Chapter 7. Step 3. Determine the Enforcement Layer

In previous steps, it was determined that clients connect to the network locally. The purpose of this step is to determine whether to enforce NAP restrictions at each host using IPsec or to enforce them on the network. Each approach has unique strengths and weaknesses.

Option 1: Enforce Restrictions at the Hosts

With IPsec enforcement, hosts on the network will ignore traffic from client devices that have not proven that they meet the organization’s health policies. This is a powerful method of protecting compliant computers from other computers. Additionally, it can be combined with server and domain isolation to ensure that when a system has demonstrated its compliance, it will still be restricted ...
