Regardless of a network access-control solution's features, maintaining an operational network infrastructure should be its main priority. Out-of-band solutions offer the best way to take advantage of NAC's superior network protection without compromising network uptime.
Whether for policy enforcement, quarantine, compliance or visibility, every NAC solution depends upon a pervasive network deployment. Deploying in-line devices throughout a network infrastructure is an unavoidable outage event, requiring a scheduled window of downtime. Even a temporary evaluation of an in-line NAC solution requires a burdensome change-control process across all involved departments.
By contrast, out-of-band solutions are flexible in their implementation and can be deployed quickly in the middle of a workday, without the risk of interrupting critical business operations. In short, out-of-band NAC solutions provide network protection, with no single point of failure and minimal risk to the operational status of the network.
The potential risks and costs of a spike in network load are much higher with in-line solutions, because they must act as a pass-through for critical network-control packets. These spikes can be caused by attack propagation, the introduction of a new network application or an increase in normal traffic flow. Because out-of-band solutions are not in the path of control packets and frames, they eliminate any potential for network failure during times of high load.
Networks that provide real-time applications such as voice, video and status monitoring demand consistent, reliable network performance. Placing in-line solutions into these environments introduces an additional point of latency and the potential for jitter. Out-of-band solutions protect real-time environments without injecting any latency or jitter that would impact user experience in these segments.