
Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

In the IBM Integrated Security Solution for Cisco Networks, the collector is called a posture collector. A posture collector consists of posture data collection and posture status determination. The posture data collection part of a posture collector is the same as in a regular Security Compliance Manager collector, but the posture status determination part of a posture collector is an extension to the standard model. A posture collector determines the client posture status by checking or comparing a collected value with a required value. The required posture data value, which is part of the collector, is inserted into the collector by editing collector parameters while creating a collector on the Security Compliance Manager server.

If required posture data values are null in the parameters, the posture determination part is not executed. Each posture collector stores into the posture cache:

- Collected posture data
- Posture status, which is from the set {PASS, FAIL, WARN, ERROR}
- Optional posture messages
- Zero or more remediation actions

The posture collector also contains appropriate information to be used in order to
remediate any compliance violations.

A posture collector can be called by the Security Compliance Manager server or
by the policy collector on the client, or it can be scheduled.

Policy collector

After a posture collector collects all required information from the client system, the policy collector counts the number of posture collector results that show noncompliance; this result forms the violation count. The violation count and the policy collector's version information together form the posture credentials. The policy collector also receives back the client's posture that is evaluated by the posture validation server (ACS). Depending on the client's posture status, the policy collector calls the default remediation handler to present information about noncompliant items on the client system to the end user.
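The collector flow described above (collection, status determination against a required value, the skip when the required value is null, and the policy collector's violation count and posture credentials), as an added Python model that is not the product's own code. The collector names, the sample client values and the choice to count only FAIL results as violations are assumptions.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, List, Optional

# Posture status values as given on the page
PASS, FAIL, WARN, ERROR = "PASS", "FAIL", "WARN", "ERROR"

@dataclass
class PostureResult:
    """One posture collector's entry in the posture cache."""
    name: str
    collected: Any
    status: Optional[str]  # None when determination was skipped (null required value)
    messages: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)

def run_posture_collector(name: str, collect: Callable[[], Any], required: Any,
                          compare: Callable[[Any, Any], bool], fix: str) -> PostureResult:
    """Posture data collection, then posture status determination."""
    try:
        collected = collect()
    except Exception as exc:  # collection itself failed
        return PostureResult(name, None, ERROR, [f"{name}: collection failed: {exc}"])
    if required is None:  # null required value: determination part is not executed
        return PostureResult(name, collected, None)
    if compare(collected, required):
        return PostureResult(name, collected, PASS)
    return PostureResult(name, collected, FAIL,
                         [f"{name}: required {required!r}, found {collected!r}"], [fix])

def policy_collector(results: List[PostureResult], version: str) -> dict:
    """Violation count (FAIL results, an assumption) plus version form the credentials."""
    violations = sum(1 for r in results if r.status == FAIL)
    return {"violation_count": violations, "policy_version": version}

def remediation_handler(results: List[PostureResult]) -> List[str]:
    """What the default handler would show the end user for noncompliant items."""
    return [m for r in results if r.status == FAIL for m in r.messages + r.remediation]

def evaluate_sample() -> tuple:
    """Constructed client values: one PASS, one FAIL, one skipped determination."""
    results = [
        run_posture_collector("av_sig_age_days", lambda: 3, 7, lambda c, r: c <= r, "Update signatures"),
        run_posture_collector("firewall_enabled", lambda: False, True, lambda c, r: c == r, "Enable the host firewall"),
        run_posture_collector("os_patch_level", lambda: "SP2", None, lambda c, r: c == r, "Apply missing patches"),
    ]
    return results, policy_collector(results, "1.0"), remediation_handler(results)
```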

Note: Organizations having Security Compliance Manager deployed can use
Security Compliance Manager collectors and posture collectors at the same
time, but only posture collectors can trigger posture violations and hence
trigger NAC enforcement. To enforce a compliance policy before a client
connects to the enterprise network, posture collectors have to be deployed
using the IBM Integrated Security Solution for Cisco Networks.