IBM Tivoli and Cisco User Manual

Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

Remote offices and branch offices can use the Internet as a primary method
of access or for backup if the primary access method fails.

Organizations can provide partners access over the Internet and exchange
data over VPN.

Controlled zone - external network-facing DMZ

One controlled, semi-trusted network zone is called the DMZ. It provides a buffer
zone between the Internet and internal networks. This zone can realize the
following benefits:

The DMZ can terminate partner traffic or any other WAN traffic before it enters any
restricted production zone.

This zone terminates all dial-up users and VPN traffic.

The Tivoli Configuration Manager Web Gateway is typically located in the
DMZ.

Controlled zone - intranet

The intranet is the other controlled zone. Local client users on the LAN
infrastructure and remote office users, using WAN technologies to connect to
various enterprise resources, are participants of this zone.

Restricted zone - production network

One or more network zones may be designated as restricted zones for systems to
which access must be strictly controlled. These systems can be production
servers and are typically application servers, database servers, and other
servers that support business-critical functions. Direct access to these systems
from uncontrolled networks should not be permitted. The Security Compliance
Manager server, Security Compliance Manager proxy, and, optionally, the
Configuration Manager Software Distribution server may be placed in the
production network.

Restricted zone - management network

This zone contains network and enterprise management systems. The ACS can
typically be part of the management zone.
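The zone model above (uncontrolled Internet, controlled DMZ and intranet, restricted production and management networks) can be turned into a check that flags firewall rules which let uncontrolled traffic reach a restricted zone without first terminating in the DMZ. The following script is an added example, not code from the Redbook or from IBM or Cisco; the zone names, trust levels, service labels and sample rules are constructed assumptions.

```python
from dataclasses import dataclass

# Added example (not from the Redbook); zone names and rules are constructed.
# Trust level per zone, following the page's classification:
# uncontrolled (Internet) = 0, controlled (DMZ, intranet) = 1,
# restricted (production, management) = 2.
ZONE_LEVEL = {"internet": 0, "dmz": 1, "intranet": 1,
              "production": 2, "management": 2}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str  # constructed label such as "https"

def violation(rule: Rule):
    """Return a reason if the rule breaks the zoning principle, else None.

    Principle from the text: traffic from an uncontrolled network must be
    terminated in a controlled zone (the DMZ) before it reaches a restricted
    zone, so one rule may raise the trust level by at most one step.
    """
    try:
        src, dst = ZONE_LEVEL[rule.src_zone], ZONE_LEVEL[rule.dst_zone]
    except KeyError as exc:
        return f"unknown zone {exc}: classify it before allowing the flow"
    if dst - src > 1:
        return (f"{rule.src_zone} -> {rule.dst_zone} ({rule.service}) "
                "bypasses the controlled buffer zone")
    return None

def audit(rules):
    """Return every rule that violates the principle, paired with its reason."""
    return [(r, reason) for r in rules if (reason := violation(r)) is not None]

# Constructed sample rule set for a deployment like the one described.
SAMPLE_RULES = [
    Rule("internet", "dmz", "https"),         # partner/VPN traffic ends in the DMZ
    Rule("dmz", "production", "https"),       # Web Gateway forwards inward
    Rule("intranet", "production", "https"),  # LAN users reach enterprise resources
    Rule("intranet", "management", "radius"), # access switches reach the ACS (constructed)
    Rule("internet", "production", "https"),  # direct uncontrolled -> restricted
    Rule("partner-wan", "production", "https"),  # zone not classified in the model
]

if __name__ == "__main__":
    for _rule, reason in audit(SAMPLE_RULES):
        print("VIOLATION:", reason)
```

Running the script reports the two flagged rules; extending ZONE_LEVEL with an organization's own subnetworks lets the same check cover the more finely segmented environments mentioned below.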

Other networks

The network examples that we use do not necessarily include all possible
scenarios. There are organizations that extensively segment functions into
various subnetworks. However, in general, the principles discussed here may be
translated easily into appropriate architectures for such environments.