It would be pointless to have a NAC/NAP solution that treated every device exactly the same way. For example, if the goal was to restrict every device from a network, there are certainly ways to globally lock everybody out, but what would be the point of having a network to which no one connected? The same is true for letting all devices onto a network: you would simply let them all on and would not really need any type of NAC/NAP solution. The element needed is knowledge on which to base a decision about whether the security posture of a particular device attempting to gain access is sufficient to allow that access. An important step in that process is analyzing the security posture of the device.
There are two basic means to analyze the security posture of a device:
Using an agent or client that resides on the device
Using a network-based scanning mechanism to assess the device
Both of these options have advantages and disadvantages. These will be covered in detail later in this chapter, but it is important to understand now that these two basic options are the choices.
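To make the distinction concrete, the following added example (not from the chapter's text or any product) sketches a posture-evaluation policy that consumes both kinds of evidence. The field names, threshold values and the decision outcomes (allow, remediate, restricted, deny) are hypothetical; the point it illustrates is that agent-reported evidence supports finer-grained decisions than what a network scan can observe from the wire.

```python
from dataclasses import dataclass, field

# Constructed sample evidence: an endpoint agent reports host-internal state,
# while a network scan only sees what is observable from the network.
AGENT_REPORT = {"source": "agent", "patch_level": 20, "av_running": True, "fw_enabled": False}
SCAN_REPORT = {"source": "scan", "open_ports": [80, 445]}

@dataclass
class Policy:
    """Admission criteria; hypothetical values chosen for this example."""
    min_patch_level: int = 18
    require_av: bool = True
    require_fw: bool = True
    risky_ports: set = field(default_factory=lambda: {23, 445, 3389})

def check_agent(report: dict, policy: Policy) -> list:
    """Return the criteria an agent-reported device fails (empty list = compliant)."""
    failures = []
    if report.get("patch_level", 0) < policy.min_patch_level:
        failures.append("patch_level")
    if policy.require_av and not report.get("av_running", False):
        failures.append("antivirus")
    if policy.require_fw and not report.get("fw_enabled", False):
        failures.append("firewall")
    return failures

def check_scan(report: dict, policy: Policy) -> list:
    """Return the risky services a network scan observed on the device."""
    return sorted(set(report.get("open_ports", [])) & policy.risky_ports)

def decide(report: dict, policy: Policy) -> str:
    """Map posture evidence to an access decision."""
    if report.get("source") == "agent":
        # Agent evidence is detailed enough to steer a failing device to
        # remediation instead of simply refusing it.
        return "allow" if not check_agent(report, policy) else "remediate"
    # Scan-only evidence cannot confirm host state (patches, AV, firewall), so
    # even a clean scan earns only restricted access; an exposed risky service
    # is refused outright.
    return "deny" if check_scan(report, policy) else "restricted"

if __name__ == "__main__":
    pol = Policy()
    print(decide(AGENT_REPORT, pol))  # remediate (firewall disabled)
    print(decide(SCAN_REPORT, pol))   # deny (port 445 exposed)
```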
The analysis of the device is certainly one of the most important elements of any NAC/NAP solution. This is the "meat" of any NAC/NAP solution, and it requires very careful consideration. A fine balance is necessary between being stringent enough on the criteria to allow access to an appropriate level of security, and being realistic enough as to ...