Endpoint enforcement involves software on a connecting client that enforces policies. This kind of enforcement is similar to putting firewall software on an endpoint. Firewall software lets you control what the endpoint can communicate with, using source IP, destination IP, ports, and protocol type as the rule vocabulary. That type of functionality is the most basic form of endpoint enforcement. In the case of NAC, the policy engine controls the policies centrally instead of those policies being statically configured on each endpoint.
You can use endpoint enforcement for not only network enforcement, but also endless types of policies (including which software can be run).
NAC can use two distinct types of endpoint or software enforcement: host-based and server-based.
NAC host-based enforcement is a software-based approach that has its functionality bundled in the endpoint agent.
The functionality available in host-based enforcement differs greatly from vendor to vendor.
Network policy enforcement is the most common of the policies that administrators use in conjunction with NAC. Network policy enforcement dictates what the endpoint can communicate with on the network, usually based on the five-tuple concept:
Source IP
Source port
Destination IP
Destination port
Protocol
The simplest example is a policy that says a user can't reach the Exchange server if he or she doesn't have an up-to-date antivirus program installed and running. The endpoint agent blocks any traffic that tries to reach that server by filtering packets on the network interface of the endpoint.
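The following is an added illustration, not code from the original text or from any NAC product: a minimal host-based agent check that applies five-tuple rules pushed by a policy engine, where each rule is gated on endpoint posture (antivirus installed, running, and with recent signatures). The policy, addresses, and posture facts are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    """Five-tuple filter pushed by the policy engine; None means 'any'.
    A matching flow is allowed only if the posture attribute in `requires` is true."""
    requires: str
    dst_net: str
    dst_port: Optional[int] = None
    proto: Optional[str] = None

# Constructed sample policy: the mail server (10.0.5.10) is reachable on any
# port only from endpoints with current antivirus; SMB (445/tcp) to the
# file-server subnet carries the same requirement.
POLICY = [
    Rule("av_current", "10.0.5.10/32"),
    Rule("av_current", "10.0.6.0/24", dst_port=445, proto="tcp"),
]

def evaluate_posture(facts: dict, max_sig_age_days: int = 3) -> dict:
    """Turn raw agent facts into the attributes the rules gate on."""
    av_current = (facts.get("av_installed", False)
                  and facts.get("av_running", False)
                  and facts.get("av_sig_age_days", 10**6) <= max_sig_age_days)
    return {"av_current": bool(av_current)}

def matches(rule: Rule, flow: Flow) -> bool:
    """Five-tuple match; unspecified rule fields act as wildcards."""
    return (ip_address(flow.dst_ip) in ip_network(rule.dst_net)
            and (rule.dst_port is None or rule.dst_port == flow.dst_port)
            and (rule.proto is None or rule.proto == flow.proto))

def decide(flow: Flow, facts: dict, policy=POLICY) -> str:
    """Return 'allow' or 'block'; flows matching no rule pass through."""
    posture = evaluate_posture(facts)
    for rule in policy:
        if matches(rule, flow):
            return "allow" if posture.get(rule.requires, False) else "block"
    return "allow"
```

Because the decision is made per flow on the endpoint, the same agent can also log every block so the policy engine has an audit trail of which posture failure denied which destination.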
One of the biggest benefits of having an agent on the endpoint is that the agent can control what software the endpoint runs. By using NAC, you can create policies that prevent a user from running instant messaging software on the endpoint. The endpoint agent can monitor whether the user attempts to run the instant messaging software, and it can block the software or terminate the application. Therefore, you have the power to actually control what applications run on an endpoint that's connected to your network.
A virtual environment is a temporary workspace on top of the existing desktop. A virtual environment protects the user, and his or her data, when he or she connects to the network.
NOTE
Virtual environments are the least popular type of enforcement technology.
Server-based enforcement deals with policies on an agent that's running on a server. This agent controls which users have access to a particular application or the server itself.
If possible, move server enforcement off the server, because enforcement adds strain and load to the server. But keep application authentication on the server for NAC, because of the audit trails it provides. In some cases, you can tie your network access control into your application authentication infrastructure, which can give the applications on the server Single Sign-On (SSO) functionality.