15.4. Policy Enforcement

A lot of NAC solutions include optional enforcement. Even if you start out with an evaluate-only type of NAC deployment, you'll probably want to enforce NAC policies in the network eventually.

Look at the NAC solutions that you are evaluating to determine what methods of enforcement are included and how they fit with your organization's short- and long-term goals for NAC. Several options for enforcement allow greater flexibility and more capabilities from NAC. These options include:

  • Switch-based enforcement

  • Inline devices or appliances

  • Endpoint or client-based enforcement

Try to leverage more than one option when you complete your deployment. For example, if you use endpoint enforcement, also set up network-based enforcement as a check and balance, so that the policy is still enforced if the endpoint becomes compromised.


The closer to the endpoint you position enforcement, the more control you have over what the device can see. In a perfect world, you'd enforce policies everywhere possible:

  • The endpoint itself

  • The access layer switch

  • An inline device in front of your protected resources
