Security appliances should not be in-line rather than out of band

Two industry insiders debate the best approach to NAC

Regardless of a network access-control solution's features, maintaining an operational network infrastructure should be its main priority. Out-of-band solutions offer the best way to take advantage of NAC's superior network protection without compromising network uptime.

Whether for policy enforcement, quarantine, compliance or visibility, every NAC solution depends upon a pervasive network deployment. Deploying in-line devices throughout a network infrastructure is an unavoidable outage event, requiring a scheduled window of downtime. Even a temporary evaluation of an in-line NAC solution requires a burdensome change-control process across all involved departments.


By contrast, out-of-band solutions are flexible in their implementation and can be deployed quickly in the middle of a workday, without the risk of interrupting critical business operations. In short, out-of-band NAC solutions provide network protection, with no single point of failure and minimal risk to the operational status of the network.

The potential risks and costs of a spike in network load are much higher with in-line solutions, because they must act as a pass-through for critical network-control packets. These spikes can be caused by attack propagation, the introduction of a new network application or an increase in normal traffic flow. Out-of-band solutions are not in the path of control packets and frames, thus eliminating any potential for network failure under times of high load.

Networks that provide real-time applications such as voice, video and status monitoring demand consistent, reliable network performance. Placing in-line solutions into these environments introduces an additional point of latency and the potential for jitter injection. Out-of-band solutions protect real-time environments without injecting any latency or jitter that would impact user experience in these segments.

Endpoint discovery is a critical element of NAC. Every NAC solution must discover endpoints attempting to access the network in order to trigger preadmission checks. In-line devices are made aware of new endpoints only when the endpoint sends a frame or packet that traverses the path of the in-line device.

This leaves IT staff with a difficult choice: deploy the in-line solution out in the closets close to the endpoints (where each installation is a scheduled outage event), or risk missing the entry event of the endpoints. By using discovery based on Address Resolution Protocol (ARP), an out-of-band solution provides the most reliable and granular method of knowing when a particular endpoint has entered the network, because it does not rely on network placement or switch-level integration for its visibility.
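The ARP-based discovery described above can be sketched as follows. This is an added example, not code from the article or from any vendor's product: ARP requests are broadcast, so a listener anywhere in the broadcast domain sees them without sitting in the traffic path. The names `parse_arp`, `EndpointTable` and `build_arp` are hypothetical, frames are assumed to be untagged Ethernet carrying IPv4 ARP, and the capture step that delivers raw frames is not shown.

```python
import struct

ETHERTYPE_ARP = 0x0806

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an untagged IPv4 ARP frame, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                          # not Ethernet/IPv4 ARP
    mac = frame[22:28].hex(":")
    ip = ".".join(str(b) for b in frame[28:32])
    return op, mac, ip

class EndpointTable:
    """Tracks endpoints by sender MAC as ARP frames are observed."""
    def __init__(self):
        self.seen = {}                       # mac -> last sender IP (None if unknown)

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _, mac, ip = parsed
        if ip == "0.0.0.0":                  # ARP probe: address not yet claimed
            ip = None
        if mac not in self.seen:
            self.seen[mac] = ip
            return ("new", mac, ip)          # entry event: trigger pre-admission checks
        if ip is not None and self.seen[mac] != ip:
            self.seen[mac] = ip
            return ("address-update", mac, ip)
        return None

def build_arp(op, sha, spa, tha, tpa):
    """Construct a broadcast ARP frame for the demo (constructed sample data)."""
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

if __name__ == "__main__":
    mac, zero = bytes.fromhex("020000000001"), bytes(6)
    table = EndpointTable()
    probe = build_arp(1, mac, bytes(4), zero, bytes([192, 0, 2, 10]))
    announce = build_arp(1, mac, bytes([192, 0, 2, 10]), zero, bytes([192, 0, 2, 10]))
    for f in (probe, announce, announce):
        print(table.observe(f))
```

The probe case matters for timing: an endpoint that checks its address before using it is seen at its first ARP probe, before it has sent any routed traffic.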

Similar to endpoint visibility, endpoint quarantining with in-line solutions is only as complete as the in-line location is specific. Given an in-line model, economies of scale are almost impossible to achieve, if the hope is to provide in-segment protection from quarantined endpoints. By leveraging ARP-based quarantining, out-of-band solutions provide comprehensive isolation of offending network devices, regardless of the physical placement of the NAC solution.

For mission-critical networks, in-line devices are not good enough. Out-of-band NAC solutions offer rapid, risk-free deployment, comprehensive quarantining, improved network performance and increased visibility, and they are superior in high-volume conditions. Out-of-band solutions are unquestionably better at meeting the demands of today's high-performance, high-availability network environments.

Hartline is CTO at Mirage Networks, a leading provider of NAC solutions. He can be reached at

Copyright © 2007 IDG Communications, Inc.
