
Security compliance criteria, Remediation services – IBM Tivoli and Cisco User Manual


100 Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

4. The Security Compliance Manager client is armed with a remediation handler.
   The remediation handler provides a method of displaying the compliance
   posture data to the end user. In addition to informing the user of the
   specific posture failures, the remediation handler can display additional,
   customizable information informing the user what the current security policy
   requirements are, what steps have to be taken, and whom to contact for
   additional assistance with resolving the specific compliance violations.
   Finally, the remediation handler also provides a method for reinitiating the
   local security compliance scanning process.

5. When the workstation has completed the remediation process and is healthy
   again, it will be allowed access to the production network following the
   next periodic status query issued by the Cisco enforcement device.

Security compliance criteria

According to the published security policy for desktops, ABBC will institute the
following compliance criteria for Network Admission Control checking:

1. Local workstation password quality must meet the following criteria:

   a. Password age must not be older than 90 days.

   b. Password minimum length must be eight characters.

2. The Windows Messenger service on user workstations must be disabled.

3. A system must have run a full virus scan during the past 7 days.

4. The antivirus software version must be correct (Symantec Antivirus Version
   9.0.3.100).

5. The virus definition file must be up to date, meaning not older than
   September 29th, 2006.

6. The users' workstations have to run Windows XP Service Pack 2.

7. There must be specific Microsoft hotfixes (for example, we used KB896423
   and KB893756) installed on the workstation.

8. The personal firewall software must be installed and running.

9. The Windows Messenger service must not be allowed.
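The criteria above translate directly into a posture evaluation: a client collects a set of local facts and a policy engine compares each against the published thresholds, reporting every failure so the remediation handler can show the user what to fix. The following is an added example, not code from the Redbook or from Security Compliance Manager; the posture field names and the two constructed workstation records are assumptions made for this illustration.

```python
from datetime import date

# Thresholds from the ABBC desktop policy (item 9 restates item 2).
REQUIRED_AV_VERSION = "9.0.3.100"
MIN_DEFINITION_DATE = date(2006, 9, 29)
REQUIRED_HOTFIXES = {"KB896423", "KB893756"}


def evaluate_posture(p, today):
    """Return the list of policy violations for one posture record `p`
    (a dict with hypothetical field names chosen for this example);
    an empty list means the workstation is healthy."""
    v = []
    if (today - p["password_set"]).days > 90:
        v.append("password older than 90 days")
    if p["min_password_length"] < 8:
        v.append("minimum password length below 8 characters")
    if p["messenger_service_enabled"]:
        v.append("Windows Messenger service is enabled")
    if (today - p["last_full_scan"]).days > 7:
        v.append("no full virus scan in the past 7 days")
    if p["av_version"] != REQUIRED_AV_VERSION:
        v.append(f"antivirus version {p['av_version']} != {REQUIRED_AV_VERSION}")
    if p["definition_date"] < MIN_DEFINITION_DATE:
        v.append("virus definitions older than 2006-09-29")
    if p["os"] != "Windows XP SP2":
        v.append("not running Windows XP Service Pack 2")
    missing = REQUIRED_HOTFIXES - set(p["hotfixes"])
    if missing:
        v.append("missing hotfixes: " + ", ".join(sorted(missing)))
    if not p["firewall_running"]:
        v.append("personal firewall not installed or not running")
    return v


# Constructed posture records, as a client-side collector might report them.
HEALTHY = dict(password_set=date(2006, 8, 1), min_password_length=8,
               messenger_service_enabled=False, last_full_scan=date(2006, 9, 30),
               av_version="9.0.3.100", definition_date=date(2006, 10, 1),
               os="Windows XP SP2", hotfixes=["KB896423", "KB893756"],
               firewall_running=True)
STALE = dict(HEALTHY, password_set=date(2006, 6, 1),
             messenger_service_enabled=True, definition_date=date(2006, 9, 20),
             hotfixes=["KB896423"])

if __name__ == "__main__":
    for name, posture in (("HEALTHY", HEALTHY), ("STALE", STALE)):
        print(name, evaluate_posture(posture, date(2006, 10, 2)) or "compliant")
```

Because every failed check is reported rather than only the first, the remediation handler can present the complete list of violations to the user in one pass.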

Remediation services

ABBC will deploy and configure the infrastructure to enforce network admission
based on business policy. However, to minimize the impact on users' productivity,
the remediation methodology will utilize automated remediation processes.

It must be noted that the Network Admission Control (NAC) system is not
intended to be a replacement for traditional workstation life cycle management.
As documented in 2.3.2, “Security policy life cycle management” on page 30, we