The managed state of an organization's individual endpoints may play a critical role in the overall security and availability of its Information Technology (IT) infrastructure and related business operations. The new wave of sophisticated crimeware not only targets specific companies, but may also target desktops and laptops as backdoor entryways into those enterprises' business operations and valuable resources. To safeguard themselves against these targeted threats, organizations must have a means to guarantee that each endpoint continually complies with corporate security and configuration management policies. Failure to guarantee endpoint policy compliance may leave organizations vulnerable to a wide array of threats. These threats may include the proliferation of malicious code throughout the enterprise, disruption of business-critical services, increased IT recovery and management costs, exposure of confidential information, damage to corporate brand, and/or regulatory fines due to non-compliance.
Network-access-control technologies may enable organizations to ensure the proper configuration and security state of user endpoints—including those of on-site employees, remote employees, guests, contractors, and temporary workers—before they are allowed to access resources on the corporate network. Network-access-control technologies may also discover and evaluate endpoint compliance status, provision the appropriate network access, and provide for mediation capabilities to ensure that endpoint security policies and standards are met.
Traditional network-access-control technologies may use transport-specific identifiers, such as Internet Protocol (IP) addresses, to identify and monitor endpoints. Unfortunately, controlling endpoint access using transport-specific identifiers may be problematic when an endpoint uses multiple different media-transport technologies. A media-specific identifier that identifies the endpoint when the endpoint uses one media-transport technology may not be available when the endpoint uses a different media-transport technology. As an example, an endpoint may typically use an Ethernet connection to connect to a network. The network may determine that the endpoint is infected with malware and may include an IP address associated with the endpoint on a blacklist. However, if the endpoint attempts to connect to the network by tethering through a cellular phone, the network may not be able to identify the endpoint as a blacklisted endpoint.
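The following added example (not part of the original document, and not the approach the document itself goes on to describe) models the scenario above: an admission control keyed on the IP address loses track of an infected endpoint once it reconnects over a different transport, whereas keying the same quarantine decision on a transport-independent identifier (assumed here to be a device-certificate fingerprint) still recognises it. Session data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One network-access attempt by an endpoint (constructed sample data)."""
    transport: str   # media-transport technology in use, e.g. "ethernet"
    ip: str          # transport-specific identifier assigned on this link
    device_id: str   # transport-independent identifier (assumed: device-cert fingerprint)


class IpKeyedNac:
    """Traditional control: quarantine state is keyed on the IP address."""

    def __init__(self) -> None:
        self.blocked_ips: set[str] = set()

    def quarantine(self, s: Session) -> None:
        self.blocked_ips.add(s.ip)

    def admit(self, s: Session) -> bool:
        return s.ip not in self.blocked_ips


class DeviceKeyedNac:
    """Same policy, keyed on an identifier that survives a transport change."""

    def __init__(self) -> None:
        self.blocked_devices: set[str] = set()

    def quarantine(self, s: Session) -> None:
        self.blocked_devices.add(s.device_id)

    def admit(self, s: Session) -> bool:
        return s.device_id not in self.blocked_devices


def run_scenario(nac) -> tuple[bool, bool]:
    """Quarantine a laptop seen on Ethernet, then let it return by tethering.

    Returns (admitted_on_ethernet, admitted_via_tether) for the given NAC.
    A correct control must deny both attempts.
    """
    laptop_eth = Session("ethernet", "10.0.5.23", "sha256:laptop-A")      # constructed
    laptop_tether = Session("cellular-tether", "100.64.7.9", "sha256:laptop-A")  # same device, new IP
    nac.quarantine(laptop_eth)  # infection detected while on Ethernet
    return nac.admit(laptop_eth), nac.admit(laptop_tether)
```

`run_scenario(IpKeyedNac())` returns `(False, True)`: the tethered reconnection slips past the IP blacklist, which is exactly the gap the paragraph describes; `run_scenario(DeviceKeyedNac())` returns `(False, False)`.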