Network World's Security: Network Access Control Newsletter, 09/25/07

This newsletter is sponsored by Packeteer

Putting NAC inline or out of band

By Tim Greene

The issue of whether to put NAC devices inline with traffic or out of band continues to linger, according to a talk at the recent Security Standard conference. The answer is not black and white, and it all depends on the circumstances of a particular user, says Steve Hanna, who sits on two NAC standards committees and works for Juniper Networks as a distinguished engineer.

Inline devices sit in the middle of traffic flow, usually above the access switch level, and decide whether to admit or restrict traffic from each endpoint as it logs in. An inline device is both the decision point and the enforcement point for NAC policy.

Out-of-band devices separate the functions of deciding and enforcing, and can use a range of devices for the actual enforcement including switches, gateways and firewalls.

The downside of inline devices is that if they get overloaded, they can mess up network traffic in general by becoming a congestion point. The downside of out-of-band devices is they are much more disruptive of network configuration.

There are NAC vendors that make either inline or out-of-band products and predictably they defend the option they make. This is perhaps the main reason inline or out-of-band continues to be an issue - vendors with strong monetary interests keep pushing it.

Hanna’s take on the situation follows some basic tenets of any good IT project, namely do what is best for meeting your goals. He says that inline devices tend to run into scaling problems for large deployments, but beyond that customers should use the option that best fits their needs and budget. Both models, he says, are equally effective.

Contact the author: Tim Greene is a senior editor at Network World, covering network access control, virtual private networking gear, remote access, WAN acceleration and aspects of VoIP technology. You can reach him at tgreene@nww.com.