4.3. Enforcement Time

After you define the policy, you decide how and where to enforce your policies. Enforcement gives your network access control policies teeth, so to speak, allowing them to have meaning and purpose on the network.

Most network access control deployments use several enforcement methods. When selecting the best method to enforce policies, take a look at each method and see what makes sense in your network. You may even choose to do no enforcement at all and just run the entire deployment in monitor mode. Whatever you decide to do, do your homework and test each option thoroughly.

4.3.1. Endpoint

Endpoint enforcement, the most basic form of enforcement, involves the endpoint client enforcing policy that the policy engine pushes. The enforcement can be network-access-based or software-based. For network-access-based enforcement on the endpoint, the endpoint client restricts or changes access for a network user based on a policy that the policy engine sends. Endpoint enforcement can use a couple of different methods, but the most common method uses a software firewall-based approach. The other method of enforcement is software-based and is limited only by your imagination. For example, the software-based approach can block certain applications from running or start a virtual desktop.

Try to avoid using endpoint enforcement on its own. Malicious users can get ...
