2.3. Where Have You Been?

When deployed, a NAC solution makes sure that a user device meets a preset security standard. NAC can also ensure that a device is free of malware before allowing that device to access the company network, and some NAC solutions can even check whether the user's device continues to meet the corporate security standard after it has connected. Your company can decide how it wants to enforce access control. For example, if a NAC solution determines that a device has been infected with malware prior to connecting to the company network, the NAC solution can do one of the following:

  • Deny the device network access.

  • Accept the device onto the network with a warning (or without a warning).

  • Place the device on a quarantine network.

    A quarantine network is like purgatory for unclean devices. Just like its medical counterpart, a quarantine network segregates an infected, non-compliant, or potentially dangerous device, one that could contaminate others, from the rest of the healthy, normal network by placing it in an ancillary network (perhaps a virtual network) apart from the company's core network and resources.

While a device is in the quarantine network, a NAC solution can begin cleaning or repairing the device, either on its own or in conjunction with a third-party server. This process is called remediation. A NAC solution can use several forms of remediation:

  • Automated: Little to no human interaction necessary; remediation of the infected device happens automatically.

  • Hands-on: A person from support (or another corporate department) may need to clean or repair the infected device.

  • User-driven: Various forms of remediation that may include instructions on how a user or other individual should clean or repair a quarantined device on his or her own, or directions to a specific Web site that can walk the user through the process to clean or repair his or her system.

After the infected or non-compliant device has been cleaned and repaired, one of two things happens, depending on the NAC solution: the user is instructed to manually re-authenticate the device so that it can access the network, or the NAC solution automatically places the device on the appropriate network with the appropriate authorization rights.

NAC can make sure that all devices requesting network access are free of malware that might infect the network and its users' devices, and that devices accessing the network have, and continue to maintain, a specific, predefined level of malware and data protection.
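
The enforcement and re-admission flow described in this section, as an added sketch (not code from the book or from any NAC product). The posture fields, network names, and class names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    ALLOW_WITH_WARNING = "allow_with_warning"
    DENY = "deny"
    QUARANTINE = "quarantine"

@dataclass
class Posture:  # hypothetical health-check result reported for a device
    malware_found: bool
    av_running: bool
    patches_current: bool

    def compliant(self) -> bool:
        return not self.malware_found and self.av_running and self.patches_current

# Hypothetical network names; None means no network access at all.
NETWORKS = {Action.ALLOW: "corp", Action.ALLOW_WITH_WARNING: "corp",
            Action.QUARANTINE: "quarantine", Action.DENY: None}

class Nac:
    def __init__(self, on_fail: Action, auto_readmit: bool = True):
        if on_fail is Action.ALLOW:
            raise ValueError("a failed check cannot map to a clean ALLOW")
        self.on_fail = on_fail            # company-chosen enforcement option
        self.auto_readmit = auto_readmit  # False: user must re-authenticate
        self.placement = {}               # device id -> current network

    def assess(self, device: str, posture: Posture) -> Action:
        """Run at (re-)authentication and again for post-connect rechecks."""
        action = Action.ALLOW if posture.compliant() else self.on_fail
        self.placement[device] = NETWORKS[action]
        return action

    def remediated(self, device: str, posture: Posture) -> Action:
        """Called when remediation reports done; posture is re-checked,
        so a device is never re-admitted on the claim alone."""
        if self.placement.get(device) != "quarantine":
            raise ValueError("device is not quarantined")
        if not posture.compliant() or not self.auto_readmit:
            return Action.QUARANTINE  # stays put until assess() passes
        return self.assess(device, posture)

if __name__ == "__main__":
    nac = Nac(on_fail=Action.QUARANTINE)
    infected = Posture(malware_found=True, av_running=True, patches_current=True)
    clean = Posture(malware_found=False, av_running=True, patches_current=True)
    print(nac.assess("laptop-1", infected), nac.placement)
    print(nac.remediated("laptop-1", clean), nac.placement)
```

With `auto_readmit=False`, a cleaned device stays in quarantine until the user re-authenticates, which is modelled here as a fresh call to `assess()`.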
