . . . . . . . . . . . . . . 77
4.1 Company profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
4.2 Current IT architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.2.1 Network infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.2.2 IBM Integrated Security Solution for Cisco Networks lab . . . . . . . . . 80
4.2.3 Application security infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.2.4 Middleware and application infrastructure. . . . . . . . . . . . . . . . . . . . . 86
4.3 Corporate business vision and objectives . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.3.1 Project layout and implementation phases . . . . . . . . . . . . . . . . . . . . 87
4.4 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Chapter 5. Solution design. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
5.1 Business requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
5.2 Functional requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
5.2.1 Security compliance requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 96
5.2.2 Network access control requirements . . . . . . . . . . . . . . . . . . . . . . . . 96
5.2.3 Remediation requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.2.4 Solution functional requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.3 Implementation architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5.3.1 Logical components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.3.2 Physical components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.4 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Chapter 6. Compliance subsystem implementation . . . . . . . . . . . . . . . . 125
6.1 Tivoli Security Compliance Manager setup . . . . . . . . . . . . . . . . . . . . . . . 126
6.1.1 Installation of DB2 database server . . . . . . . . . . . . . . . . . . . . . . . . 126
6.1.2 Installation of Tivoli Security Compliance Manager server . . . . . . . 140
6.2 Configuration of the compliance policies. . . . . . . . . . . . . . . . . . . . . . . . . 152
6.2.1 Posture collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
6.2.2 Policy collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
6.2.3 Installation of posture collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
6.2.4 Customization of compliance policies . . . . . . . . . . . . . . . . . . . . . . . 161
6.2.5 Assigning the policy to the clients . . . . . . . . . . . . . . . . . . . . . . . . . . 186
6.3 Deploying the client software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
6.3.1 Cisco Trust Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
6.3.2 IBM Tivoli Security Compliance Manager client . . . . . . . . . . . . . . . 199
6.4 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Chapter 7. Network enforcement subsystem implementation . . . . . . . . 213
7.1 Configuring NAC Framework components . . . . . . . . . . . . . . . . . . . . . . . 214
7.1.1 Configuring the Cisco Secure ACS for NAC L2 802.1x . . . . . . . . . 214
7.1.2 Configuring the Cisco Secure ACS for NAC L2/L3 IP. . . . . . . . . . . 283
7.1.3 Deployment of the network infrastructure . . . . . . . . . . . . . . . . . . . . 291
7.2 Configuring NAC Appliance components . . . . . . . . . . . . . . . . . . . . . . . . 303
7.2.1 Installing CCA Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
7.2.2 Configuring a CCA OOB VG server . . . . . . . . . . . . . . . . . . . . . . . . 306
7.2.3 Deployment of the network infrastructure . . . . . . . . . . . . . . . . . . . . 352
7.3 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Chapter 8. Remediation subsystem implementation. . . . . . . . . . . . . . . . 355
8.1 Automated remediation enablement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
8.2 Remediation server software setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
8.2.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
8.2.2 Tivoli Configuration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
8.2.3 Configuration of the remediation server . . . . . . . . . . . . . . . . . . . . . 385
8.2.4 Installation of the Software Package Utilities . . . . . . . . . . . . . . . . . 394
8.3 Creating remediation instructions for the users . . . . . . . . . . . . . . . . . . . . 397
8.3.1 Locating HTML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
8.3.2 Variables and variable tags. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
8.3.3 Debug attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
8.3.4 Creating HTML pages for ABBC policy. . . . . . . . . . . . . . . . . . . . . . 409
8.4 Building the remediation workflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
8.4.1 Modification of the remediation packages . . . . . . . . . . . . . . . . . . . . 436
8.5 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Part 3. Appendixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Appendix A. Hints and tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Deployment overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Top-level sequence of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Security Compliance Manager and NAC compliance subsystem . . . . . . . . . 446
Cisco NAC sequence of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Fault isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Security Compliance Manager server and client . . . . . . . . . . . . . . . . . . . . . . 450
Communication port usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Tools and tricks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Cisco NAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Tools and tricks for the client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
NAC Appliance details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
NAC Appliance integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Appendix B. Network Admission Control . . . . . . . . . . . . . . . . . . . . . . . . . 471
Executive summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
The benefit of NAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Dramatically improve network security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
NAC implementation options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
The NAC Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
NAC Framework solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Investment protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Planning, designing, and deploying an effective NAC solution . . . . . . . . . . . 477
The next steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
NAC technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
NAC Appliance components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
NAC Framework components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Appendix C. Additional material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Locating the Web material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Using the Web material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
How to use the Web material . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
IBM Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Other publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Online resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
How to get IBM Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Help from IBM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

Notices

This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information about the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
Access360®, AIX®, DB2®, DB2 Universal Database™, developerWorks®, IBM®, ibm.com®, NetView®, PartnerWorld®, Redbooks™, Redbooks (logo)™, Tivoli®, WebSphere®
The following terms are trademarks of other companies:
Cisco, Cisco Systems, Cisco IOS, PIX, and Catalyst are trademarks of Cisco Systems, Inc. in the United States, other countries, or both.
Java, JVM, J2EE, Solaris, Sun, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Active Directory, Expression, Internet Explorer, Microsoft, Visual Basic, Windows NT, Windows Server, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Pentium, Intel logo, Intel Inside logo, and Intel Centrino logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks of others.

Preface

In February of 2004, IBM® announced that it would be joining Cisco's Network Admission Control (NAC) program. In December of 2004, IBM released its first offering for the Cisco NAC program in the form of the IBM Tivoli® compliance and remediation solution. In June of 2005 the first edition of this IBM Redbook was published.
A number of subsequent updates from Cisco have changed the dynamics of the Network Access Control market and have led to significant changes by IBM to our compliance and remediation solution. Foremost among these new developments are the release of Cisco's Phase 2 Network Admission Control architecture, the addition of the NAC Appliance to Cisco's offerings, and the addition of Tivoli Configuration Manager as a remediation component of the overall solution.
While this second edition addresses these changes, the fundamental concept and business value of the solution remain relatively constant and are preserved with minimal changes from the first edition. In contrast, the technical and implementation details have changed significantly and are of great interest to those who have read the first edition.
It is important to realize what the compliance and remediation solution is. It is not a one-size-fits-all product that will work out of the box for customers. It is an integrated solution composed of three products that are very powerful in their own right. As such, there is no individual product manual that can properly capture all of the techniques and practices that must be developed in order to deploy this solution properly.
A typical product manual is analogous to an automobile owner's manual in that it tells you a wealth of information about your product but does not tell you how to apply it in practice, just as an automobile owner's manual does not teach you how to drive or how to navigate. This redbook serves as a high-level guide for designing and deploying the solution in various business scenarios. It teaches you how to drive and navigate the compliance and remediation solution.
Note that the IBM Integrated Security Solution for Cisco Networks, referenced numerous times in this book, is a portfolio of solutions that also includes Tivoli's identity management solution for Cisco network access. This book does not address the identity-based solution, so any reference to the IBM Integrated Security Solution for Cisco Networks in this book actually refers to the compliance and remediation parts of the solution.

The team that wrote this redbook

This redbook was produced by a team of specialists from around the world working for the International Technical Support Organization, Austin Center. The project was executed at the Cisco headquarters in San Jose.
Figure 1 Top, left to right: Frank, Axel, Vahid, and Mike. Bottom, left to right: Vlodek, Markus, and Rich.
Axel Buecker is a Certified Consulting Software IT Specialist at the International Technical Support Organization, Austin Center. He writes extensively and teaches IBM classes worldwide in Software Security Architecture and Network Computing Technologies. He holds a degree in Computer Science from the University of Bremen, Germany. He has 20 years of experience in a variety of areas related to Workstation and Systems Management, Network Computing, and e-business Solutions. Before joining the ITSO in March 2000, Axel worked for IBM in Germany as a Senior IT Specialist in Software Security Architecture.
Richard Abdullah is a Consulting Engineer with Cisco Systems Strategic Alliances. Prior to joining Cisco Systems in 2001, he worked in technical capacities within various service providers. He has spent 19 years in the IT industry focusing on networking and most recently on network security solutions. He holds a BSEE degree from the University of Michigan, Dearborn.
Markus Belkin is a Network Architect with IBM Australia. He has worked in the IT industry for 10 years and works predominantly with Cisco technologies. He specializes in routing and switching, security, and optical technologies. He has an MCP, MCSE, CCNA, CCDA, CCNP, and CCDP and is currently working towards his Routing and Switching CCIE.
Mike Dougherty is a Consulting Engineer at Cisco Systems, Inc. in San Jose, California. He has worked in the industry for 16 years supporting Cisco networking equipment ranging from routers and switches to security and unified communication solutions. He obtained his CCIE in Routing and Switching in 1996 and is currently working on his CCIE in Security. Mike is a technical consultant working in Strategic Alliances under the business development umbrella at Cisco Systems, Inc.
Wlodzimierz Dymaczewski is an IBM Certified Senior IT Specialist with IBM Software Group in Poland. Before joining the Tivoli Technical Sales team in 2002 he worked for four years in IBM Global Services where he was a technical leader for several Tivoli deployment projects. He has almost 13 years of experience in systems management, recently specializing in security. He holds a degree in Computer Science from the Poznan Technical University, Poland. Vlodek is a Certified Deployment Professional for Security Compliance Manager 5.1 and Risk Manager 4.1 as well as for some Tivoli automation products (TEC, NetView®, and Monitoring).
Vahid Mehr is a Consulting Engineer with Cisco Systems Strategic Alliances working on joint architectural solutions with IBM. In his more than 13 years of experience with Cisco he has been in various customer consulting and alliance development roles. Prior to this, he was a Software Engineer working on object-oriented programming. He has a BSEE from the University of Colorado and resides in San Ramon, California.
Frank Yeh is a member of the IBM Corporate Security Strategy Team who works in Costa Mesa, California. He has more than 25 years of computing experience in a variety of functions including Operations, Support, MIS, Development, Sales, and Business Development. Prior to joining IBM, Frank served as the Strategic Architect for Access360®, a pioneer in the Identity Management space that was acquired by IBM in October 2002. He holds a degree in Economics from the University of California, Los Angeles.
Thanks to the following people for their contributions to this project:
Cheryl Gera, Erica Wazewski, Lorinda Schwarz, Julie Czubik
International Technical Support Organization, Poughkeepsie Center
Wing Leung, Alex Rodriguez
IBM US
Tadeusz Treit, Bogusz Piotrowski, Anna Iskra
IBM Poland
Cindra Ford, Zary Stahl, Nick Chong, Prem Ananthakrishnan, Brendan O'Connell, Irene Sandler, Raju Srirajavatchavai, Alok Agrawal, Marcia Hanson
Cisco Systems Inc.
Thanks to the following people for working on the first edition of this book:
Wlodzimierz Dymaczewski, Jeffery Paul, John Giammanco, Harish Rajagopal, Hideki Katagiri
Additional support:
Tom Ballard, Sam Yang, Mike Garrison, Max Rodriguez, Don Cronin, Michael Steiner, Jeanette Fetzer, Sean Brain, Sean McDonald
IBM US
Phil Billin
IBM UK
Richard Abdullah, Mike Steinkoenig, Denise Helfrich, Laura Kuiper, Cindra Ford, Vahid Mehr
Cisco Systems, Inc.

Become a published author

Join us for a two- to six-week residency program! Help write an IBM Redbook dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You’ll team with IBM technical professionals, IBM Business Partners, and/or customers.
Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you’ll develop a network of contacts in IBM development labs, and increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us!
We want our Redbooks™ to be as helpful as possible. Send us your comments about this or other Redbooks in one of the following ways:
- Use the online Contact us review redbook form found at:
ibm.com/redbooks
- Send your comments in an e-mail to:
redbook@us.ibm.com
- Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400

Summary of changes

This section describes the technical changes made in this edition of the book and in previous editions. This edition may also include minor corrections and editorial changes that are not identified.
Summary of Changes for SG24-6678-01 for Building a Network Access Control Solution with IBM Tivoli and Cisco Systems as created or updated on January 16, 2007.

January 2007, Second Edition

This revision reflects the addition, deletion, or modification of new and changed information described below.
New information
- The Cisco Network Admission Control Appliance has been added to the network access control solution.
- The IBM Tivoli Configuration Manager has been added to the remediation solution. It replaces the IBM Tivoli Provisioning Manager product.
Changed information
- A new release of IBM Tivoli Security Compliance Manager is being used within the security compliance solution.
Part 1. Architecture and design
In this part we discuss the overall business context of the IBM Integrated Security Solution for Cisco Networks. We then describe how to technically architect the overall solution into an existing environment, and introduce the logical and physical components on both the IBM Tivoli and Cisco side.

Chapter 1. Business context

Information Technology (IT) security is a vital component of business success and is very important in e-business security and security for on demand services. As the Internet increasingly becomes an effective means to conduct business, the challenge of protecting IT infrastructures from intruders and malicious attacks increases as well. When an IT resource (server, workstation, printer, and so on) is connected to a network, it becomes a target for a persistent hacker. Corporate networks are constantly under attack by intruders seeking access for their personal gain. In a world where everyone relies on the Internet, it is not difficult for an intruder to find the tools on the Web to assist in breaking into an enterprise network. To overcome this immense threat faced by many organizations, a corporation must identify every user accessing its network and allow access only to authorized users who are identified and meet corporate compliance criteria.
Every time an intruder successfully breaks into a corporate network or infects computers with a virus or malicious code, it can cause damage that may result in substantial financial loss (loss of revenue) to the businesses involved.
Enterprises must defend their IT infrastructure continuously and keep themselves protected from intruders. One infected server or workstation can potentially bring the whole corporate network to its knees if it does not comply with corporate security policies.
Personal computer workstations are used in the office, at home, or at a remote client location. Telecommuters must use mobile PC workstations to meet customer expectations and provide quicker response to queries, quotes, and information.
In this book, we introduce a new concept: a comprehensive integrated security solution jointly developed by IBM and Cisco Systems, trusted leaders in this arena for many years who have established enviable synergy in the industry. This solution is based on the IBM Enterprise Class Autonomic Computing Model and the Cisco Self-Defending Network. This new concept provides an integrated security model that can help an organization protect its reputation by enabling its network to self-defend. It also enables corporations to proactively secure their IT infrastructure and protect against loss of productivity, loss of revenue, and the constant battle of escalation due to noncompliance. Every time an auditor finds an IT resource that is noncompliant, it costs the enterprise a lot of money to fix (a reactive measure) and to regain compliance, which leads to loss of productivity. Security auditors can even shut down a mission-critical server or deny access to users if it is found to be vulnerable due to noncompliance.
The solution discussed in this book addresses corporations’ security concerns by validating users against a centrally predefined policy before granting them access to the network. It also provides a path for an automated remediation process to fix noncompliant workstations quickly (improved productivity).
This solution can be deployed in stages by first targeting the most vulnerable user community, such as wireless local area network (WLAN) users or a branch office that is less secure, and then expanding the deployment enterprise-wide. This concept replaces the human-intensive process that is involved in fixing infected workstations that do not have antivirus software or the latest antivirus signature, and so on. This concept further helps customers to act proactively in defending their network by denying access to unauthorized users.

1.1 The security compliance and remediation concept

IBM and Cisco are working together on this new concept that offers a solution to companies to defend their network. This solution is called the IBM Integrated Security Solution for Cisco Networks. The integration of IBM Tivoli Security Compliance Manager (SCM) and Cisco Network Admission Control (NAC) in this solution can assist you in safeguarding your IT resources and enforces security compliance for users. The IBM Integrated Security Solution for Cisco Networks is the first of its kind in the industry to provide a full-cycle self-defending and automated remediation mechanism for corporate networks. Both Security Compliance Manager and NAC are independent solutions. Combined, they complement each other and can provide the best self-defending and compliance concept that can protect all networks in this era. This IBM and Cisco integration, depicted in an overview in Figure 1-1, is a true enabler for the on demand self-defending and security compliance strategy.
Figure 1-1 IBM and Cisco integration strategy (figure not reproduced; panels: Identity & Access Management: identifies and manages user profiles, device characteristics as part of the access decision; Cisco Self-Defending Network: identifies, prevents and adapts to threats, limits damage from viruses and worms, delivers new system-level threat defense and identity management capabilities; Compliance & Remediation: infection identification, containment, and remediation, policy enforcement; Endpoint: protected client, trusted identity, protected servers)
IBM Security Compliance Manager and Cisco Network Admission Control can help the corporate protect networks by identifying every client and denying access to the ones who are not identified. Further integrating Security Compliance Manager and NAC with the IBM Tivoli Identity Management suite can help corporations keep authorized users compliant with corporate security through central management of user profiles and policy enforcement.

1.2 Why we need this

Computer virus outbreaks create a dreadful situation for corporate CIOs, who must regard proactive protection against viruses as a constant task. The IBM Integrated Security Solution for Cisco Networks provides in-depth defense by ensuring that authorized users are kept compliant with corporate security policies and by denying access to users who are noncompliant. With the integration of Tivoli Configuration Manager, the solution can provide a path to an automated remediation process to help noncompliant users get their workstations compliant again, which can result in improved productivity.
It has become mandatory for businesses to comply with regulatory guidelines such as the Gramm-Leach-Bliley Act (GLBA; also known as the Financial Services Modernization Act), the Sarbanes-Oxley Act (SOX), and the Health Insurance Portability and Accountability Act (HIPAA). More guidelines may emerge over time.
The Gramm-Leach-Bliley Act has provisions to protect consumer information held by financial institutions. This act provides the authority for federal agencies to enforce and administer the Financial Privacy Rule and the Safeguards Rule.
Any company with stock that is publicly traded in the United States must comply with the Sarbanes-Oxley Act, regardless of whether the company’s headquarters is located in the U.S. This compliance requirement was enacted to protect individual investors, and corporations are required by law to provide truthful financial statements. All public financial statements released by corporations are subjected to intense scrutiny by regulatory authorities. Hence this legislation mandates that every corporation maintain the integrity of its own data and provide the same level of protection to the data it cares for.
Note: More information about the Gramm-Leach-Bliley Act (GLBA) can be found at:
http://banking.senate.gov/conf/
More information about the Sarbanes-Oxley Act (SOX) can be found at:
http://www.sarbanes-oxley.com
More information about the Health Insurance Portability and Accountability Act (HIPAA) can be found at:
http://www.cms.hhs.gov/hipaa
These laws are applicable for organizations in the United States of America. Similar regulations may be enforced by government regulators of other countries. Customers should consult their relevant government regulatory bodies to learn more about the applicable laws in their respective countries.
Note: Customers are responsible for ensuring their own compliance with various laws such as the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, and the Health Insurance Portability and Accountability Act. It is the customer’s sole responsibility to obtain the advice of competent legal counsel regarding the identification and interpretation of any relevant laws that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal, accounting, or auditing advice, or represent or warrant that its products or services ensure that the customer is in compliance with any law.
The IBM Integrated Security Solution for Cisco Networks checks every client’s workstation against predefined policies when it attempts to connect to the corporate local area network (LAN). For example, it can examine whether the workstation has the latest antivirus signature installed, whether a desktop firewall is running, whether the password length is correct, and so on. When a noncompliant client is detected, the IBM Integrated Security Solution for Cisco Networks quarantines the client by denying access to the corporate LAN and directing that workstation either to automatically download the latest antivirus signature or to provide information about why the workstation is noncompliant. This gives the user the opportunity either to manually download the required updates from the remediation LAN or to choose a path to automatic remediation using IBM Tivoli Configuration Manager.
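As an added illustration (not the Redbook's own material, nor code from Tivoli SCM, Tivoli Configuration Manager or Cisco NAC), the admission decision just described expressed as a small policy evaluator in Python: the posture fields, policy thresholds and the split between automated and manual remediation are assumptions made for this example.

```python
"""Constructed example of a compliance check and quarantine decision.

The checks mirror the ones named in the text (antivirus signature age,
desktop firewall, password length). Policy values are data, so a new rule
can be added without touching the evaluation logic.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Posture:
    """Constructed endpoint posture report (field names are assumptions)."""
    host: str
    av_signature_date: date
    firewall_running: bool
    min_password_length: int


@dataclass
class Finding:
    check: str
    detail: str
    auto_remediable: bool  # True: a configuration manager can push the fix


@dataclass
class Decision:
    verdict: str  # "ACCESS" or "QUARANTINE"
    findings: list = field(default_factory=list)


# Assumed policy thresholds for this example.
POLICY = {"max_signature_age_days": 7, "min_password_length": 8}


def evaluate(p: Posture, today: date, policy: dict = POLICY) -> Decision:
    """Return ACCESS when every check passes, otherwise QUARANTINE with findings."""
    findings = []
    age = (today - p.av_signature_date).days
    if age > policy["max_signature_age_days"]:
        findings.append(Finding("antivirus", f"signature is {age} days old", True))
    if not p.firewall_running:
        findings.append(Finding("firewall", "desktop firewall not running", True))
    if p.min_password_length < policy["min_password_length"]:
        findings.append(Finding(
            "password",
            f"minimum length {p.min_password_length} < {policy['min_password_length']}",
            False))  # a policy setting the user must fix, not a package to push
    return Decision("QUARANTINE" if findings else "ACCESS", findings)


def remediation_plan(d: Decision) -> tuple:
    """Split findings into automated fixes and steps left to the user."""
    auto = [f.check for f in d.findings if f.auto_remediable]
    manual = [f.check for f in d.findings if not f.auto_remediable]
    return auto, manual
```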

1.3 Does this concept help our mobile users

The IBM Integrated Security Solution for Cisco Networks by default denies access to the corporate LAN for all noncompliant users and keeps them at bay. Enforcing this policy requires every telecommuter’s computer to be compliant before it is granted access to the corporate LAN.
Corporations must allow external partners and contractors to have access to limited IT resources as well. Most businesses are looking for ways to remotely connect to their corporate LAN using a secure virtual private network (VPN) connection from outside their office premises. The IBM Integrated Security Solution for Cisco Networks can be configured to allow partners to connect only to the Internet by using a policy that provides appropriate access to partners’ workstations that do not have particular client software installed. This can be considered a winning situation for both parties involved, as it provides a network access method without additional infrastructure and yet assures protection from unauthorized users.
Standard reports that can be generated from the IBM Integrated Security Solution for Cisco Networks can be valuable to corporate auditors. These can be used as artifacts, thereby reducing the effort in checking individual users. Automated processes can also provide consistency in checking a particular policy that may be required under certain circumstances. For example, when a new vulnerability is publicized, a policy can be created and deployed quickly to direct users to update their workstations and regain compliance by downloading and installing a fix using the appropriate remediation process.

1.4 Corporate security policy defined

A corporate security policy should protect the company’s valuable assets and meet legal obligations. Intellectual property must not be shared without explicit written authorization. As we do business with customers, we are required by law to maintain the confidentiality of the information, the privacy of the individual, and so on. Companies must adhere to government regulations that ensure that businesses are run legally and ethically without jeopardizing the integrity of the enterprise. This is fundamental to maintaining a trusted relationship between organizations and customers. Many businesses have outsourced their IT management to third-party companies; it is then the responsibility of that company to maintain the data confidentiality and integrity.
Most large corporations have employee guidelines that define how to protect company assets and conduct business with customers. Each employee is solely responsible for their actions and has to perform business within the given framework or guidelines set by the company.
To maintain trust between organizations, security is everyone’s concern without any exception. Every employee must be empowered to challenge untrusted entities, such as unauthorized access to information. Hackers use all abilities and means to access protected data. Physical security alone does not protect data, as information is available in many shapes and forms. It is of utmost importance for every employee of an organization to be conscious of corporate security policies and to adhere to them without exception.

1.5 Business driver for corporate security compliance

Corporations are required to enforce compliance to their policies to maintain a secure network and allow access only to authorized users, employees, and external partners. Best practices include:
• Protect the corporate network from malicious attackers.
• Keep authorized users compliant with corporate security policy.
• Enable an automated remediation process that eases the process of regaining compliancy for all authorized users on the corporate network.
• Provide partners and visitors access to the Internet but not the corporate intranet.

1.6 Achievable benefits for being compliant

How do organizations benefit from compliance with corporate security policies?
Corporate security policies and controls are established to enforce consistent rules that centrally secure access to IT resources across the organization. This also provides consistency in compliance with general business rules. Enforcing and maintaining strong passwords, for example, can make it more difficult for malicious users to access protected data.
Corporate auditors check for consistency in compliancy to corporate policies and look for deviations by individual users. Auditors are always looking for artifacts to prove that users are compliant. These can be used when the enterprise is being legally challenged by government regulators.
The following list spells out some tangible benefits to the organization:
• Increased accuracy of security compliance reporting
• Reduced effort and costs in data collection and report generation
• Timeliness of report generation and artifacts as required during security audits
• A consistent approach to security compliance reporting across geographically dispersed organizations
Figure 1-2 depicts the relevant tasks in a life-cycle overview for endpoint protection. All of the topics discussed in this chapter are represented at some point in this life cycle.
Figure 1-2 Integrated endpoint protection (figure not reproduced; panels: Policy Development and Assurance: asset protection, privacy and reputation protection, and regulatory compliance; Privacy: Secure Connectivity & Data: confidential delivery of applications, voice, data, and transactions; Protection: Threat Defense: minimize and manage both known and unknown threats; Control: Trust & Identity: manage users and devices in accordance with security policy; Infrastructure: Secure Systems & Networks: leverage core networking, software, and systems capabilities to address security issues; Secure Monitoring and Management: realize security policy through integrated network, device, and security management)
When an organization is responsible for maintaining and protecting customer data, it must create measures to ensure policy compliance by all involved systems on an automated and regular basis. Failure to meet this objective has resulted in significant exposure and many lawsuits have been lost. It is better to seem security-paranoid than to be ignorant.
More information about security compliance can be found in the IBM Redbook Deployment Guide Series: IBM Tivoli Security Compliance Manager, SG24-6450.

1.7 Conclusion

Organizations are constantly looking to maintain compliance status with their corporate security policy for both inter-company and intra-company interactions. Production losses and inefficiencies, and therefore substantial financial losses, have resulted from noncompliance. Laws and government regulations such as those mentioned in 1.2, “Why we need this” on page 5, mandate every organization to comply with regulatory acts. Keys to greater productivity include identifying authorized users and providing them easier access to network and system resources while keeping them compliant.
The IBM Integrated Security Solution for Cisco Networks delivers corporate compliance at a reduced cost. The IBM Integrated Security Solution for Cisco Networks enables organizations to identify users, monitor their compliance, offer them an easy and centralized remediation capability in case of noncompliance, and easily route them into appropriate network zones based on their credentials.
IBM and Cisco have recognized inter-company and intra-company security compliance problems. This approach enables corporations to implement a simplified, compliance-based full life-cycle Network Admission Control and remediation solution that can result in greater productivity, consistency, and ease of user administration. It also enables corporate auditors and administrators to have powerful controls in place for partners and contractors.
It is of utmost importance for every employee in an organization to be conscious of and in adherence with corporate security policies to provide end-to-end security across the gamut of IT services. Organizations must provide security education to all employees and update it regularly; every employee from the CEO on down must comply. Security is the responsibility of every employee, not just the holder of the security job title.
In the next chapter we introduce the architecture and design methodologies for the IBM Integrated Security Solution using Cisco Networks.