
A guide to inline and port-based NAC differences


Johannesburg, 23 May 2019

On any given day, there are a lot of knocks on your IT network door. In some of Soliton Systems' blogs, the company has talked about the pressures IT managers face to secure their network in times of 'bring your own device' (BYOD) policies, Internet of things (IoT) devices and flexible employment trends.

Soliton looked at the challenges these trends present to old styles of IT security, like relying on virus scanners and firewalls alone. The company also looked at how IT managers can secure their network with network access control (NAC) by focusing on who can enter in the first place.

In this article, Soliton examines the two main NAC methods for securing your network. How does each work, what are the advantages, and which is best for your organisation?

Inline, out-of-band or port-based network access control?

Rather than secure a network by detecting threats like malware, NAC manages who to let on the network in the first place. It acts as a virtual customs agent to "clear" users, devices and connections to specific compartments of the network. That means it checks a request, decides on a role and enforces it based on a predefined company policy.

There are different ways a NAC solution can do that, of which the inline method and the port-based method are the most commonly used. Port-based is often referred to as out-of-band. However, Soliton finds port-based a more accurate term, because this method manages access at a specific entry point: the switch port, wireless association or VPN session a device connects on (the standard behind it, IEEE 802.1X, is itself titled "Port-Based Network Access Control"). This matters, as the main difference between the two NAC methods is where they decide and enforce access.

Inline NAC: upsides, downsides

So, how do both NAC solutions work? Let's start with inline. An inline NAC solution sits in the data path, in the middle of your network's traffic flow. From its position in-flow, it decides whether to pass on or to drop each packet, meaning it simultaneously decides and enforces NAC policies for every request. This makes it heavy duty, as all network traffic is pushed through the NAC appliance so that each message can be checked for policy compliance.

This gives the appliance visibility of, and a veto over, every packet, which often sounds appealing to people in charge of computer networks. However, as you might imagine, inline NAC has to process traffic at the full line rate of the links it sits on. You can, of course, buy a bigger appliance or more of them, but this is expensive and won't make your security solution less complex. Second, if the appliance can't keep up and traffic creates a bottleneck, that bottleneck is felt by the whole network behind it. Third, inline NAC solutions are a single point of failure: if the appliance fails closed, everything behind it loses connectivity, and if it is deployed fail-open (a bypass mode many inline appliances offer precisely to avoid that outage), traffic keeps flowing with no policy applied at all, which should be a conscious, monitored decision rather than a default. Finally, all of the aforementioned reasons make inline NAC solutions hard to scale.

Port-based NAC: upsides, downsides

Port-based NAC separates the function of deciding on access from that of enforcing it. It does so by teaming up with the entry point of the network, meaning a switch, a WiFi access point or a VPN gateway, to guard the network doors.

Port-based NAC solutions work with a RADIUS server that holds, or looks up in a directory, the user rights and device posture, so that it can tell switches, WiFi access points and VPN gateways which policy to enforce. In 802.1X terms, the connecting device is the supplicant, the switch or access point is the authenticator, and the RADIUS server is the authentication server: the authenticator relays the authentication exchange and then applies whatever the server's Access-Accept (or Access-Reject) tells it to, typically a VLAN assignment or an access list.

Once a user and their device are cleared and assigned a role, the entry point (for example, the switch port) enforces the matching policy, so that the user can reach the network, but only the compartment, usually a VLAN, they are allowed into. As opposed to inline NAC, the user's traffic is not inspected after admission: port-based NAC decides who gets in and where, not what they do once inside.

Separating the two functions makes this method nimble on the network. There's no need for extra throughput at the entry point, it's less complex, and assigning access by role limits what an admitted device can reach. And, as this method does not inspect every single message, it has a lower impact on network capacity and is easier to scale. You can also place secondary RADIUS servers (what Soliton calls "slave units") at satellite offices, so that every location authenticates locally. Lastly, with port-based NAC you get rid of the single point of failure in the data path: the RADIUS server is only consulted at connection time, and switches can be pointed at more than one server and given a restricted fallback VLAN for when none is reachable, so a server outage degrades access rather than stopping traffic.

At the same time, port-based NAC does demand more of network configuration: you'll have to make some changes in your set-up before you start. Switches and access points must support 802.1X and be pointed at the RADIUS server, clients need a supplicant (built into current desktop and mobile operating systems), and devices that cannot run one, such as printers and many IoT devices, need an alternative such as MAC authentication bypass, which should be treated as a weaker, allow-listed exception rather than a normal path.
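To make the separation of decision and enforcement concrete, here is a small Python model of the exchange described above. It is an added illustration, not Soliton's product or a real RADIUS implementation: the `decide` function plays the RADIUS server (policy decision point) and returns Access-Accept replies carrying the RFC 3580 VLAN tunnel attributes, while `SwitchPort` plays the authenticator (policy enforcement point) and only applies what it is told. The roles, VLAN numbers, user names, MAC addresses and the critical VLAN are constructed for the example; the 802.1X result and posture check are assumed to have been evaluated already and arrive as flags.

```python
"""Toy model of port-based NAC: a RADIUS-style policy decision point and a
switch-port enforcement point kept separate, as the article describes.
Added example, not Soliton's code or a real RADIUS stack."""
from dataclasses import dataclass
from typing import Optional

# Constructed policy data (assumptions for the example).
ROLE_VLAN = {"staff": 10, "printer": 30, "guest": 90}
USER_ROLES = {"alice": "staff", "bob": "staff"}       # 802.1X (EAP) identities
MAB_DEVICES = {"00:11:22:33:44:55": "printer"}        # supplicant-less devices, by MAC
CRITICAL_VLAN = 99   # restricted VLAN the switch falls back to if no RADIUS server answers


@dataclass
class AccessRequest:
    """The attributes a switch would put in a RADIUS Access-Request."""
    user_name: Optional[str]       # None when the device has no supplicant (MAB)
    calling_station_id: str        # client MAC address
    eap_success: bool = False      # outcome of the EAP exchange (assumed verified)
    posture_ok: bool = True        # e.g. endpoint agent reports patched / AV running


def decide(req: AccessRequest) -> dict:
    """Policy decision point: returns an Access-Accept with RFC 3580 VLAN
    attributes, or an Access-Reject. It never touches a port itself."""
    role = None
    if req.user_name is not None:
        # 802.1X path: identity must be known AND the EAP exchange must have succeeded.
        if req.eap_success and req.user_name in USER_ROLES:
            role = USER_ROLES[req.user_name]
    elif req.calling_station_id.lower() in MAB_DEVICES:
        # MAC authentication bypass: weaker, so only allow-listed MACs get a role.
        role = MAB_DEVICES[req.calling_station_id.lower()]
    if role is None:
        return {"code": "Access-Reject"}
    if not req.posture_ok:
        role = "guest"   # quarantine a non-compliant endpoint instead of rejecting it
    return {
        "code": "Access-Accept",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(ROLE_VLAN[role]),
    }


@dataclass
class SwitchPort:
    """Policy enforcement point: applies the server's verdict, evaluates nothing."""
    port_id: str
    vlan: Optional[int] = None
    authorized: bool = False

    def apply(self, reply: Optional[dict]) -> "SwitchPort":
        if reply is None:
            # No RADIUS server reachable: restricted fallback, not fail-open.
            self.vlan, self.authorized = CRITICAL_VLAN, True
        elif reply["code"] == "Access-Accept":
            self.vlan, self.authorized = int(reply["Tunnel-Private-Group-Id"]), True
        else:
            self.vlan, self.authorized = None, False
        return self


def admit(port: SwitchPort, req: AccessRequest, radius_up: bool = True) -> SwitchPort:
    """Full exchange: switch asks the server, then enforces the answer on the port."""
    reply = decide(req) if radius_up else None
    return port.apply(reply)


if __name__ == "__main__":
    print(admit(SwitchPort("Gi1/0/1"), AccessRequest("alice", "aa:bb:cc:dd:ee:ff", eap_success=True)))
    print(admit(SwitchPort("Gi1/0/2"), AccessRequest(None, "00:11:22:33:44:55")))
    print(admit(SwitchPort("Gi1/0/3"), AccessRequest(None, "de:ad:be:ef:00:01")))
    print(admit(SwitchPort("Gi1/0/4"), AccessRequest("alice", "aa:bb:cc:dd:ee:ff", eap_success=True), radius_up=False))
```

Two design points worth noticing: the switch port holds no policy of its own, so changing who lands in which VLAN is a change on the server, not on every switch; and the behaviour when no server answers is an explicit, restricted choice (the critical VLAN), which is the port-based analogue of the fail-open question an inline appliance forces on you.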

How do you choose?

The choice between inline and port-based NAC depends on the needs of your organisation. First, you need to assess the risk: how much financial and reputational damage would you sustain from a security breach, and how likely is one to happen?

For instance, if you're an international enterprise with a lot of sensitive data which provides you with a major competitive advantage, and the funds are there, then an inline NAC solution sounds like something you'd want. However, for most businesses, going with inline NAC is like cycling to work equipped with shin-guards, cricket pads, a gun, a Swiss Army knife and a helmet; that is, over-equipped and compromised in your movements.

So even though inline has you fully covered from a technical point of view, port-based remains a more practical, lower-maintenance and more scalable method. And where inline is often sold as a complete security solution, port-based NAC provides you with a solid foundation by compartmentalising user access. You can easily build on this foundation by adding virus scanners and firewalls, or even inline NAC in front of your most sensitive data.

For a complete guide to network access control, download Soliton's free white paper.


Soliton Systems

Soliton Systems, headquartered in Japan with offices in Europe, the USA and China, develops innovative technology for IT and cyber security, remote live imaging technology and special unique embedded solutions, fulfilling the needs of companies and organisations with turnkey solutions.
www.solitonsystems.com

Private Protocol

Private Protocol is a data security distributor, offering solutions and strategies that cover mobile device and data security, secure data collaboration, secure messaging, SharePoint/O365 security and compliance, AWS Security, data classification and data discovery, file share security and compliance, software-defined perimeter, zero trust security, total fraud protection and cloud security.

Private Protocol also offers cloud risk assessments so companies can understand the effect cloud is having on their business and highlight any risks that may be associated. Private Protocol has a distributed partner channel covering Africa and Indian Ocean Islands.

Web site: www.privateprotocol.com
