On any given day, there are a lot of knocks on your IT network door. In earlier blogs, we talked about the pressures IT managers face when securing their network in times of BYOD policies, IoT devices and flexible employment trends. We looked at the challenges these trends present to older styles of IT security, such as relying on virus scanners and firewalls alone. We also looked at how you, as an IT manager, can secure your network with Network Access Control by focusing on who is allowed to enter in the first place. In this blog, we examine the two main NAC methods for securing your network. How does each work, what are the advantages, and which is best for your organisation? Read on to find out.
Inline, out-of-band or port-based Network Access Control?
Rather than securing a network by detecting threats like malware, Network Access Control (NAC) manages who is let onto the network in the first place. It acts as a virtual customs agent that “clears” users, devices and connections for specific compartments of the network. That means it checks a request, decides on a role and enforces that role based on a pre-defined company policy. There are different ways a NAC solution can do this, of which the inline method and the port-based method are the most commonly used. Port-based is often referred to as out-of-band; we find port-based the more accurate term, because this method manages access at a specific entry point. This matters, as the main difference between the two NAC methods is how they decide on access and how they enforce it.
Inline NAC: upsides, downsides
So how do the two NAC solutions work? Let’s start with inline. An inline NAC solution sits in the middle of your network’s traffic flow. From its position in the flow, it decides whether to pass on requests or to decline them, meaning it decides and enforces NAC policy for each request in one step. This makes it heavy duty, as all network traffic is pushed through the NAC solution so that each message can be checked for policy compliance. This provides one hundred percent control over message exchange, which often sounds appealing to people who are in charge of computer networks. However, as you might imagine, inline NAC requires a lot of bandwidth. You can of course extend bandwidth, but this is expensive and won’t make your security solution any less complex. Second, if the infrastructure can’t keep up and traffic creates a bottleneck, it can paralyse the whole network. Third, inline NAC solutions are a single point of failure (SPOF): if they fail, the entire system stops working. Finally, all of the above makes inline NAC solutions hard to scale.
Port-based NAC: upsides, downsides
Port-based NAC separates the function of deciding on access from that of enforcing it. It does so by teaming up with the entry points of the network, meaning a switch, a Wi-Fi access point or a VPN connector, to guard the network doors. Port-based NAC solutions work with a RADIUS server that is kept up to date on user rights and device security, so that it can tell switches, Wi-Fi access points and VPN connectors which policy to enforce. Once a user and their device are cleared and assigned a role, the entry point (such as a switch) enforces the matching policy, so that the user can access the network, but only the compartment containing the parts they are allowed into. Unlike inline NAC, the user’s activity on the network is not constantly monitored. Separating the two functions makes this method nimble on the network. There’s no need for extra bandwidth, it is less complex, and assigning access based on roles keeps the network safe. And because this method does not check every single message, it has a lower impact on network capacity and is easier to scale. You could even install so-called “slave units” at satellite offices, so that every location is optimally secured. Lastly, with port-based NAC you get rid of the single point of failure problem. At the same time, port-based NAC does demand more of your network configuration: you’ll have to make some changes to your set-up before you start.
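The decision/enforcement split described above, as an added illustration that is not code from the original post or from any NAC product: a small Python model in which a RADIUS-style decision point evaluates identity and device posture and returns a policy, while a switch port model only enforces what that policy says. The users, MAC addresses, roles and VLAN numbers are constructed sample data; no real RADIUS packets are exchanged. The attribute names mirror the standard RADIUS tunnel attributes used for dynamic VLAN assignment with 802.1X (RFC 3580), and the quarantine rule for devices with outdated antivirus is an assumed policy, not one the post prescribes.

```python
"""Model of port-based NAC: a decision point (RADIUS-style policy server)
and an enforcement point (switch port). Constructed example data throughout."""
from dataclasses import dataclass, field

# Constructed inventory: user roles and per-device posture known to the NAC server.
USER_ROLES = {"alice": "finance", "bob": "engineering", "guest-1": "guest"}
DEVICE_POSTURE = {
    "aa:bb:cc:00:00:01": {"owner": "alice", "av_current": True, "managed": True},
    "aa:bb:cc:00:00:02": {"owner": "bob", "av_current": False, "managed": True},
    "aa:bb:cc:00:00:03": {"owner": "guest-1", "av_current": False, "managed": False},
}
# Constructed role-to-compartment mapping; each role lands in its own VLAN.
ROLE_VLAN = {"finance": 10, "engineering": 20, "guest": 90}
QUARANTINE_VLAN = 99  # assumed remediation compartment for non-compliant managed devices


@dataclass
class AccessRequest:
    user: str
    mac: str
    nas_port: int  # the switch port (NAS port) the device plugged into


@dataclass
class AccessDecision:
    accepted: bool
    role: str
    # RADIUS attributes the switch will act on (names per RFC 3580 dynamic VLAN assignment)
    attributes: dict = field(default_factory=dict)


def decide(req: AccessRequest) -> AccessDecision:
    """Decision point: looks only at identity and posture, never at traffic content."""
    posture = DEVICE_POSTURE.get(req.mac)
    role = USER_ROLES.get(req.user)
    # Unknown device, unknown user, or a device not registered to this user: reject.
    if posture is None or role is None or posture["owner"] != req.user:
        return AccessDecision(accepted=False, role="reject")
    # Assumed policy: a managed device with stale antivirus goes to quarantine.
    if posture["managed"] and not posture["av_current"]:
        vlan, role = QUARANTINE_VLAN, "quarantine"
    else:
        vlan = ROLE_VLAN[role]
    return AccessDecision(
        accepted=True,
        role=role,
        attributes={
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan),
        },
    )


class SwitchPort:
    """Enforcement point: closed until a decision arrives, then pinned to one VLAN."""

    def __init__(self, number: int):
        self.number = number
        self.authorized = False
        self.vlan = None

    def apply(self, decision: AccessDecision) -> None:
        """Apply the server's decision; the port itself makes no policy judgement."""
        if not decision.accepted:
            self.authorized, self.vlan = False, None
            return
        self.authorized = True
        self.vlan = int(decision.attributes["Tunnel-Private-Group-ID"])

    def forward(self, frame_vlan: int) -> bool:
        """Frames are forwarded only on the assigned VLAN; the port drops everything else."""
        return self.authorized and frame_vlan == self.vlan


def connect(req: AccessRequest) -> SwitchPort:
    """Full flow for one device: the port asks the server, then enforces the answer."""
    port = SwitchPort(req.nas_port)
    port.apply(decide(req))
    return port


if __name__ == "__main__":
    for user, mac in [("alice", "aa:bb:cc:00:00:01"), ("bob", "aa:bb:cc:00:00:02"),
                      ("guest-1", "aa:bb:cc:00:00:03"), ("alice", "aa:bb:cc:00:00:02")]:
        p = connect(AccessRequest(user, mac, nas_port=1))
        print(f"{user:8s} {mac} -> authorized={p.authorized} vlan={p.vlan}")
```

The point to notice is where the work happens: the server's `decide` function never sees a frame, and the port's `forward` method never consults the policy store. Taking the server offline stops new authorisations, but ports that already hold a decision keep enforcing it, which is the absence of the single point of failure the post describes for inline NAC.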
How do you choose?
The choice between inline and port-based NAC depends entirely on the needs of your organisation. First, you need to assess the risk: how much financial and reputational damage would you sustain from a security breach, and how likely is one to happen? For instance, if you’re an international enterprise holding a lot of sensitive data that gives you a major competitive advantage, and the funds are there, then an inline NAC solution sounds like something you’d want. However, for most businesses, going with inline NAC is like cycling to work equipped with shin-guards, cricket pads, a gun, a Swiss Army knife and a helmet: over-equipped and restricted in your movements. So even though inline has you fully covered from a technical point of view, port-based remains the more practical, lower-maintenance and more scalable method. And where inline is often sold as a complete security solution, port-based NAC gives you a solid foundation by compartmentalising user access. You can easily build on that foundation by adding virus scanners and firewalls, or even inline NAC for your sensitive data.
Originally published 3rd April 2019, updated on 15th August 2023