Network Computing is part of the Informa Tech Division of Informa PLC

Tutorial: Network Access Control (NAC): Page 9 of 11

>> Out-of-band NAC is more commonly used than in-band and covers products that are PDPs but use other methods, like 802.1X, DHCP and ARP management, or VLAN steering, to enforce policy. As hosts come online, the NAC product intervenes and performs some kind of assessment, then grants access where appropriate. The benefit of out-of-band NAC is that there's little impact on network performance, and fewer devices are needed. The effectiveness of out-of-band NAC depends on the discovery and enforcement mechanisms. DHCP control, for example, is easily bypassed if a host has a static IP address.
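The static-IP bypass of DHCP control described above is detectable from the defender's side. The following is an added example, not code from the original article: it compares a constructed DHCP lease table with a constructed neighbour-cache dump in `ip neigh` format and flags hosts active on the NAC-controlled subnet that hold no lease, or whose MAC differs from the lease holder.

```python
"""Detect hosts that sidestep DHCP-based NAC by using a static IP address.
Added example (not from the original article): compares the DHCP lease table
with IP/MAC pairs seen on the access network. All records are constructed."""
import ipaddress

# Constructed lease table as the NAC's DHCP control knows it: ip -> mac
DHCP_LEASES = {
    "10.20.0.11": "aa:bb:cc:00:00:11",
    "10.20.0.12": "aa:bb:cc:00:00:12",
}

# Constructed neighbour-cache dump in `ip neigh` format, one entry per line
ARP_OBSERVATIONS = """\
10.20.0.11 dev eth0 lladdr aa:bb:cc:00:00:11 REACHABLE
10.20.0.12 dev eth0 lladdr aa:bb:cc:00:00:12 STALE
10.20.0.50 dev eth0 lladdr de:ad:be:ef:00:50 REACHABLE
10.20.0.11 dev eth0 lladdr ee:ee:ee:ee:ee:11 DELAY
10.20.0.9 dev eth0  FAILED
192.168.1.1 dev eth1 lladdr 00:11:22:33:44:55 STALE
"""

def parse_neigh(text):
    """Return (ip, mac) pairs; entries without a link-layer address are skipped."""
    pairs = []
    for tokens in (line.split() for line in text.splitlines()):
        if "lladdr" not in tokens:
            continue  # FAILED/INCOMPLETE entries carry no MAC
        ip = str(ipaddress.ip_address(tokens[0]))  # raises on malformed input
        pairs.append((ip, tokens[tokens.index("lladdr") + 1].lower()))
    return pairs

def find_dhcp_bypass(leases, observed, scope):
    """Return (ip, mac, reason) for active hosts in `scope` that DHCP-based
    enforcement never saw: no lease at all, or a MAC that is not the lease holder."""
    net = ipaddress.ip_network(scope)
    findings = []
    for ip, mac in observed:
        if ipaddress.ip_address(ip) not in net:
            continue  # outside the NAC-controlled subnet
        lease_mac = leases.get(ip)
        if lease_mac is None:
            findings.append((ip, mac, "active with no DHCP lease (static IP?)"))
        elif lease_mac.lower() != mac:
            findings.append((ip, mac, f"MAC differs from lease holder {lease_mac}"))
    return findings
```

A feed of switch MAC tables or ARP caches into such a comparison gives an out-of-band deployment the discovery step it otherwise lacks for statically addressed hosts.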

[Figure: Out of Band]

>> Switch-based NAC is similar to in-band NAC, but rather than having enforcement between the access and distribution switch, enforcement occurs on the switch itself. What differentiates switch-based NAC from simply using 802.1X to control a port? Switch-based NAC offerings don't require 802.1X to communicate with the access requestor.

Once a host requests access, it's assessed using an agent or agentless scan, and then the PDP sets policy on the switch port. Switch-based NAC products also offer internal intrusion detection and anomaly detection on a per-port basis, so there's no need to integrate an external system. Like in-band NAC, switch-based NAC can also apply access controls by network application port and by traffic type. Ideally, NAC should be enforced at the port level for the finest control, so if you're planning on upgrading your switches, investigate advanced switch features.