Inline and out-of-band LAN security appliances offer different levels of functionality. Understanding these differences is key to selecting the right product for your organisation, says Jeff Prince
The local-area network (LAN) has emerged as a security risk, subject to insider misuse, as well as external attacks. Threats can arise from a number of aspects including rogue hosts on wireless, guests plugging into open ports in a conference room, contractors or partners needing access to corporate resources and the continued movement of laptops between the corporate LAN and the Internet. At the same time, malware is escalating because attacks are easier to build, faster to spread and motivated by financial gain.
The IT department finds itself having to provide more points of access into the LAN without compromising systems and data. In response to these challenges, vendors have developed a variety of LAN security devices. Enterprises looking to secure their LANs will find these platforms readily available and easy to deploy within an existing network infrastructure.
LAN security devices fall into two broad classes - those that operate inline and those that operate out-of-band. Inline platforms are deployed between the wiring closet switch and the network core and are distributed throughout a network, close to users. They function as both a policy decision point and an enforcement device, because they sit in the stream of network traffic.
Out-of-band LAN security appliances are centrally located and typically connect to a switch in the core. They are not directly in the flow of traffic and therefore act as a policy decision point, with enforcement being delegated to other infrastructure devices, usually the wiring closet switch in the distribution layer.
Inline and out-of-band LAN security devices differ in terms of their interoperability with existing infrastructure, the security services they support, and the operational issues they pose.
A LAN security device must protect the LAN from both internal and external risks. To be effective, the platform should support key functions including network admission control (NAC), traffic visibility, post-admission control, and malware control.
NAC includes authentication and host posture check. It allows the IT department to verify that users are who they say they are and the machine they are using complies with corporate standards (for example, running an approved operating system with current patches and fixes and an updated anti-virus program). The best devices incorporate NAC that:
- Supports both active and passive authentication
- Leverages existing identity stores for authentication
- Identifies a user’s role as part of authentication, which is essential for applying control policies to that user following admission to the network
- Provides ubiquitous host posture check that applies to all classes of users, including employees, contractors and visitors - without burdening IT
- Works with multiple host agents
- Supports hosts not under enterprise control
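The admission decision the list above describes, as an added example that is not code from the article or from ConSentry: it authenticates against an existing identity store, runs a host posture check against a corporate standard, and records the user's role at login so that post-admission policy can use it. The identity store, posture values and host reports are constructed sample data, and the handling of visitors and failed posture (guest and remediation roles) is an assumed policy, not one the article prescribes.

```python
"""Added example (not from the article or ConSentry): a minimal NAC
admission decision combining authentication, posture check and role
assignment. All identities, policy values and host reports are constructed."""
from dataclasses import dataclass, field

# Constructed stand-in for an existing identity store (e.g. a directory).
# Active authentication checks credentials here; passive authentication would
# instead observe an existing login (e.g. a directory logon) and look the
# user up by name, which is why role lookup is kept separate below.
IDENTITY_STORE = {
    "alice": {"password": "correct-horse", "role": "engineering"},
    "bob": {"password": "battery-staple", "role": "finance"},
}

# Constructed corporate posture standard: approved OS builds, minimum patch
# level and maximum age (days) of anti-virus signatures.
POSTURE_POLICY = {
    "approved_os": {"corp-os 10", "corp-os 11"},
    "min_patch_level": 42,
    "max_av_signature_age_days": 3,
}


@dataclass
class HostReport:
    """What a host agent (or an agentless scan) reports about the machine."""
    os: str
    patch_level: int
    av_signature_age_days: int
    managed: bool  # True if the host is under enterprise control


@dataclass
class AdmissionDecision:
    admitted: bool
    role: str
    reasons: list = field(default_factory=list)


def authenticate(user, password, store=IDENTITY_STORE):
    """Active authentication against the identity store.
    Returns the user's role, or None if the credentials are wrong."""
    entry = store.get(user)
    if entry is None or entry["password"] != password:
        return None
    return entry["role"]


def posture_failures(report, policy=POSTURE_POLICY):
    """Return a list of posture violations (empty means compliant).
    The same check applies to every host class, managed or not."""
    failures = []
    if report.os not in policy["approved_os"]:
        failures.append(f"unapproved OS {report.os!r}")
    if report.patch_level < policy["min_patch_level"]:
        failures.append(f"patch level {report.patch_level} below "
                        f"{policy['min_patch_level']}")
    if report.av_signature_age_days > policy["max_av_signature_age_days"]:
        failures.append("anti-virus signatures out of date")
    return failures


def admit(user, password, report, store=IDENTITY_STORE, policy=POSTURE_POLICY):
    """Admission decision. Assumed policy (not from the article): visitors
    without credentials are admitted only as 'guest'; any host failing
    posture is placed in a 'remediation' role; wrong credentials are refused."""
    reasons = []
    if user is None:
        role = "guest"
    else:
        role = authenticate(user, password, store)
        if role is None:
            return AdmissionDecision(False, "none", ["authentication failed"])
    failures = posture_failures(report, policy)
    if failures:
        return AdmissionDecision(True, "remediation", failures)
    if not report.managed:
        reasons.append("unmanaged host admitted on posture check only")
    return AdmissionDecision(True, role, reasons)


if __name__ == "__main__":
    print(admit("alice", "correct-horse", HostReport("corp-os 11", 50, 1, True)))
    print(admit("bob", "battery-staple", HostReport("corp-os 9", 40, 5, True)))
    print(admit(None, None, HostReport("corp-os 10", 42, 3, False)))
```

The role returned here is the link that the later post-admission controls depend on: once traffic is tied to a role rather than to an IP address, rights can be expressed per group of users regardless of where or how they attached.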
Traffic visibility is a prerequisite for access control and auditing, because devices cannot control what they cannot see. Look for the level of visibility granularity that will deliver the level of control your business needs. For granular control, a LAN security platform must:
- Tie all LAN traffic to the user and not simply to IP or MAC addresses
- Provide key user data, including login/logout time, applications run and resources reached
- Perform deep packet inspection on all flows and not just sampled traffic
- Retain statistics about all flows for regulatory compliance and accounting purposes
- Track security incidents, including those relating to host posture checks, policy violations, authentication failures and malware events
- Provide real-time and historical data
- Provide an aggregated view of the LAN's security health
In terms of traffic visibility, inline and out-of-band LAN security appliances offer significantly different capabilities. Inline devices can see everything that passes because they sit in the flow of traffic, whereas out-of-band appliances have no visibility into ongoing LAN traffic.
Post-admission policies provide control over where users go and what resources they can access once they are admitted onto the network. For the most granular security, a LAN security platform should provide post-admission control functionality that:
- Ties all LAN activity back to specific users – this link enables the IT department to define rights and permissions, as well as control and enforcement actions, based on a user’s role in the organisation
- Supports universal access control – this architecture ensures the correct rights and permissions are applied to all users, regardless of the access method used, or location from which they attach to the LAN
Post-admission control capabilities of inline versus out-of-band security appliances vary greatly. If designed with comprehensive traffic visibility, an inline device can apply per-flow packet handling, allowing for granular control based on user, group, and application, even layer 7 content. Since enforcement is built in, the platform is able to inspect user traffic and apply controls at LAN speed.
Lacking traffic visibility, out-of-band appliances are limited in their access control capabilities. In addition, since out-of-band appliances are dependent on distribution switches for policy enforcement, they have limited enforcement control over user traffic.
Malware detection and blocking provides the IT department another tool for protecting the LAN. Worms, viruses, bots, spyware and other malware can wreak havoc with network availability. Comprehensive post-admission traffic visibility and control is required to contain malware. When evaluating a LAN security appliance for malware control, look for devices that:
- Granularly block bad traffic. For example, giving the IT department the flexibility to block all traffic from an infected user or just the infected application
- Recognise and contain ‘zero-hour’ attacks
- Operate close to the host to limit the spread of malware and minimise system and network damage
Inline LAN security platforms can scan for malware and therefore have the ability to continuously monitor traffic in real-time. Operating inline enables this class of device to respond quickly and directly apply enforcement actions.
Out-of-band appliances cannot perform malware control, as they have no traffic visibility once a user has been admitted onto the LAN.
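The per-flow post-admission control and the malware containment granularity described in the two preceding sections, as one added example that is not code from the article or from ConSentry. It simulates an inline policy decision and enforcement point: each flow is tied to the admitted user and role (not just its IP address), evaluated against role-based rules, retained as audit and accounting statistics, and a malware event can be contained either for the whole user or for just the infected application. The sessions, rules, application names and flows are constructed sample data.

```python
"""Added example (not from the article or ConSentry): a simulated inline
post-admission policy engine with per-flow enforcement, audit retention and
per-user or per-application malware containment. All data is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst: str    # destination resource name
    app: str    # application as identified by deep packet inspection
    bytes: int


# Constructed admission state populated at login: IP -> (user, role).
SESSIONS = {
    "10.1.1.5": ("alice", "engineering"),
    "10.1.1.9": ("bob", "finance"),
    "10.1.2.20": ("guest-7", "guest"),
}

# Constructed role policy: the (destination, application) pairs each role may use.
ROLE_RULES = {
    "engineering": {("source-repo", "ssh"), ("source-repo", "https"), ("internet", "https")},
    "finance": {("erp", "https"), ("internet", "https")},
    "guest": {("internet", "https")},
}


class InlinePolicyEngine:
    """Decision and enforcement in one place: every flow passes through decide()."""

    def __init__(self, sessions=SESSIONS, rules=ROLE_RULES):
        self.sessions = sessions
        self.rules = rules
        self.quarantined_users = set()
        self.quarantined_apps = defaultdict(set)  # user -> blocked applications
        self.audit = []                           # (user, role, dst, app, verdict)
        self.stats = defaultdict(Counter)         # user -> bytes per verdict

    def identify(self, flow):
        """Tie the flow to a user and role via the admission session table."""
        return self.sessions.get(flow.src_ip, ("unknown", "none"))

    def decide(self, flow):
        user, role = self.identify(flow)
        if user in self.quarantined_users:
            verdict = "drop:quarantined-user"
        elif flow.app in self.quarantined_apps[user]:
            verdict = "drop:quarantined-app"
        elif (flow.dst, flow.app) in self.rules.get(role, set()):
            verdict = "allow"
        else:
            verdict = "drop:policy"
        # Retain every flow, not a sample, for auditing and accounting.
        self.audit.append((user, role, flow.dst, flow.app, verdict))
        self.stats[user][verdict] += flow.bytes
        return verdict

    def contain(self, user, app=None):
        """Malware containment: block all traffic from a user, or only the
        infected application so the user's other work keeps flowing."""
        if app is None:
            self.quarantined_users.add(user)
        else:
            self.quarantined_apps[user].add(app)

    def health_summary(self):
        """Aggregated view built from the retained per-flow statistics."""
        return {user: dict(counter) for user, counter in self.stats.items()}


def run_sample():
    """Constructed scenario: normal flows, then containment of one application
    for alice and of bob entirely."""
    engine = InlinePolicyEngine()
    verdicts = [engine.decide(f) for f in (
        Flow("10.1.1.5", "source-repo", "ssh", 5000),   # engineering to repo
        Flow("10.1.1.9", "source-repo", "ssh", 300),    # finance to repo: not permitted
        Flow("10.1.2.20", "erp", "https", 200),         # guest to ERP: not permitted
        Flow("10.1.1.5", "internet", "irc", 100),       # unexpected application
    )]
    engine.contain("alice", app="irc")                  # quarantine only that application
    after_app = engine.decide(Flow("10.1.1.5", "internet", "irc", 100))
    still_ok = engine.decide(Flow("10.1.1.5", "source-repo", "https", 800))
    engine.contain("bob")                               # quarantine the whole user
    after_user = engine.decide(Flow("10.1.1.9", "erp", "https", 50))
    return verdicts, (after_app, still_ok, after_user), engine.health_summary()


if __name__ == "__main__":
    for part in run_sample():
        print(part)
```

Because decision and enforcement sit in the same path, the verdict is applied to the flow that triggered it. An out-of-band appliance in the same scenario would have exhausted its leverage at admission time, when it told the wiring-closet switch which VLAN to place the port in; it would see none of the flows above and could not distinguish the infected application from the user's other traffic.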
It is important to evaluate a LAN security appliance for its potential impact on network and IT operations, specifically whether it impacts LAN performance or the IT department's ability to troubleshoot the network.
Out-of-band LAN security appliances generally don’t affect LAN performance.
In contrast, inline devices must have high performance characteristics to keep up with LAN traffic at line speed and perform functions such as deep packet inspection and continuous real-time monitoring and enforcement.
Inline devices that rely on off-the-shelf processors will not be able to sustain gigabit speeds and are likely to negatively impact LAN performance.
In terms of troubleshooting, inline platforms have the advantage of being simpler to manage and troubleshoot than out-of-band devices, because they combine policy decision and enforcement functions in a single box. With out-of-band appliances, the IT department must determine which device, the LAN security appliance or switch, is the source of a problem.
In selecting a LAN security appliance, IT and security personnel need to consider the range of internal and external threats their LAN faces, along with the specific requirements of their organisation. Which appliance is best will depend on a number of factors, including the set of security services desired, the granularity of traffic visibility and control needed and where in the network IT prefers to implement their LAN security.
Organisations that want only admission control will find good options among both out-of-band and inline devices. Businesses that want to implement more post-admission controls should focus on inline devices, since out-of-band appliances are much more limited in these functions.
Regardless of architectural approach, the IT department needs to move quickly to protect against LAN security risks.
Jeff Prince is CTO, ConSentry Networks