NetPass works by assigning client ports into one of two VLANs. The default is for the port to be in the quarantined VLAN state. In this state, all traffic from the client is directed towards the NetPass Validation Server. The NPVS intercepts web traffic, performs compliance checks, facilitates self-remediation and moves the client's port to the unquarantined state once compliance is assured.
Self-remediation is achieved by correlating specific compliance failures with documentation on how to bring the client computer into compliance. Once the steps are followed, compliance is re-checked.
NetPass is built to offer modular identification. Any part of your existing infrastructure can be used to trigger a quarantining of a client. For example, your mailserver might detect a particular client sending out virus laden email - a sure sign that the client is infected. That very same mailserver can instruct the NPVS to quarantine the client. As part of that transaction, the mailserver would tell the NPVS why the client is being quarantined. This information would be used to assist the client in the self-remediation process.
NetPass includes compliance checking modules for Snort and Nessus in addition to an API for integrating other indentification systems. NetPass also includes a web interface for administrative purposes - allowing you to manually quarantine hosts when necessary.
NetPass pays attention to the state of the switch port and the devices attached to each port. If a quarantined client moves to another switch port, they will remain quarantined. If a quarantined client plugs into a mini-switch that contains unquarantined clients the port that the mini-switch is plugged into will be quarantined. NetPass supports multiple switch vendors out of the box and is modular, allowing for additional future support of other vendors.
NetPass is designed to be flexible and offers several deployment options - allowing you to decide how stringent you want to be in identifying when to quarantine a port.
Once a client is identified as being out of compliance, it is quarantined. This is accomplished by changing the VLAN membership of the switch port that the client is connected to. NetPass provides a per-subnet quarantine, rather than one big quarantine. This allows you to segment your quarantine as it is not appropriate to place all machines in the same quarantine, even temporarily, as some other network access control systems do.
While in the quarantine, the client keeps their "normal" IP address. They are not given a new distinct IP address. NetPass does not rely on DHCP to work.
In addition, the client uses your normal DNS servers, no custom DNS servers are needed and no fake DNS records are used. The client retains web access to approved websites (that you control) for the purposes of downloading patches, virus definition files and utilities to help the client self-remediate. This helps, in many instances, reduce the amount of IT staff time required to fix a client. When deploying NetPass at a University, this allows students living on-campus to correct the problem and get out of quarantine as rapidly as possible.
Once the client has completed all of the remediation instructions that they are given, NetPass once again checks them for compliance. If any additional steps are required, or the client did not successfully follow one or more of the instructions, they are presented with more instructions and left in the quarantine. This process continues until the client is in compliance.
NetPass is built for flexibility, allowing the NetPass Administrator to override a client's state and force an unquarantining if necessary. A client can be permenantly quarantined or unquarantined. In the former case, the client can not get unquarantined without administrator intervention. In the latter case, the client can not be quarantined by automated processes (such as the mailserver in the above example).