Infonetics defines in-line NAC products as appliances that are physically in-line with the network infrastructure -- bump in the wire. They define out-of-band as products that are bump in the stack -- they aren't physically in-line with the network, but may manipulate layer 2/3 protocols like VLANs, ARP, and DHCP to control access. The definitions, I think, are accurate.
Our own reader survey on NAC deployments indicates respondents have a strong preference for adding enforcement points and in-line appliances to their existing network rather than using out-of-band appliances, which agrees with Infonetics' prediction that out-of-band appliances will have smaller penetration than in-line products.
However, Wilson points out, "Our survey research showed an early preference for in-line appliances as well, but as the market matures and as more of our respondents have real-world deployment expertise, there has been a shift back to out-of-band. If you look at the market and the players, it's really Cisco (mostly with out-of-band deployments), Juniper (same), and then smaller companies like ForeScout who are doing well."
Why all the fuss about market segments and growth? On the one hand, Wilson, I, and others have pointed out that IT professionals don't necessarily make purchasing decisions based on market definitions. I doubt anyone wakes up and decides that in-line NAC is the way to go. Rather, IT pros look for products that fit their architectural, strategic, and tactical goals. Besides, many vendors offer products in multiple market segments.
What is important is that the deployment option or options a NAC product supports determine what kinds of controls you can put in place. For example, out-of-band NAC products perform network admission control: they determine whether a host can get onto, or remain on, the network. Simply placing a computer into a designated VLAN or DHCP subnet isn't access control, because regardless of where the computer ends up, visibility into and control over what it then does on the network are still missing.
In-line appliances and NAC switches can often go further, providing network access control by restricting which hosts or services a user or computer can reach. Essentially, in-band network access control applies firewall rules based on user identity or group membership. In-line and NAC switch vendors are also in a position to extend network-level controls to application access, something still in its early stages.
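To make the admission-versus-access distinction concrete, here is a small model added for this article (it is not code from any vendor mentioned here). The VLAN plan, hosts, user groups and policy rules are all constructed for the example. The out-of-band half can only choose which VLAN a host lands in, so two hosts parked in the same VLAN see each other freely; the in-line half evaluates identity-aware, first-match rules with a default deny, so a contractor and a finance user on the same VLAN get different answers for the same destination.

```python
"""Toy model of the two kinds of NAC control discussed above.

admission control : which VLAN a host lands in (what an out-of-band product decides)
access control    : which hosts/services an identity may reach (what an in-line device enforces)

Every VLAN, address, group and rule below is constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed VLAN plan: the only knob an out-of-band product turns.
VLANS = {
    "corp": ip_network("10.10.0.0/24"),
    "quarantine": ip_network("10.99.0.0/24"),
}


def admit(posture_ok: bool) -> str:
    """Admission control: a compliant host gets the corp VLAN, anything else is
    parked in quarantine. Nothing here says what the host may then reach."""
    return "corp" if posture_ok else "quarantine"


def vlan_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def reachable_by_vlan(src: str, dst: str) -> bool:
    """What VLAN placement alone enforces: hosts in the same VLAN see each other,
    quarantine may not reach other VLANs, everything else is simply routed."""
    s, d = vlan_of(src), vlan_of(dst)
    if s == d:
        return True           # same broadcast domain, no per-host control
    return s != "quarantine"  # only quarantine is walled off


@dataclass
class Rule:
    groups: frozenset      # identities the rule applies to ("*" = anyone)
    dst: IPv4Network
    ports: frozenset       # empty = any port
    allow: bool


# Constructed in-line policy: first match wins, default deny at the end.
POLICY = [
    Rule(frozenset({"finance"}), ip_network("10.10.0.50/32"), frozenset({1433}), True),
    Rule(frozenset({"*"}), ip_network("10.10.0.10/32"), frozenset({443}), True),
    Rule(frozenset({"*"}), ip_network("10.0.0.0/8"), frozenset(), False),
]


def access_allowed(user_groups: set, dst: str, port: int, policy=POLICY) -> bool:
    """Access control: the in-line device knows who is behind the flow and
    evaluates identity-aware rules rather than only where the host sits."""
    addr = ip_address(dst)
    for rule in policy:
        if "*" not in rule.groups and not (rule.groups & user_groups):
            continue
        if addr not in rule.dst:
            continue
        if rule.ports and port not in rule.ports:
            continue
        return rule.allow
    return False


def compare(user_groups: set, src: str, dst: str, port: int) -> dict:
    """Same flow judged both ways: by VLAN placement and by identity rules."""
    return {
        "vlan_only": reachable_by_vlan(src, dst),
        "identity_rule": access_allowed(user_groups, dst, port),
    }


if __name__ == "__main__":
    print(admit(True), admit(False))
    # Both hosts are compliant and sit in corp; only the identity rules tell them apart.
    print(compare({"contractor"}, "10.10.0.20", "10.10.0.50", 1433))
    print(compare({"finance"}, "10.10.0.21", "10.10.0.50", 1433))
```

The point of the model is the last two lines: VLAN placement says yes to both users because both passed admission, while the identity-aware policy lets only the finance group reach the database port. That gap is what the article means by admission control being necessary but not the same thing as access control.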
It's good to see the market growth. While some of my reservations about the efficacy of network admission control are aligned with Stiennon's, who doesn't think it's a technology worth investing in, I'd not want to throw out the proverbial baby with the bath water. I think part of what studies like Infonetics' market research and our reader survey show is that organizations have differing goals, which leads to differing uses of technology.
Even guerrilla marketing executive Dominic Wilde, VP of marketing for Nevis Networks, a company that makes an in-band appliance and a NAC switch, likes to set realistic expectations about how market position meets user needs. Paraphrasing a recent conversation, Wilde pointed out that some user organizations just want pre- and post-connect host assessment to admit users onto their network and that's it. We (Nevis) can do that as part of network access control, but there are other vendors that do it better. Nevis is about access control in the network from admission through access to systems, services, and application resources.
Hence, market demand -- that's you -- drives innovation. Innovation drives differentiation. Differentiation drives market segmentation. Market segmentation drives product development. Product development -- that's you again -- drives specialization, which furthers market segmentation. So really, the confusion in the NAC market is all your fault.