Putting NAC inline or out of band

* Putting NAC inline or out of band depends on the circumstances of a particular user

The issue of whether to put NAC devices inline with traffic or out of band continues to linger, according to a talk at the recent Security Standard conference.

The answer is not black and white, and it all depends on the circumstances of a particular user, says Steve Hanna, who sits on two NAC standards committees and works for Juniper Networks as a distinguished engineer.

Inline devices sit in the middle of the traffic flow, usually above the access switch level, and decide whether to admit or restrict traffic from each endpoint as it logs in. The inline device is therefore both the decision point and the enforcement point for NAC policy.

Out-of-band devices separate the functions of deciding and enforcing, and can use a range of devices for the actual enforcement including switches, gateways and firewalls.

The downside of inline devices is that if they get overloaded, they can degrade network traffic in general by becoming a congestion point. The downside of out-of-band devices is that they are much more disruptive to network configuration, since enforcement is pushed out to the switches, gateways and firewalls already in place.
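To make the two architectures concrete, here is a small constructed model, added for this article and not code from Juniper, Hanna or any NAC vendor. It shares one policy decision routine between an inline device (decision and enforcement on the traffic path, bounded by its own capacity) and an out-of-band controller (decision off the path, enforcement expressed as switch VLAN and firewall changes). The endpoint attributes, the patch threshold, the VLAN numbers and the firewall rule syntax are all assumptions made for the illustration; nothing here talks to real equipment.

```python
"""Constructed model of inline versus out-of-band NAC enforcement.

Every name, VLAN id, threshold and rule string below is an assumption
made for this illustration, not a vendor's API.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Decision(Enum):
    ADMIT = "admit"        # full network access
    RESTRICT = "restrict"  # remediation-only access
    DENY = "deny"          # no access


@dataclass(frozen=True)
class Endpoint:
    mac: str
    switch_port: str
    av_current: bool   # endpoint reports up-to-date antivirus
    patch_level: int   # endpoint reports its patch baseline


MIN_PATCH_LEVEL = 42   # assumed policy threshold


def decide(ep: Endpoint) -> Decision:
    """Policy decision point: identical posture rules for both architectures."""
    if not ep.av_current:
        return Decision.DENY
    if ep.patch_level < MIN_PATCH_LEVEL:
        return Decision.RESTRICT
    return Decision.ADMIT


class InlineNAC:
    """Inline: the device sits on the traffic path and is both decision and
    enforcement point. Every flow passes through it, so its capacity bounds
    the whole segment; when it is full, even admissible traffic is held."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.active_flows = 0

    def handle_flow(self, ep: Endpoint) -> str:
        if self.active_flows >= self.capacity:
            # Overloaded: the device itself is now the congestion point.
            return "congested"
        self.active_flows += 1
        return {
            Decision.ADMIT: "forwarded",
            Decision.RESTRICT: "redirected-to-remediation",
            Decision.DENY: "dropped",
        }[decide(ep)]

    def release_flow(self) -> None:
        self.active_flows = max(0, self.active_flows - 1)


class OutOfBandNAC:
    """Out of band: the decision point is off the traffic path and enforces
    through existing infrastructure. The traffic path is never a bottleneck,
    but every decision turns into a configuration change on a switch or
    firewall, which is the disruption the article refers to."""

    # Assumed VLAN assignments per decision.
    VLAN_FOR = {Decision.ADMIT: 10, Decision.RESTRICT: 99, Decision.DENY: 999}

    def __init__(self) -> None:
        self.switch_vlans: Dict[str, int] = {}   # switch port -> VLAN
        self.firewall_rules: List[str] = []
        self.config_changes = 0                  # count of pushed changes

    def enforce(self, ep: Endpoint) -> Decision:
        decision = decide(ep)
        vlan = self.VLAN_FOR[decision]
        if self.switch_vlans.get(ep.switch_port) != vlan:
            self.switch_vlans[ep.switch_port] = vlan   # reconfigure the port
            self.config_changes += 1
        if decision is Decision.DENY:
            rule = f"drop src-mac {ep.mac}"             # assumed rule syntax
            if rule not in self.firewall_rules:
                self.firewall_rules.append(rule)
                self.config_changes += 1
        return decision


if __name__ == "__main__":
    # Constructed sample endpoints.
    hosts = [Endpoint("aa:bb:cc:00:00:01", "Gi1/0/1", True, 45),
             Endpoint("aa:bb:cc:00:00:02", "Gi1/0/2", True, 30),
             Endpoint("aa:bb:cc:00:00:03", "Gi1/0/3", False, 45)]
    inline, oob = InlineNAC(capacity=2), OutOfBandNAC()
    for h in hosts:
        print(h.mac, "inline:", inline.handle_flow(h), "oob:", oob.enforce(h).value)
    print("out-of-band config changes pushed:", oob.config_changes)
```

The point the model makes is the trade-off in the paragraph above: the inline box's third flow is reported as congested regardless of the endpoint's posture, while the out-of-band controller admits everything on the path but accumulates switch and firewall changes for each decision.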

There are NAC vendors that make either inline or out-of-band products, and predictably each defends the option it makes. This is perhaps the main reason inline versus out-of-band continues to be an issue: vendors with strong monetary interests keep pushing it.

Hanna’s take on the situation follows some basic tenets of any good IT project, namely do what is best for meeting your goals.

He says that inline devices tend to run into scaling problems for large deployments, but beyond that customers should use the option that best fits their needs and budget. Both models, he says, are equally effective.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.