14.1. Learning from Your Network
NAC truly is the first solution that lets you coordinate the information available from all of your many network and security elements in a single location, so that you can establish access control policies based not only on user identity and endpoint security posture, but also on each user's behavior while he or she is attached to the network.
New standards, such as the TNC's IF-MAP protocol (discussed in Chapter 13), have opened the door to this level of coordination. As these standards take root and an increasing number of vendors adopt them, you gain access to many new types of enforcement and policy, allowing you to extract additional value from your NAC implementation by extending it to other products. The following sections discuss some examples of how your NAC deployment can benefit from extension to include other products.
14.1.1. IDP/IPS Integration
Intrusion detection and prevention (IDP), or intrusion prevention systems (IPS), have become increasingly popular in recent years, especially as vendors responded to early challenges in the NAC market, such as perceived deployment and usability difficulties. Many large organizations have now fully deployed IDP/IPS, but before NAC, those solutions were somewhat limited in their ability to prevent new attacks against the corporate network. You can configure any IPS sensor to drop malicious or otherwise unwanted traffic on the network. For example, if a particular ...
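The coordination described above, as an added illustration that is not from the book: NAC session records (identity and admission-time posture) are joined to IPS alerts by endpoint IP, and one policy function weighs posture and observed behavior to pick an enforcement action. The session table, alert feed, severity scale and thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class Session:
    """One NAC session: who is on the network, from where, and in what state."""
    ip: str
    user: str
    role: str
    posture_ok: bool      # endpoint passed its health check at admission

@dataclass(frozen=True)
class IpsEvent:
    """An IPS alert as an IF-MAP-style publication keyed on an IP address."""
    ip: str
    signature: str
    severity: int         # constructed scale: 1 (informational) .. 10 (critical)

def correlate(sessions, events):
    """Join IPS events to NAC sessions by endpoint IP -> {user: [events]}.
    Events for IPs with no session are kept under key None (unmanaged device)."""
    by_ip = {s.ip: s for s in sessions}
    hits = defaultdict(list)
    for ev in events:
        sess = by_ip.get(ev.ip)
        hits[sess.user if sess else None].append(ev)
    return hits

def decide(session, events, critical=8, suspicious=5, max_suspicious=3):
    """Map identity + posture + observed behavior to one enforcement action."""
    if not session.posture_ok:
        return "remediate"        # unhealthy endpoint: posture is checked first
    if any(e.severity >= critical for e in events):
        return "quarantine"       # a single critical alert is enough
    if sum(e.severity >= suspicious for e in events) >= max_suspicious:
        return "quarantine"       # repeated suspicious behavior
    if any(e.severity >= suspicious for e in events):
        return "restrict"         # stay connected, lose access to sensitive segments
    return "allow"

# Constructed sample input (not real data)
SESSIONS = [Session("10.0.1.10", "alice", "staff", True),
            Session("10.0.1.11", "bob", "staff", True),
            Session("10.0.1.12", "carol", "contractor", False),
            Session("10.0.1.13", "dave", "staff", True)]
EVENTS = [IpsEvent("10.0.1.10", "PORTSCAN", 5), IpsEvent("10.0.1.10", "PORTSCAN", 5),
          IpsEvent("10.0.1.11", "SMB_EXPLOIT_ATTEMPT", 9),
          IpsEvent("10.0.1.99", "PORTSCAN", 5)]   # no NAC session for this IP

def decisions(sessions=SESSIONS, events=EVENTS):
    """Enforcement action per logged-in user, given the current alert feed."""
    hits = correlate(sessions, events)
    return {s.user: decide(s, hits.get(s.user, [])) for s in sessions}

if __name__ == "__main__":
    print(decisions())
    print("unattributed:", correlate(SESSIONS, EVENTS).get(None))
```

Alerts that match no session are a finding in their own right: they point at a device that reached the network without passing through NAC admission.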