Out-of-Band Network Access Control appliances watch traffic from outside of the network path. They make a copy of any traffic that passes through and review the copy. They report on the harmful things that have come through and make changes so that they can’t happen again. By copying every piece of traffic, and then sending remediation traffic back through the network, they essentially double the amount of traffic, slowing down your network. Out-of-Band NACs also have to be compatible with your specific network equipment.
Out-of-band Network Access Control solutions offer some of the policy smarts for NAC but leave the enforcement elements to Ethernet switches, VPN concentrators and wireless access points. They also require endpoint agents, which can be removed from the devices, especially if they are personal or BYOD devices.
These solutions rely on Layer-3 ACLs and Layer-2 VLANs for some traffic segmentation, but offer no enforcement, and are extremely weak at identity-based access control, the cornerstone of NAC.
These solutions are also very dependent on the types of switches, access points and VPN concentrators, and on the software versions running on these devices.
They have so many moving parts and management issues as to make their deployment, beyond an interesting lab demonstration, a costly proposition.
Inline Network Access Controls sit directly in the path of your network traffic. They’re able to stop threats as they emerge, instead of having to remediate them later. It’s a common misconception that an inline NAC will slow down your network. In reality, while it inspects every piece of data coming through, it only needs to do so once. As you can see above, Out-of-Band not only makes copies, doubling the traffic, but also sends additional traffic through when making repairs.
Inline doesn’t need to talk to the switches, routers, or other networking equipment, and is therefore equipment-agnostic. It can be used with any type of network.
Inline solutions offer the most effective NAC functionality, including traffic inspection, and when deployed in a standard network require almost no changes to existing network equipment.
These solutions offer a complete NAC lifecycle without the integration costs, moving parts, switch upgrades to the latest and greatest software patches, and changes in configuration required on the network.