Access to network resources has become an easy problem to solve. Using LAN connections, wireless access points, remote VPNs and Internet-enabled coffee shops, users can pretty much access a network from almost anywhere. Unfortunately, the bad guys can do the same thing.
The iLabs Full Spectrum Security Initiative investigated two basic questions that apply here: How do you allow users to legitimately gain access to the network? And how do you make sure they continue to practice safe networking once they get there?
Simply stated, policy-based network access is implemented by enhancing the protocol stacks in the clients and in the network infrastructure to control when and where users are allowed to send packets.
Products such as the wireless access points from Extreme Networks and Trapeze Networks, and the switches from HP, Extreme and Foundry Networks, use the 802.1X protocols to regulate wireless and LAN access, and 802.1Q VLAN tagging to control which portions of the network a user can reach.
Another group of products, from Microsoft, Cisco and the Trusted Computing Group, among others, generally consists of a policy enforcement point (PEP) that validates a system before it is allowed on the network, using either an in-line appliance that controls network access or a combination of 802.1X, RADIUS and policy-enforcement client software.
In the iLabs testing, we saw that systems from Check Point and Sygate can check a system for policy compliance before it can access the network. Policy checks can consist of simple authentication, or they can inspect a user's system to make sure it hasn't been infected or compromised by malicious software. These products also can be used to set up fine-grained network control, allowing only legitimate users access to specific portions of a network.
Once you can (appropriately) block access, you can start to defend the network from viruses, unpatched systems and policy violations. If a machine is found to have a problem or is noncompliant with the defined policy, use the network access technology to take action to remediate the problem. If a machine simply requires an update, the PEP can use 802.1Q virtual LANs (VLANs) to reconnect the machine to an isolated section of the network where it can be patched. Worm outbreaks and unauthorized peer-to-peer traffic can be controlled through the use of policy enforcement when it's tied to a switch's management capabilities.
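As an added illustration, not code from the article or from any of the products it names, here is how a policy decision point might turn an endpoint's posture report into the RADIUS attributes that steer an 802.1X-authenticated port onto the production VLAN or an isolated remediation VLAN. The posture fields, VLAN numbers and patch baseline are constructed assumptions; the three tunnel attributes are the ones RFC 3580 defines for VLAN assignment.

```python
from dataclasses import dataclass

# Constructed VLAN plan and patch baseline (assumptions, not from the article).
PRODUCTION_VLAN = 100    # normal user segment
REMEDIATION_VLAN = 999   # isolated segment reaching only patch and AV servers
MIN_PATCH_LEVEL = 42     # minimum acceptable patch baseline

# RFC 3580 values used by switches and access points for VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class Posture:
    """Posture report sent by the policy-enforcement client (constructed fields)."""
    user: str
    authenticated: bool          # 802.1X/EAP credentials accepted
    patch_level: int
    av_signatures_current: bool
    malware_detected: bool       # client-side scan found an active infection


def vlan_attributes(vlan_id: int) -> dict:
    """RADIUS attributes that tell the PEP which 802.1Q VLAN to put the port on."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-ID": str(vlan_id)}


def decide(p: Posture) -> dict:
    """Map one posture report to a RADIUS response for the enforcement point."""
    if not p.authenticated:
        # No valid identity: the port stays closed.
        return {"code": "Access-Reject", "reason": "unauthenticated"}
    if p.malware_detected:
        # Compromised host: admit it only to the isolated segment so it can be cleaned
        # without being able to reach other users.
        return {"code": "Access-Accept", "reason": "compromised",
                "attributes": vlan_attributes(REMEDIATION_VLAN)}
    if p.patch_level < MIN_PATCH_LEVEL or not p.av_signatures_current:
        # Merely out of date: park it where it can fetch patches and signatures.
        return {"code": "Access-Accept", "reason": "needs-update",
                "attributes": vlan_attributes(REMEDIATION_VLAN)}
    return {"code": "Access-Accept", "reason": "compliant",
            "attributes": vlan_attributes(PRODUCTION_VLAN)}
```

Once the host has been patched, the client re-reports its posture and the same decision logic moves the port back to the production VLAN.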