In-Band
In-band appliances sit in the flow of live network traffic, frequently close to where endpoints access the network (potentially in the access layer switch itself), so that all client-side traffic into and out of the network must pass through them. As such, they are able to directly provide both pre-connect and post-connect security services. Most in-line LAN security appliances co-locate the authenticator, PEP, and PDP functions in a single, stand-alone device.
In other words, because they are analyzing and passing live network traffic, in-band devices act as the enforcement point themselves rather than relying on another network system.
Out-of-Band
Out-of-band appliances are actually in-line for the login phase of the user session, and so can provide pre-connect compliance checks and policy enforcement. However, once the posture check is done, the user is authenticated, and policy decisions are made, they typically switch themselves out of the user traffic path for the remainder of the session.
The following table summarizes the differences between the in-band and out-of-band approaches.
Features | In-band | Out-of-band | Benefit |
Endpoint Compliance and User Authentication | Performed in straightforward manner, with remediation options that avoid VLAN steering. | Must be done in a provisional VLAN, then client traffic steered to an assigned or quarantine VLAN. Threats can spread within VLAN. | Does not ever require client to re-acquire IP address, which adds delays in users logging in. |
Identity-Based Access Controls | Internal stateful firewall policies based on source, destination, and traffic content. | VLAN steering would work if different roles are placed in different VLANs. Finer granularity requires upstream firewalls. | In-band provides fine-grained identity based access controls as basic security feature. |
Malware Detection | Continuous malware detection using various techniques, including behavior and signatures | No visibility into user traffic since out of flow of network traffic during session. Requires additional upstream IPS for comparable security. | In-band provides persistent malware detection and prevention as a basic feature. |
Visibility and Monitoring | Continuous monitoring of and visibility into all user activities, with associated user-based reports | No visibility into user traffic since out of circuit. Requires additional sensors, displays and reporting infrastructure for comparable security. | In-band provides persistent role-based monitoring and visibility as a basic feature. |
Quarantine Enforcement | Done using stateful firewall approach, shielding all users from each other | Places non-compliant users in a common quarantine VLAN | In-band protects vulnerable or infected clients from each other. |
Cost | No hidden deployment or reconfiguration costs, no upgrades to existing infrastructure required. | Initial capital expense for devices and controllers, but higher operational costs, and potential upgrades of enforcement points | In-band offers lower overall cost of deployment and management. |