One important piece of a multilevel security defense for companies of almost any size is network access control (NAC), which lets you enforce policies for end-user machines.
The basic idea behind NAC — which can include hardware, software or a combination — is deceptively simple. Before any end user’s computer — an endpoint — is allowed on the corporate network, a NAC makes the computer prove that it complies with the company’s security policies. For example, you could set up a NAC to refuse to let a user’s PC on the company LAN until the PC reports that it has all the latest patches for its operating system and office software and that it has the latest updates for the corporate antivirus program. If it doesn’t have the goods, the device is not getting on the network.
Although the theory behind NAC is deceptively simple, the marketplace reality is anything but. It requires that network administrators piece together hardware and software from multiple vendors, unless you’re willing to go with an all-in-one solution and risk vendor lock-in. And, with NAC, whatever you decide to do, there are usually multiple ways to do it.