Deploying In-Line or Out-of-Band NAC

Organizations must first understand what problems they want network access control vendors to solve.

When Binghamton University looked to bring network access control into its residence halls, classrooms, study lounges and other public areas in 2004, Network Manager Joe Roth had a choice to make-to be in-line, or not to be in-line.

"We liked several things about the out-of-band [NAC] solutions-if the appliance fails, it leaves the network in its current state without disconnecting additional users," Roth said. "It also does not present another physical or routed hop in the network, which could potentially degrade performance at some point."

In the end, the school-which was deploying NAC primarily out of concern for the worms propagating on the Internet at the time-went with an out-of-band product from Bradford Networks.

But there is plenty of debate about whether in-line or out-of-band NAC is the best and why. In the end, it may just come down to what problems an organization is trying to solve.

"Enterprises need to consider the reasons behind their interest in NAC," said Burton Group analyst Eric Maiwald. "If you are truly concerned about limiting access to the wired network, then you need to control who connects to the switch ports. You can do this with 802.1X, configuration control on the switches, some products like ConSentry or Nevis switches or some other out-of-band products like those from Lockdown. I should note that [dynamic hosting configuration protocol] systems can also help with the need to limit who gets on the network, but the mechanism is weaker than a switch-based control."

Organizations may also have an interest in NAC to limit or respond to policy violations in network traffic, he said. However, this capability is not unique to NAC products-IPS and IDS (intrusion detection system) products can watch network traffic and take action, as can firewalls and content filtering devices to varying extents, he said.

"If you are trying to keep people off the network, the closer to the end point you place the enforcement point, the better off you are," Maiwald said. "If you are worried about network traffic, you need to look for choke points on the network and consider the amount of traffic that is flowing. Then it becomes a tradeoff between cost and effectiveness."

The real reason to be in-line is to provide customers an alternative to Cisco System switches, said Ogren Group analyst Eric Ogren.

"The value is delivering extra security filters at the access points. ... It can be used as a negotiating tool to win concessions from Cisco or to avoid being locked into a single vendor," he said.

Enterprises dont really like putting extra bumps in the wire, Ogren said, adding that it is unlikely that IT wants to block users.

An in-line security device must do more than NAC, which essentially is designed simply to prevent noncompliant PCs from connecting to the network and redirecting them to a server where they can be remediated, he said.

"[An in-line device] must think about traffic shaping, catching attack command-and-control sequences, detecting inappropriate user access," Ogren said. "An additional device that just adds NAC will add latency with very little value-not enough to risk destabilizing the network. [Out-of-band] is easy to add to an existing infrastructure and does not risk interfering with the network. This can be software or hardware. Actions are limited to blunt instruments-TCP reset, boot-off switch. OOB is good for watching and analyzing; not so good for taking intelligent action."

NAC vendors have their own points of view.

"If an organization has an existing network thats tuned for high performance and wants to add NAC without risk of performance-impact and that scales readily and cost-effectively, they should go out-of-band," said Frank Andrus, CTO of Bradford Networks, in Concord, N.H.

When implemented correctly, out-of-band NAC does not disrupt network configurations, he said.

"When an OOB NAC appliance sends a command to a switch to enforce policy, it communicates with the switchs management plane, which is independent of the switchs bandwidth delivery fabric," Andrus said. "Therefore, a switch doing VLAN [virtual LAN] enforcement-which is good, sound security practice-will never cause a problem. The same cannot be said about in-line devices, especially those based on off-the-shelf servers or those working with processor-intensive advanced security features."

One often-heard complaint logged against in-line NAC products relates to scalability. But this complaint is a fallacy, said Dominic Wilde, vice president of Nevis Networks, in Mountain View, Calif.

"The reality is that most OOB solutions sit in-line for some part of the NAC session, but they have chosen the OOB architecture because they do not have the processing power to sit in-line without affecting the latency and throughput of the network," Wilde said. "I would argue that OOB is not scalable because of the amount of reconfiguration of the network topology that is required to deploy them and to maintain them as networks grow and change."

Many companies are more comfortable deploying out-of-band NAC because its less invasive, Forrester Research analyst Robert Whiteley said. However, that decision could lead to performance and granularity trade-offs, he said.

"Ultimately, companies should select technology that provides both options and can ideally deploy in a hybrid environment so you are making the decision based on scenarios, locations and user densities, as opposed to making assumptions upfront and then finding you cant accommodate a change in your environment," he said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.