In-Line vs. Out-of-Line Web Security

Comparison of Web Security Deployment Philosophies


Web security gateway solutions have two different deployment philosophies - in-line or out-of-line. In-line appliances reside behind the network firewall as a transparent proxy for performing Web security. Conversely, out-of-line Web security appliances reside away from the network traffic stream, having network traffic mirrored or routed to the out-of-line appliance for Web security.

Historically, Web security gateway appliances were mainly designed to sit out-of-line because of performance problems and because Web traffic was usually confined to a limited number of ports and protocols. Performance is a critical aspect of Web security, and in the past the limitations of older security technologies made sitting in-line nearly impossible. Today, the Web has evolved dramatically: Web 2.0 spans many ports and protocols. With new advances in security technologies and the evolution of the Web from static content to diverse applications, content and media, sitting in-line is much easier. DeepNines architected its products to sit in-line; however, most competing Web security vendors today still remain out-of-line because of this historical precedent.

In-Line or Out-of-Line?
Some network administrators ask which deployment method they should consider. In fact, both philosophies have merit, but each has obvious benefits and limitations. Comparing the models should make it easier to understand and decide which is best for your network.

In-Line

  PROS
  • Immediate control of all Web traffic regardless of port or protocol
  • Easy to install
  • Bi-directional visibility and control (inbound and outbound traffic)
  • Agnostic to switch/router or firewall platform and versions
  • Enhanced threat prevention capabilities with intrusion prevention, anti-malware, etc.
  • Bandwidth management control

  CONS
  • One-time network downtime for installation

Out-of-Line

  PROS
  • No network downtime for install
  • Agnostic to switch/router or firewall platform and versions

  CONS
  • Can’t identify all Web traffic, such as peer-to-peer (P2P) programs
  • Slow to install, because SPAN or mirror ports must be configured, or routing tables modified, to direct traffic to the appliance
  • Limited network visibility
  • Limited control of applications
  • Limited control of bandwidth
  • Limited threat prevention of complex attacks, risks and suspicious traffic