14.2. Extending NAC Enforcement

Because NAC has matured in the marketplace, and new APIs and standards have become available, you can choose from an expanding number of possible enforcement models.

The following sections discuss some of the many potential policy enforcement points that you can use in a NAC environment containing some of today's leading NAC solutions. You can't use all these points with all NAC solutions, nor do all enforcement-point vendors support the standards and APIs necessary to accomplish such a goal. But we introduce you to the possibilities before you proceed with a NAC deployment so that you can determine whether your organization's network and security goals, as set forth in your security policy, require a solution integrated with other security devices.

Some of these enforcement points come in different form factors. Multi-function network and security devices have become very popular in recent years — in many cases, encompassing all the enforcement models discussed in the following sections.

NOTE

The descriptions in the following sections describe logical enforcement modules, rather than fully separate standalone devices and appliances.

14.2.1. Firewall enforcement

Your organization has, in all likelihood, already deployed many firewalls at various points throughout your network, such as

  • The ingress and egress points to the network

  • In front of datacenters

  • Separating locations and departments

Because of their strategic placement, firewalls make logical ...

Get Network Access Control For Dummies® now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.