Securing corporate networks from attack has become evermore essential as networking has evolved to support both wired and wireless access. For example, global corporations may support thousands of employees and contractors all over the world, resulting in workers and contractors that are mobile and unwired. As a result, network access for such employees depends more and more upon wireless local area networks (WLANs) and wide area networks (WANs), as well as virtual private networks (VPN) for remote access. Unfortunately, each of these technologies creates the potential to expose a network perimeter to threats.
Such threats from malware (e.g., computer viruses, Trojan horses, worms) continue to grow, which provides every increasing challenges to network administrators to provide network security. Current detection techniques are generally reactive and are designed to react to known malware that has been spread. That is, when malware is discovered, identifying characteristics are used to identify future instructions of the malware. Applying this detection technique to a network may allow the spread of malware under some conditions.
In spite of the threats posed by such malware, current network access control (NAC) architectures are typically limited to static roll designations that usually correspond to a particular class of device (e.g., access requests or common policy enforcement point, access server, policy decision point). Furthermore, the definition of network boundaries is implicitly defined by topology of devices acting as policy enforcement points.