Security appliances should be in-line rather than out of band

Two industry insiders debate the best approach to NAC

The question of whether security appliances should be deployed in-line or out of band depends on the answer to other key questions. Is authenticating users enough, or does IT need to control where users go on the network? For example, does IT need to limit what guests and contractors can do? Does IT need to guard against malware?

If any of these answers is yes, then the architecture becomes clear: Security appliances provide far greater control when deployed in-line rather than out of band. An old security adage says you can't control what you can't see. Only in-line devices can see the traffic.

LAN security starts with controlling who can come onto the LAN and checking whether users' machines are safe. These authentication and posture-check components constitute network-access control (NAC). For this step, in-line and out-of-band approaches offer similar capabilities. But in-line and out-of-band devices immediately diverge in their ability to provide postadmission controls. Controlling user activity and protecting against attack are critical, and this depends on in-line deployment.

First, IT needs visibility. IT managers cannot control what Joe in sales can do if they don't know what applications he's running or what servers he's accessing. Similarly, threat detection depends on seeing all traffic so that anomalous patterns stand out. Only in-line security devices can provide this visibility.

Next, control requires enforcement, which requires in-line deployment. IT managers may want to enforce that guests get Internet-only access, contractors can reach only certain servers, but employees can go anywhere on the LAN. They may want to ensure that critical assets get extra protection — for example, only finance users can see and reach the finance server. Having this kind of identity-based control directly within the LAN enables IT to keep up with staff changes dynamically. In-line security appliances can learn a user's role during authentication and automatically apply changes as soon as they're in Active Directory or another identity store.

Limited postadmission control is possible with out-of-band appliances -- they use virtual LANs (VLAN) to separate users. But IT managers must redesign the LAN, changing VLANs and access-control lists to provide identity-based vs. geographical separation. And users can't be in more than one VLAN, so VLANs can't handle the CIO's need for both IT and executive resources.
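To make the difference between the two enforcement models concrete, the following Python script (an added illustration, not code from the article or from ConSentry) simulates the post-admission decisions described above. All users, roles, destination groups, VLAN numbers and ACLs are constructed for the example. An in-line policy evaluates each flow against the union of every role a user holds at authentication; the VLAN model has to place the user in exactly one VLAN, so a CIO who is both an IT and an executive user reaches only one of the two resource sets. The script does not model packet inspection or threat detection, only the identity-based control decision.

```python
"""Role-based post-admission policy evaluation (constructed illustration).

Two enforcement models are simulated side by side:
  * in-line: the appliance learns all of a user's roles at authentication
    and decides each flow against the union of those roles' permissions;
  * out-of-band / VLAN: the user is placed in exactly one VLAN and that
    VLAN's access-control list decides.
"""
from typing import Dict, FrozenSet, Set

# Constructed identity store (stands in for AD group membership).
IDENTITY_STORE: Dict[str, Set[str]] = {
    "joe.sales": {"employee"},
    "cio": {"employee", "it", "executive"},
    "visitor": {"guest"},
    "ext.dev": {"contractor"},
    "acct": {"employee", "finance"},
}

# Constructed role policy: role -> destination groups that role may reach.
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "guest": frozenset({"internet"}),
    "contractor": frozenset({"internet", "project-servers"}),
    "employee": frozenset({"internet", "intranet", "project-servers"}),
    "finance": frozenset({"finance-server"}),
    "it": frozenset({"mgmt-servers"}),
    "executive": frozenset({"exec-servers"}),
}

# Constructed VLAN model: one VLAN per role, one ACL per VLAN.
VLAN_FOR_ROLE: Dict[str, int] = {
    "guest": 10, "contractor": 20, "employee": 30,
    "finance": 40, "it": 50, "executive": 60,
}
VLAN_ACL: Dict[int, FrozenSet[str]] = {
    10: frozenset({"internet"}),
    20: frozenset({"internet", "project-servers"}),
    30: frozenset({"internet", "intranet", "project-servers"}),
    40: frozenset({"internet", "intranet", "finance-server"}),
    50: frozenset({"internet", "intranet", "mgmt-servers"}),
    60: frozenset({"internet", "intranet", "exec-servers"}),
}
# Most privileged role wins when a port can carry only one access VLAN.
VLAN_PRIORITY = ("executive", "it", "finance", "employee", "contractor", "guest")


def roles_at_auth(user: str) -> Set[str]:
    """Roles an in-line appliance learns when the user authenticates.
    Unknown identities are treated as guests."""
    return set(IDENTITY_STORE.get(user, {"guest"}))


def set_roles(user: str, roles: Set[str]) -> None:
    """Simulate a directory change; no LAN redesign is needed for in-line
    enforcement because the next decision reads the new roles."""
    IDENTITY_STORE[user] = set(roles)


def inline_allows(user: str, dest_group: str) -> bool:
    """In-line decision: union of all roles' permissions."""
    permitted = set().union(*(ROLE_POLICY[r] for r in roles_at_auth(user)))
    return dest_group in permitted


def assign_vlan(user: str) -> int:
    """VLAN model: a user lands in exactly one VLAN."""
    roles = roles_at_auth(user)
    for role in VLAN_PRIORITY:
        if role in roles:
            return VLAN_FOR_ROLE[role]
    return VLAN_FOR_ROLE["guest"]


def vlan_allows(user: str, dest_group: str) -> bool:
    """VLAN decision: only the assigned VLAN's ACL applies."""
    return dest_group in VLAN_ACL[assign_vlan(user)]


def reachable(user: str, model: str) -> Set[str]:
    """Every destination group the user can reach under a model."""
    all_groups = set().union(*ROLE_POLICY.values())
    check = inline_allows if model == "inline" else vlan_allows
    return {g for g in all_groups if check(user, g)}


if __name__ == "__main__":
    for user in IDENTITY_STORE:
        print(f"{user:10s} in-line: {sorted(reachable(user, 'inline'))}")
        print(f"{'':10s} vlan   : {sorted(reachable(user, 'vlan'))}")
```

Running the script shows the CIO reaching both `mgmt-servers` and `exec-servers` under the in-line model but only `exec-servers` once confined to a single VLAN, and shows that an ordinary employee is kept off the finance server under either model.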

Threat control also requires in-line enforcement. An in-line device can identify and control a zero-day attack before it can spread and take down the LAN. It also can protect against other threats, such as an attack on a VoIP call manager. Out-of-band appliances are not in the flow of traffic and so cannot offer threat protection.

Firewalls and intrusion-prevention systems sit in-line for a reason -- the LAN is no different. Advanced user and threat-control features now are being built directly into LAN switches, offering the ultimate in-line, embedded security. IT knows from experience -- as soon as real control is needed, in-line deployment is essential. Fortunately, secure in-line appliances and switches have arrived.

Prince is CTO at ConSentry Networks, a leading provider of secure LAN solutions. He can be reached at

Copyright © 2007 IDG Communications, Inc.