A number of enforcement methods are available. Here are the eight most common. Many vendors support multiple enforcement methods; a few support a wide variety, letting you select the best fit and migrate from one to another as needed.
VLAN steering: Moves hosts and switch ports onto specific virtual LANs. A "guest" VLAN can be used to give visitors access to the Internet, for example, but nothing else. The critical component is for the command-and-control application to integrate with the switch.
802.1X: An IEEE port authentication protocol that authenticates a device to the network. Enforcement is through switch port control or VLAN steering. It's used extensively in wireless networks and is starting to be deployed in the wired infrastructure. Each endpoint needs a supplicant.
DHCP: Passes out leases and host-configuration information. By controlling which IP addresses are issued, access control can be enforced through IP addressing. It's an interim solution that is easily defeated unless the switch fabric is aware of what IP addresses belong to which MAC addresses.
Agent self-enforcement: Uses a resident agent on the host to enable and disable network access through application control or manipulating host firewall rules.
ARP poisoning: Uses a man-in-the-middle scenario to control at Layer 2 how hosts can access resources. Like DHCP, it can be easily defeated (see "Are DHCP Management and ARP Poisoning Enough?" ).
Inline blocking: Similar to deploying a network firewall on each switch port or uplink. Network traffic from hosts is regulated according to a deployed policy. The closer to the access port the host is connected, the better the access control. Likewise, the further upstream, the less effective the enforcement.
VPN: Can be used to restrict access. If all hosts are on a VPN and you don't accept non-VPN traffic, then an infected host or attacker can't cause problems. Of course, highly utilized servers must be able to handle the encryption/decryption.
DNS redirect: Used to force a user to authenticate, usually through a Web portal, before being granted access. This is similar to the hotel broadband access with which we're all familiar. Once the host authenticates and is assessed, it can be granted access to the network or sent to a remediation page.
