In-Band

In-band appliances sit in the flow of live network traffic, frequently close to where endpoints access the network (potentially in the access layer switch itself), so that all client-side traffic into and out of the network must pass through them. As such, they are able to directly provide both pre-connect and post-connect security services. Most in-line LAN security appliances co-locate the authenticator, PEP, and PDP functions in a single, stand-alone device. In other words, because they are analyzing and passing live network traffic, in-band devices act as the enforcement point themselves rather than relying on another network system.
Out-of-Band

Out-of-band appliances are actually in-line for the login phase of the user session, and so can provide pre-connect compliance checks and policy enforcement. However, once the posture check is done, the user is authenticated, and policy decisions are made, they typically switch themselves out of the user traffic path for the remainder of the session.
The following table summarizes the differences between the in-band and out-of-band approaches.
| Feature | In-band | Out-of-band | Benefit |
|---|---|---|---|
| Endpoint compliance and user authentication | Performed in a straightforward manner, with remediation options that avoid VLAN steering. | Must be done in a provisional VLAN, with client traffic then steered to an assigned or quarantine VLAN. Threats can spread within a VLAN. | Never requires the client to re-acquire an IP address, which would add delay to user logins. |
| Identity-based access controls | Internal stateful firewall policies based on source, destination, and traffic content. | VLAN steering works if different roles are placed in different VLANs. Finer granularity requires upstream firewalls. | In-band provides fine-grained identity-based access controls as a basic security feature. |
| Malware detection | Continuous malware detection using various techniques, including behavior and signatures. | No visibility into user traffic, since the appliance is out of the traffic flow during the session. Requires an additional upstream IPS for comparable security. | In-band provides persistent malware detection and prevention as a basic feature. |
| Visibility and monitoring | Continuous monitoring of and visibility into all user activities, with associated user-based reports. | No visibility into user traffic, since the appliance is out of circuit. Requires additional sensors, displays, and reporting infrastructure for comparable security. | In-band provides persistent role-based monitoring and visibility as a basic feature. |
| Quarantine enforcement | Done using a stateful firewall approach, shielding all users from each other. | Places non-compliant users in a common quarantine VLAN. | In-band protects vulnerable or infected clients from each other. |
| Cost | No hidden deployment or reconfiguration costs; no upgrades to existing infrastructure required. | Initial capital expense for devices and controllers, but higher operational costs and potential upgrades of enforcement points. | In-band offers lower overall cost of deployment and management. |
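The two enforcement models in the table differ most visibly in how they quarantine non-compliant hosts: a shared quarantine VLAN leaves those hosts reachable from one another, while a per-client stateful policy that stays in the path does not. The following simulation is an added example written for this page, not code from the original post or from any vendor product. The role names, VLAN numbers, destination hosts and ports are constructed values, and the model deliberately ignores inter-VLAN routing and upstream firewalls, which the table notes an out-of-band design would need for finer control.

```python
from dataclasses import dataclass

# Hypothetical name of the host that quarantined clients are allowed to reach.
REMEDIATION_SERVER = "remediation"


@dataclass(frozen=True)
class Endpoint:
    name: str
    role: str         # identity established during authentication
    compliant: bool   # outcome of the pre-connect posture check


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


class OutOfBandNAC:
    """Out-of-band model: the appliance picks a VLAN during the login phase,
    then leaves the traffic path. VLAN numbers here are constructed."""

    QUARANTINE_VLAN = 99
    ROLE_VLANS = {"employee": 10, "contractor": 20}

    def __init__(self):
        # The remediation server lives in the quarantine VLAN (assumption).
        self.vlan_of = {REMEDIATION_SERVER: self.QUARANTINE_VLAN}

    def admit(self, ep: Endpoint) -> int:
        vlan = self.ROLE_VLANS[ep.role] if ep.compliant else self.QUARANTINE_VLAN
        self.vlan_of[ep.name] = vlan
        return vlan

    def permits(self, flow: Flow) -> bool:
        # Once out of the path there is no per-flow inspection: any two hosts
        # in the same VLAN reach each other on any port. Cross-VLAN traffic
        # would need an upstream firewall, which this model leaves out.
        return (
            flow.src in self.vlan_of
            and self.vlan_of[flow.src] == self.vlan_of.get(flow.dst)
        )


class InBandNAC:
    """In-band model: the appliance stays in the path and checks every flow
    against a per-client policy built when the client is admitted."""

    # Constructed role policy: destination host -> allowed destination ports.
    ROLE_POLICY = {
        "employee": {"fileserver": {445}, "intranet": {443}},
        "contractor": {"intranet": {443}},
    }

    def __init__(self):
        self.policy = {}

    def admit(self, ep: Endpoint) -> dict:
        if ep.compliant:
            allowed = self.ROLE_POLICY[ep.role]
        else:
            # Quarantine: only the remediation server, and only over HTTPS.
            allowed = {REMEDIATION_SERVER: {443}}
        self.policy[ep.name] = allowed
        return allowed

    def permits(self, flow: Flow) -> bool:
        # Default deny: a flow passes only if the client's own policy names
        # the destination and port. Other clients never appear in any policy,
        # so clients (quarantined or healthy) are shielded from each other.
        return flow.dport in self.policy.get(flow.src, {}).get(flow.dst, set())


def compare_quarantine_isolation() -> dict:
    """Admit two non-compliant hosts to each model and report whether a
    lateral flow between them and a flow to remediation are permitted."""
    hosts = [Endpoint("pc-a", "employee", False), Endpoint("pc-b", "employee", False)]
    lateral = Flow("pc-a", "pc-b", 445)
    remediate = Flow("pc-a", REMEDIATION_SERVER, 443)

    results = {}
    for label, nac in (("out_of_band", OutOfBandNAC()), ("in_band", InBandNAC())):
        for h in hosts:
            nac.admit(h)
        results[label] = {
            "lateral_permitted": nac.permits(lateral),
            "remediation_permitted": nac.permits(remediate),
        }
    return results


if __name__ == "__main__":
    for model, outcome in compare_quarantine_isolation().items():
        print(model, outcome)
```

Running the script shows both models letting a quarantined host reach remediation, but only the out-of-band model letting the two quarantined hosts reach each other, which is the "threats can spread within VLAN" row of the table expressed as a reachability check. The in-band `permits` method is also where a real appliance would hook the continuous malware detection and monitoring listed in the other rows, since every flow passes through it.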