14.2. Extending NAC Enforcement
Because NAC has matured in the marketplace, and new APIs and standards have become available, you can choose from an expanding number of possible enforcement models.
The following sections discuss some of the many potential policy enforcement points that you can use in a NAC environment containing some of today's leading NAC solutions. You can't use all these points with all NAC solutions, nor do all enforcement-point vendors support the standards and APIs necessary to accomplish such a goal. But we introduce you to the possibilities before you proceed with a NAC deployment so that you can determine whether your organization's network and security goals, as set forth in your security policy, require a solution integrated with other security devices.
Some of these enforcement points come in different form factors. Multi-function network and security devices have become very popular in recent years — in many cases, encompassing all the enforcement models discussed in the following sections.
The descriptions in the following sections describe logical enforcement modules, rather than fully separate standalone devices and appliances.
14.2.1. Firewall enforcement
Your organization has, in all likelihood, already deployed many firewalls at various points throughout your network, such as
The ingress and egress points to the network
In front of datacenters
Separating locations and departments
Because of their strategic placement, firewalls make logical ...