One important piece of a multilevel security defense for companies of almost any size is network access control (NAC), which lets you enforce policies for end-user machines.
The basic idea behind NAC -- which can be implemented in hardware, software, or a combination -- is deceptively simple. Before any end user's computer (an endpoint) is allowed on the corporate network, the NAC system requires it to prove that it complies with the company's security policies. For example, you could set up a NAC to refuse to let a user's PC on the company LAN until the PC reports that it has all the latest patches for its operating system and office software and the latest updates for the corporate anti-virus program. If it doesn't have the goods, the device is not getting on the network. One caveat worth keeping in mind: that report is a self-assessment by an agent on the endpoint. NAC does a good job of keeping careless or out-of-date machines off the network, but a deliberately compromised endpoint can misreport its state, so NAC is one layer of a defense rather than a gatekeeper you can trust blindly.
Although the theory is simple, the marketplace reality is anything but. In practice, NAC requires network administrators to piece together hardware and software from multiple vendors, unless you're willing to go with an all-in-one solution and accept the risk of vendor lock-in. And whatever you decide to do with NAC, there are usually several ways to do it.
NAC's capabilities have evolved. Nowadays, NAC systems also include automated remediation: an endpoint that fails the check is kept off the production network (typically on a restricted remediation network) until it has fetched the updates it lacks, after which it is assessed again. In addition, NAC now includes provisions for rechecking endpoints periodically and monitoring their behavior while they're on the network.
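As an added illustration (my code, not the article's and not from any NAC product), here is the admission check described above expressed as a policy evaluation in Python, with the remediation and periodic-recheck additions: the endpoint's self-reported posture is compared against minimum patch levels and a maximum anti-virus signature age, every failing requirement is collected into a list of remediation instructions, and an already-admitted endpoint is flagged for re-assessment once the recheck interval has elapsed. The field names, the thresholds and the sample reports are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Verdicts the policy server hands to the enforcement point (switch, VPN gateway, DHCP).
ALLOW = "allow"            # full access to the corporate LAN
QUARANTINE = "quarantine"  # remediation network only; re-assess after the fixes


@dataclass
class PostureReport:
    """Self-reported state from the endpoint agent (field names are assumed for
    this example). The agent asserts this; a compromised endpoint can lie, which
    is why NAC is one layer of a defense, not the whole of it."""
    host: str
    os_patch_level: int          # assumed: a monotonically increasing patch number
    office_patch_level: int
    av_signature_date: datetime
    reported_at: datetime


@dataclass
class Policy:
    min_os_patch_level: int
    min_office_patch_level: int
    max_av_signature_age: timedelta
    recheck_interval: timedelta  # connected endpoints must re-prove posture this often


@dataclass
class Decision:
    verdict: str
    remediation: list = field(default_factory=list)


def evaluate(report, policy, now):
    """Check every requirement and collect all failures, so that one remediation
    pass (rather than several admission attempts) brings the endpoint into line."""
    actions = []
    if report.os_patch_level < policy.min_os_patch_level:
        actions.append("install OS patches to level %d" % policy.min_os_patch_level)
    if report.office_patch_level < policy.min_office_patch_level:
        actions.append("install office patches to level %d" % policy.min_office_patch_level)
    if now - report.av_signature_date > policy.max_av_signature_age:
        actions.append("update anti-virus signatures")
    return Decision(QUARANTINE, actions) if actions else Decision(ALLOW)


def needs_recheck(last_assessed, policy, now):
    """Periodic re-assessment: an admitted endpoint must prove posture again
    once the recheck interval has passed since its last assessment."""
    return now - last_assessed >= policy.recheck_interval


# Constructed sample data for the example.
NOW = datetime(2010, 3, 1, 12, 0, tzinfo=timezone.utc)
POLICY = Policy(min_os_patch_level=4200, min_office_patch_level=310,
                max_av_signature_age=timedelta(days=3), recheck_interval=timedelta(hours=8))
COMPLIANT_PC = PostureReport("pc-accounting-07", 4205, 312, NOW - timedelta(days=1), NOW)
STALE_LAPTOP = PostureReport("laptop-sales-02", 4100, 312, NOW - timedelta(days=10), NOW)


def demo():
    """Evaluate both sample endpoints and return the decisions keyed by host."""
    results = {r.host: evaluate(r, POLICY, NOW) for r in (COMPLIANT_PC, STALE_LAPTOP)}
    for host, decision in results.items():
        print(host, decision.verdict, decision.remediation)
    return results


if __name__ == "__main__":
    demo()
```

The design point is in `evaluate`: it does not stop at the first failure. Reporting every unmet requirement at once lets the remediation step fix all of them in a single pass, instead of bouncing the endpoint through the admission check once per missing patch.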
The standards situation
You might think that with three different ways to do the same thing, the industry would be on its way to yet another standards war like the one over 802.11n. And while there is still no agreed-upon definition of NAC, never mind an agreed way to deliver it, some progress has been made.
Cisco and Microsoft have been working together to make their components interoperable. For example, you can use the Network Policy Server in Windows Server 2008 R2 (the policy engine behind Microsoft's Network Access Protection) to set overall NAC policy while using Cisco's EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling) module for user authentication on Windows Vista or Windows 7 clients.
At the same time, the IETF (Internet Engineering Task Force), through its Network Endpoint Assessment (NEA) working group, has published two protocols that share a common ancestry in the Trusted Computing Group's Trusted Network Connect (TNC) architecture. PA-TNC (Posture Attribute protocol, RFC 5792) defines the attributes an endpoint reports and the format they travel in, such as product and version information, operational status and the assessment result, with anti-virus among the component types it covers. PB-TNC (Posture Broker protocol, RFC 5793) carries batches of those PA-TNC messages between the endpoint's posture broker and the server's, and relays the final access recommendation. Rather than being independent efforts, the two are layered: PA-TNC rides inside PB-TNC, and each was designed to be compatible with the corresponding TCG specification (IF-M and IF-TNCCS respectively), so TNC-based and IETF NEA-based products are meant to interoperate. The IETF versions are the ones that have gone through the open standards process.
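To make the layering concrete, here is an added example (mine, not the article's and not the IETF's or any vendor's reference code) that encodes and parses PA-TNC messages in Python. The message and attribute header layouts and the NOSKIP rule follow RFC 5792 section 4, and the attribute type and assessment result numbers are the IETF-registered values; the String Version and vendor-specific attribute contents, the vendor ID 0xABCD and the collector/validator exchange are constructed for the example. The part worth studying is what the parser does with an attribute it doesn't understand: it is skipped unless the sender set NOSKIP, in which case the message must be rejected, which is how the protocol stays extensible without letting a peer silently ignore a mandatory check.

```python
import struct

PA_TNC_VERSION = 1
IETF_VENDOR_ID = 0
NOSKIP = 0x80  # attribute flag: recipient must not skip an attribute it does not understand

# IETF standard attribute types (IANA PA-TNC Attribute Types registry, vendor ID 0).
ATTR_STRING_VERSION = 4
ATTR_PA_TNC_ERROR = 8
ATTR_ASSESSMENT_RESULT = 9

# Assessment Result codes carried by attribute type 9.
RESULT_COMPLIANT = 0
RESULT_MINOR_NONCOMPLIANT = 1
RESULT_MAJOR_NONCOMPLIANT = 2

# Hypothetical vendor-specific attribute, constructed for this example.
EXAMPLE_VENDOR_ID = 0x00ABCD
ATTR_VENDOR_PRIVATE = 42


class UnsupportedMandatoryAttribute(Exception):
    """Unknown attribute with NOSKIP set. A real implementation answers with a
    PA-TNC Error attribute (type 8) instead of silently ignoring the attribute."""


def encode_attribute(attr_type, value, vendor_id=IETF_VENDOR_ID, noskip=False):
    """Flags(8) | Vendor ID(24) | Attribute Type(32) | Attribute Length(32) | Value.
    The length field counts the 12-byte attribute header."""
    flags = NOSKIP if noskip else 0
    head = struct.pack("!III", (flags << 24) | (vendor_id & 0xFFFFFF), attr_type, 12 + len(value))
    return head + value


def encode_string_version(product, build, config):
    """String Version value: three strings, each prefixed by an 8-bit length."""
    out = b""
    for part in (product, build, config):
        raw = part.encode("utf-8")
        if len(raw) > 255:
            raise ValueError("string version component too long")
        out += bytes([len(raw)]) + raw
    return out


def encode_assessment_result(code):
    """Assessment Result value: a single 32-bit result code."""
    return struct.pack("!I", code)


def encode_message(message_id, attributes):
    """Version(8) | Reserved(24) | Message Identifier(32), then attributes back to back."""
    return struct.pack("!BBBBI", PA_TNC_VERSION, 0, 0, 0, message_id) + b"".join(attributes)


def parse_message(data, supported):
    """Return (message_id, [(vendor_id, type, value), ...]) keeping only supported
    attributes. Unknown attributes are skipped unless NOSKIP is set."""
    if len(data) < 8:
        raise ValueError("truncated PA-TNC header")
    if data[0] != PA_TNC_VERSION:
        raise ValueError("unsupported PA-TNC version %d" % data[0])
    message_id = struct.unpack("!I", data[4:8])[0]
    attrs = []
    offset = 8
    while offset < len(data):
        if len(data) - offset < 12:
            raise ValueError("truncated attribute header")
        word, attr_type, length = struct.unpack("!III", data[offset:offset + 12])
        flags, vendor_id = word >> 24, word & 0xFFFFFF
        if length < 12 or offset + length > len(data):
            raise ValueError("attribute length out of bounds")  # never trust a length field blindly
        value = data[offset + 12:offset + length]
        if (vendor_id, attr_type) in supported:
            attrs.append((vendor_id, attr_type, value))
        elif flags & NOSKIP:
            raise UnsupportedMandatoryAttribute((vendor_id, attr_type))
        offset += length  # unsupported attribute without NOSKIP: skipped
    return message_id, attrs


def sample_exchange():
    """Constructed exchange: the endpoint's collector reports its version, the
    server's validator answers with a result plus an optional vendor attribute."""
    client_supported = {(IETF_VENDOR_ID, ATTR_ASSESSMENT_RESULT)}
    server_supported = {(IETF_VENDOR_ID, ATTR_STRING_VERSION)}

    report = encode_message(1, [encode_attribute(
        ATTR_STRING_VERSION, encode_string_version("3.2.1", "7781", "corp-2010a"))])
    _, server_view = parse_message(report, server_supported)

    verdict = encode_message(2, [
        encode_attribute(ATTR_ASSESSMENT_RESULT, encode_assessment_result(RESULT_MAJOR_NONCOMPLIANT)),
        encode_attribute(ATTR_VENDOR_PRIVATE, b"hint", vendor_id=EXAMPLE_VENDOR_ID),  # optional, skipped
    ])
    _, client_view = parse_message(verdict, client_supported)
    result_code = struct.unpack("!I", client_view[0][2])[0]
    return server_view, result_code
```

In a deployment these PA-TNC messages would be wrapped in PB-TNC batches between the two posture brokers; the example stops at the PA-TNC layer. The bounds check on the attribute length field is not decorative: the length comes from the peer, and a parser that trusts it walks off the end of the buffer.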
Further, NAC also encompasses the range of mobile devices -- laptops, especially, but also smartphones.