Network admission control servers typically attempt to determine whether a client should be allowed to join a network based on whether the client is up-to-date with patches and security definitions. For example, when an employee takes a laptop on a business trip, the network admission control server will determine whether the laptop should be re-admitted to the enterprise network upon the employee's return. If the client is not up-to-date, the admission control server may require the client to join a remediation network where the appropriate patches and definitions can be applied. Once the client is up-to-date, the client is admitted to the network.
There are many scenarios in which the criteria used for admission decisions are insufficient to make a good judgment about the risk of allowing admission. Enterprises are often behind in their patch and update deployment. Even diligent enterprises may be out-of-date because of the time spent testing updates before mandating that they be applied to the entire network. There are also many forms of malicious software or code, sometimes referred to as “malware,” that exploit unknown vulnerabilities, system misconfigurations, third-party software, and so on, and that can be present irrespective of the patch level of the client. Additionally, actions taken by a user while detached from the enterprise network, such as downloading and installing software, modifying the registry, and so on, may go undetected and are not considered by a typical network admission control server. In each of these cases, a client may be admitted to the enterprise network by a typical network admission control server, despite the significant risk that the client poses.
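The two paragraphs above describe, first, the patch-and-definitions check a typical admission control server performs and, second, the signals such a check ignores (changes made while the client was detached from the enterprise network). The following added example, which is not part of this document and is not any vendor's product, shows one way an admission evaluator could combine both kinds of evidence into an admit / remediate / restrict verdict together with the post-admission controls to apply. The baseline values, grace periods, field names, approved-software list and the three sample clients are all constructed for illustration.

```python
"""Posture-based admission decision that looks beyond patch level.

Added example (hypothetical evaluator, constructed data): combines the
patch/definition checks of a typical NAC server with evidence recorded
by an endpoint agent while the client was detached from the enterprise.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List

# Constructed enterprise baseline: what "up-to-date" currently means.
BASELINE = {
    "patch_level": date(2024, 5, 14),      # latest mandated patch rollup
    "definitions": date(2024, 5, 20),      # latest AV/EDR definition set
    "patch_grace_days": 14,                # tolerated lag before remediation
    "definition_grace_days": 3,
    "approved_software": {"vpn-client", "office-suite", "browser"},
}


@dataclass
class ClientPosture:
    host: str
    patch_level: date
    definitions: date
    # Events the (hypothetical) endpoint agent recorded while detached.
    offline_installs: List[str] = field(default_factory=list)
    offline_registry_changes: List[str] = field(default_factory=list)
    security_services_disabled: bool = False


@dataclass
class Decision:
    verdict: str                 # "admit", "remediate" or "restrict"
    reasons: List[str]
    controls: List[str]          # post-admission controls to apply


def evaluate(p: ClientPosture, baseline=BASELINE) -> Decision:
    """Return the admission verdict for one client.

    'remediate' covers conditions a remediation network can fix (stale
    patches or definitions); 'restrict' covers offline changes that need
    review and post-admission controls; 'restrict' outranks 'remediate'.
    """
    reasons, controls = [], []
    remediate = restrict = False

    # Classic NAC criteria: how far behind the mandated baseline is the client?
    patch_lag = (baseline["patch_level"] - p.patch_level).days
    if patch_lag > baseline["patch_grace_days"]:
        remediate = True
        reasons.append(f"patch level {patch_lag} days behind baseline")
    def_lag = (baseline["definitions"] - p.definitions).days
    if def_lag > baseline["definition_grace_days"]:
        remediate = True
        reasons.append(f"definitions {def_lag} days behind baseline")

    # Signals a patch-level-only check misses: what changed while detached?
    unapproved = sorted(set(p.offline_installs) - baseline["approved_software"])
    if unapproved:
        restrict = True
        reasons.append(f"unapproved software installed while detached: {unapproved}")
        controls.append("inventory and verify unapproved software before full access")
    if p.offline_registry_changes:
        restrict = True
        reasons.append(f"{len(p.offline_registry_changes)} registry changes while detached")
        controls.append("review recorded registry changes against baseline")
    if p.security_services_disabled:
        restrict = True
        reasons.append("endpoint security services disabled")
        controls.append("re-enable and verify endpoint security services")

    if restrict:
        controls.insert(0, "place in restricted segment with traffic inspection")
        return Decision("restrict", reasons, controls)
    if remediate:
        return Decision("remediate", reasons, ["join remediation network and apply updates"])
    return Decision("admit", reasons, [])


# Constructed sample clients returning from travel.
SAMPLE_CLIENTS = [
    ClientPosture("lt-001", date(2024, 5, 14), date(2024, 5, 20)),
    ClientPosture("lt-002", date(2024, 4, 9), date(2024, 5, 20)),
    ClientPosture("lt-003", date(2024, 5, 14), date(2024, 5, 20),
                  offline_installs=["browser", "unknown-tool"],
                  offline_registry_changes=["autostart entry added"]),
]


def evaluate_all(clients=SAMPLE_CLIENTS):
    return {c.host: evaluate(c) for c in clients}


if __name__ == "__main__":
    for host, d in evaluate_all().items():
        print(host, d.verdict, d.reasons, d.controls)
```

Client lt-003 is fully up-to-date and would be admitted outright by a server that checks only patch level and definitions; here it is placed in a restricted segment because of what happened while it was detached, which is exactly the gap the text describes.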
Therefore, it would be desirable to have a better way to make network admission decisions and to determine what post-admission controls should be applied.