Chapter 7. Step 3. Determine the Enforcement Layer
In previous steps, it was determined that clients connect to the network locally. The purpose of this step is to determine whether to enforce NAP restrictions at each host using IPsec or to enforce them on the network. Each approach has unique strengths and weaknesses.
Option 1: Enforce Restrictions at the Hosts
With IPsec enforcement, hosts on the network will ignore traffic from client devices that have not proven that they meet the organization’s health policies. This is a powerful method of protecting compliant computers from other computers. Additionally, it can be combined with server and domain isolation to ensure that when a system has demonstrated its compliance, it will still be restricted ...