10.2. Endpoint/Software Enforcement

Endpoint enforcement involves software on the connecting client that enforces policies. This kind of enforcement is similar to putting firewall software on an endpoint. With firewall software, you control what the endpoint can communicate with by using source IP, destination IP, port, and protocol type. That type of functionality is the most basic form of endpoint enforcement. In the case of NAC, the policy engine controls the policies instead of those policies being statically configured on the endpoint.

You can use endpoint enforcement not only for network enforcement but also for endless other types of policies (including which software can be run).

Never use endpoint enforcement on its own in a NAC deployment. Because of the nature of an endpoint, if it's compromised and contains malicious code, you can't trust the software on the endpoint to do its job. In other words, if you're using endpoint enforcement to control what server or IPs the endpoint can reach, you put all your eggs in one basket. If the endpoint is compromised, malicious users can circumvent the software to reach the network. Always use endpoint enforcement in conjunction with another form of enforcement, such as 802.1X- or firewall-based enforcement. This extra enforcement adds an external check and balance so that if the endpoint becomes compromised, the firewall, in ...
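The layering argument above, as an added example that is not from the book: a small Python model in which one NAC policy is applied both by the endpoint agent and by a network-side control, and a compromised endpoint (agent disabled) is still stopped by the network layer. The roles, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy from the "policy engine": which destinations each
# endpoint role may reach. Roles and addresses are assumptions for this example.
POLICY = {
    "finance-pc": [("10.1.0.0/24", 443)],                    # finance servers only
    "guest-laptop": [("0.0.0.0/0", 80), ("0.0.0.0/0", 443)],  # web only
}


@dataclass
class Flow:
    role: str
    dst_ip: str
    dst_port: int


def _policy_permits(flow: Flow) -> bool:
    """Shared policy check: destination must match an allowed network/port pair."""
    return any(
        ip_address(flow.dst_ip) in ip_network(net) and flow.dst_port == port
        for net, port in POLICY.get(flow.role, [])
    )


def endpoint_allows(flow: Flow, agent_intact: bool) -> bool:
    """Endpoint enforcement: the host agent applies the policy-engine rules.
    A compromised host can disable or bypass the agent, modelled here as the
    check permitting everything when agent_intact is False."""
    if not agent_intact:
        return True
    return _policy_permits(flow)


def network_allows(flow: Flow) -> bool:
    """Network enforcement (802.1X-assigned ACL or firewall) built from the
    same policy; it runs outside the host, so the host cannot tamper with it."""
    return _policy_permits(flow)


def reachable(flow: Flow, agent_intact: bool = True, layered: bool = True) -> bool:
    """Endpoint-only enforcement trusts the agent alone; layered enforcement
    requires both the endpoint and the network to permit the flow."""
    if not layered:
        return endpoint_allows(flow, agent_intact)
    return endpoint_allows(flow, agent_intact) and network_allows(flow)
```

With the agent disabled, `reachable(..., agent_intact=False, layered=False)` lets a finance PC reach any server, while the layered check still denies it.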

Get Network Access Control For Dummies® now with the O’Reilly learning platform.