Inline vs. Out of Band Network Access Control

If you have ever looked into Network Access Control (NAC), you have probably come across two major options: Inline and Out of Band solutions. Several NAC vendors tout Out of Band as the way to go, while others are firmly entrenched in the Inline camp. I'm here to give you the facts about both.

An Out of Band NAC solution sits outside of your network, off to the side of the traffic path, and that placement has several downsides. Because it is not in the path, it only sees copies of traffic and cannot react in real time. Ultimately, Out of Band is more of a reporting device: it can respond to threats, but only after the fact. Out of Band solutions are also less scalable, because deploying them requires reconfiguring the network topology, and they need ongoing maintenance as networks grow and change. Not every infrastructure switch can participate in an out of band enforcement scheme, so choosing this approach may mean replacing network equipment, adding further cost and unnecessary complications.

Out of Band Network Access Control solutions provide some of the policy smarts for NAC but leave the enforcement elements to Ethernet switches, VPN concentrators and wireless access points. They also require endpoint agents, which can be removed from the devices, especially when they are personal or BYOD devices. These solutions rely on Layer-3 ACLs and Layer-2 VLANs for some traffic segmentation, but offer no enforcement of their own, and are extremely weak at identity-based access control, the cornerstone of NAC.

Inline has become the industry leader in deployment scenarios. Its main advantages are visibility and granularity. An Inline NAC sits at layer 2 of the network, which means that users' MAC addresses are not stripped before the NAC sees them. Inline does not see copies of traffic the way an Out of Band solution does; it sees the real traffic in real time, coming and going. Because of this, it can stop threats before they cause a problem. It is a common misconception that an Inline NAC bottlenecks traffic on a network: Inline solutions come in many throughput options, ranging from 1G to 10G. And since an Inline NAC is not copying every packet as it passes through, it does not double the amount of traffic on the network.
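To make the real-time versus after-the-fact distinction concrete, the following simulation is an added example and not code from the original post or any NAC product. It feeds one constructed sequence of Ethernet frames through an inline policy point (judged before forwarding) and an out-of-band one (judged from a copy, then enforced by a switch VLAN move that lands a few frames later) and counts how many frames from an unknown endpoint reach the network under each model; the MAC addresses, payloads and delay are assumptions.

```python
from dataclasses import dataclass
# Constructed sample data: the MAC addresses and the reconfiguration delay are made up.
ALLOWED_MACS = {"00:11:22:33:44:55"}   # identity-based policy keyed on the layer-2 address

@dataclass
class Frame:
    src_mac: str
    payload: str

def policy_allows(frame: Frame) -> bool:
    """Identity check on the endpoint's own MAC, which an inline layer-2 device still sees."""
    return frame.src_mac in ALLOWED_MACS

def inline_enforce(frames: list[Frame]) -> tuple[list[Frame], list[Frame]]:
    """Inline NAC: every frame is judged in the data path before forwarding, so an
    unknown endpoint never gets a single frame through."""
    forwarded, quarantined = [], []
    for f in frames:
        (forwarded if policy_allows(f) else quarantined).append(f)
    return forwarded, quarantined

def out_of_band_enforce(frames: list[Frame], reconfig_delay: int) -> tuple[list[Frame], list[Frame]]:
    """Out-of-band NAC: it inspects a copy, so the original is already forwarded; the switch
    then moves the MAC to a quarantine VLAN `reconfig_delay` frames later. Frames in between leak."""
    forwarded, quarantined = [], []
    takes_effect: dict[str, int] = {}   # src_mac -> frame index at which the VLAN move lands
    for i, f in enumerate(frames):
        if takes_effect.get(f.src_mac, float("inf")) <= i:
            quarantined.append(f)
            continue
        forwarded.append(f)
        if not policy_allows(f) and f.src_mac not in takes_effect:
            takes_effect[f.src_mac] = i + reconfig_delay
    return forwarded, quarantined

FRAMES = [  # constructed traffic: a known laptop and an unknown device on one segment
    Frame("00:11:22:33:44:55", "alice hello"),
    Frame("de:ad:be:ef:00:01", "rogue 1"),
    Frame("de:ad:be:ef:00:01", "rogue 2"),
    Frame("00:11:22:33:44:55", "alice again"),
    Frame("de:ad:be:ef:00:01", "rogue 3"),
    Frame("de:ad:be:ef:00:01", "rogue 4"),
]

def leaked_frames(frames: list[Frame] = FRAMES, reconfig_delay: int = 3) -> dict[str, int]:
    """Frames from non-compliant endpoints that reached the network, per enforcement model."""
    def leaked(forwarded): return sum(1 for f in forwarded if not policy_allows(f))
    return {"inline": leaked(inline_enforce(frames)[0]),
            "out_of_band": leaked(out_of_band_enforce(frames, reconfig_delay)[0])}
```

Even with `reconfig_delay=0` the out-of-band model leaks the first frame, because the copy is inspected only after the original has been forwarded.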

Inline solutions offer the most effective NAC functionality, including traffic inspection, and when deployed in a standard network they require almost no changes to existing network equipment.

These solutions offer a complete NAC lifecycle without the integration costs, moving parts, switch upgrades to the latest software patches, and configuration changes that an Out of Band deployment requires on the network.

So if you are in the market for a NAC device that can quarantine users and give you visibility on the network without VLAN steering, the Inline NAC is the solution for you. I always base my decision on what I like to call the CEO. I know networking has enough acronyms, but what can one more hurt? CEO stands for Cost Effective, Ease of Deployment, and Ongoing Operational Cost. Based on the CEO ideology, Inline is the clear frontrunner in the Network Access Control matchup.
