Tuesday, September 25, 2007

Putting NAC inline or out of band

Network World

Security: Network Access Control




Network World's Security: Network Access Control Newsletter, 09/25/07

Putting NAC inline or out of band

By Tim Greene

The issue of whether to put NAC devices inline with traffic or out of band continues to linger, according to a talk at the recent Security Standard conference.

The answer is not black and white, and it all depends on the circumstances of a particular user, says Steve Hanna, who sits on two NAC standards committees and works for Juniper Networks as a distinguished engineer.

Inline devices sit in the middle of traffic flow, usually above the access switch level, and decide whether to admit or restrict traffic from each endpoint as it logs in. It is both the decision point and the enforcement point for NAC policy.

Straight Talk from Security Experts

Leading security experts share their advice, secrets and real-world experiences in Network World's latest Executive Guide, "The Security Treadmill." Learn how to get inside users' heads, fight for a bigger security budget and much more.

Click here to download this Executive Guide.

Out-of-band devices separate the functions of deciding and enforcing, and can use a range of devices for the actual enforcement including switches, gateways and firewalls.

The downside of inline devices is that if they get overloaded, they can mess up network traffic in general by becoming a congestion point. The downside of out-of-band devices is they are much more disruptive of network configuration.

There are NAC vendors that make either inline or out-of-band products and predictably they defend the option they make. This is perhaps the main reason inline or out-of-band continues to be an issue - vendors with strong monetary interests keep pushing it.

Hanna’s take on the situation follows some basic tenets of any good IT project, namely do what is best for meeting your goals.

He says that inline devices tend to run into scaling problems for large deployments, but beyond that customers should use the option that best fits their needs and budget. Both models, he says, are equally effective.


  What do you think?
Post a comment on this newsletter

TODAY'S MOST-READ STORIES:

1. Lawsuit charging GPL violation is first ever
2. Daylight saving time issue reappears on IT radar
3. Researchers flash personal aircraft, future jetpack
4. Gartner: Open source impossible to avoid
5. VMware bugs shine spotlight on virtualization security
6. How much does the store owe this PC buyer?
7. Apple’s options for stopping open source iPhone use
8. Gartner touts Web 2.0, scoffs at sequel
9. The end of booth-babe culture?
10. Cisco: A quarter of acquisitions not working out

MOST-READ REVIEW:
VM management tools from Microsoft, VMware, XenSource leave room for improvement


Contact the author:

Tim Greene is a senior editor at Network World, covering network access control, virtual private networking gear, remote access, WAN acceleration and aspects of VoIP technology. You can reach him at tgreene@nww.com.



ARCHIVE

Archive of the Security: Network Access Control Newsletter.


BONUS FEATURE

IT PRODUCT RESEARCH AT YOUR FINGERTIPS

Get detailed information on thousands of products, conduct side-by-side comparisons and read product test and review results with Network World’s IT Buyer’s Guides. Find the best solution faster than ever with over 100 distinct categories across the security, storage, management, wireless, infrastructure and convergence markets. Click here for details.


PRINT SUBSCRIPTIONS AVAILABLE
You've got the technology snapshot of your choice delivered to your inbox each day. Extend your knowledge with a print subscription to the Network World newsweekly, Apply here today.

International subscribers, click here.


SUBSCRIPTION SERVICES

To subscribe or unsubscribe to any Network World newsletter, change your e-mail address or contact us, click here.

This message was sent to: networking.world@gmail.com. Please use this address when modifying your subscription.


Advertising information: Write to Associate Publisher Online Susan Cardoza

Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007

No comments: