Segmenting a network may sound like an overly complicated and highly technical project to embark on. However, in reality, with good practices and a step-by-step plan you can take on network segmentation without any problem. This guide will show you how.

6 steps to successful network segmentation

There are two types of network segmentation approaches: physical segmentation, using physical devices such as routers and switches; and logical segmentation, which uses software. This guide will cover both, serving as a blueprint to guide you through the journey of network segmentation no matter which approach you choose to take.

1. Know your assets and data

The first thing you need to do is identify your assets and your data. This involves building an inventory and figuring out which assets and data are the most valuable. Ask yourself what is business-critical, but be thorough and include all your data and assets in your inventory.

This step is critical to determine how your network will be segmented. During this stage you can use data inventory software, risk assessment technologies, or vulnerability scanners.

2. Classify your data and asset inventory

Once you have a full visualization of your data and assets, you need to classify them according to sensitivity and importance. This will help you to determine how much protection they need and how they should be segmented.

Common ways to classify assets and data include:

• Confidential: This data should be protected from unauthorized access.
• Private: This data should be protected from unauthorized disclosure.
• Public: This data is not sensitive and does not require a lot of protection.

Confidential and private data and assets are considered high-sensitivity data, while public data is usually considered low-risk.

Note that emails, company policies, and other related documents are mid-level data, while online public information such as social network data, websites, or postings are low-risk data.

You should consider any data or asset that, if affected, would disrupt or affect business operations, as highly sensitive. This includes everything from financial and customer data to supply chain information.

3. Build a network map with data flows

With the information from steps one and two, it is now time to create a network map. This map must include all the devices, users, and connections of your network and their relationships. It must also have a clear diagram of how data flows.

With this map, you will begin to have a clear idea of how you can subdivide your network avoiding pitfalls and mitigating any vulnerability.

If you want to automate this process you can use different solutions to create network maps. Top vendors include SolarWinds Network Topology Mapper, NetBrain, ManageEngine OpManager or the free open-source Spiceworks Network Mapping. These solutions offer features that allow you to map out data flows.

There are three main types of data traffic:

• Northbound traffic: forward-looking traffic leaving your systems.
• East-west traffic: inner system data traffic.
• Southbound traffic: inner-looking traffic entering your digital surface.

Northbound traffic

Northbound traffic includes all the data and assets going through your network flowing out of your system. This includes user-generated traffic or management administrative traffic. A user browsing the internet or your workers sending out emails are common examples of Northbound traffic.

East-west traffic

East-west traffic is everything flowing within your infrastructure. This includes data and assets moving from data centers, servers, devices, and applications. This traffic can be broken down into inter-server — data in transit or transferring — and storage traffic.

East-west traffic can occupy a significant amount of bandwidth, be used for mid-risk and highly sensitive data, and congest a network. This is why segmenting east-west traffic is commonly a good practice.

Southbound traffic

Southbound traffic is network traffic that flows from a data center to the outside world. It is typically used to describe traffic that originates from within the data center — such as from servers, storage devices, and applications — and is sent to the internet or other networks.

Southbound traffic can also be grouped into two main categories: application traffic (generated by applications, such as web traffic, email, and file sharing) and management traffic (used to manage the data center, such as traffic from monitoring systems and security devices).

Southbound traffic can be a major source of security risks and is also usually segmented to strengthen security postures.

4. Design your segmentation plan

Your network map, low-mid-high labels, and traffic flows have already given you a definite view into which subnetworks you need to create. Now in this stage, you will decide which methods, techniques, physical concepts, or software you are going to use to segment your network.

Here is where you decide whether to use physical or logical segmentation, or both. Evaluate which is best for each subnetwork and design your segmentation plan.

Physical segmentation includes physical devices such as routers, switches, and air gaps.

Logical segmentation uses software to divide the network. While this is a more complex type of segmentation, recent solutions are making it easier for any company to use them.

Top vendors for logical network segmentation include Palo Alto Networks Prisma Cloud, Cisco ACI , VMware NSX, Juniper Networks Contrail, and Fortinet. Together they offer a wide range of software-driven networking and logical network segmentation solutions which include:

• Policy-based segmentation.
• Role-based access control (RBAC).
• Micro-segmentation.
• Encryption.
• Device and user profiling.
• User access security technologies.

Consider your IT expertise, budget, security risks, and how important your data and assets are to best determine which technique and technology you will use to segment your network.

5. Run your segmentation plan

At this stage you should have everything you need to implement the plan you have designed. Make all the necessary changes to your infrastructure, configure your security and devices, and update your policies and procedures.

Make sure your IT team is fit for business and that communication channels are open to discuss progress, goals met, and possible problems that may arise to implement upgrades, adjust and optimize your network segmentation.

You can run small tests, for example, segmenting first one department or area of business and then moving on and scaling. Think big but take small wins. Test, gather feedback, and retest everything again.

6. Monitor, maintain, and optimize

Network segmentation is not a once-and-done deal. You have to constantly monitor the network, profile users and devices, gather data traffic flow information, check for bugs and vulnerabilities, and make upgrades to optimize the infrastructure.

At this stage, while humans in the loop are essential, you can also leverage the latest in network monitoring technologies which will help you automate most of the processes, especially those such as network information gathering and analytics, alerts and flags, and security and compliance policies and issues.

Can you physically segment a network?

Yes, it is possible to physically segment a network. As mentioned above, networks can be segmented through physical means or through the use of software or a combination of both.

The steps to successfully physically segment a network are exactly the same as described above, except for a variation of step four, where software options would not be considered for use.

From extreme concepts like air gap — where devices, servers, or computers are completely disconnected from any other device or the internet — to the more standard use of physical switches, routers, or other network devices, there are many physical options to create subnetworks within a large network.

Physical network segmentation can protect critical systems, such as the corporate network, from unauthorized access, prevent the spread of malware or other malicious traffic, help meet compliance, and improve network performance by reducing congestion.

However, physical network segmentation may be more expensive than logical segmentation as hardware costs need to be considered. Additionally, logical segmentation software provides visualization tools and can integrate with other solutions and software also receives constant updates and support. Consider the importance of these factors for your company before deciding.

Bottom line: Network segmentation the right way

No matter what type of network segmentation approach you choose to use, always follow the steps listed above to make sure you have a robust, ordered, and clear network segmentation strategy.

Make sure security and privacy are included from the very beginning of your plan. Once deployed, continually monitor and optimize your subnetworks and keep an eye on new technologies that could help you increase performance and reduce costs.

For help establishing a securely segmented network, here’s our guide to the best network segmentation software available today.

The post How to Properly Segment a Network in 6 Steps appeared first on Enterprise Networking Planet.

NAC technologies typically use a combination of hardware, software, and policy to control access to a network. However, cloud NAC has also become increasingly popular. Policies may be based on authentication, endpoint configuration (posture), or users’ role/identity. 

There are two main reasons why NAC solutions are trending. First, the digital surface has expanded with a significant number of new devices connecting to networks, such as IoT, Industrial IoT, and Bring-Your-Own-Device (BYOD). Secondly, organizations must respond with solid security technologies against the global wave of sophisticated cyberattacks and malware network spread. 

Here are our top picks for NAC solutions in 2023: 

• Cisco Identity Services Engine (ISE): Best for large enterprises with advanced requirements
• Forescout Platform: Best for organizations with user and device diversity
• Aruba ClearPass: Best for small and medium-sized businesses (SMBs)
• Fortinet FortiNAC: Best cloud-based NAC solution
• Extreme Networks ExtremeControl: Best for integrating NAC solutions to existing infrastructure

Top Network Access Control (NAC) software comparison

Several features are essential to all NAC solutions. When choosing a vendor, businesses must evaluate features offered against their operational needs to determine whether the technology fits. 

From policy enforcement to user profiling, vulnerability scanning and customer support and pricing, find below a comparison chart to help you choose the best NAC solution for your enterprise.

1. Cisco Identity Services Engine (ISE) 

Best for large enterprises with advanced requirements

CISCO ISE Logo. Source: CISCO. 

Cisco Identify Services Engine (ISE) is one of the top NAC solutions in the market. The technology is popular among large enterprises with sophisticated network requirements. ISE is a comprehensive, next-generation NAC solution, rich in features.

Companies using ISE can provide highly secure network access to users and devices while having complete visibility across wired, wireless VPN, and 5G connections. It also provides users with information on apps installed and running and vital contextual data, such as user and device identities, threats, and vulnerabilities. 

The company differentiates itself from the competition by being a one-stop solution. It also offers self-service onboarding features for BYOD policies, automated device-compliance checks, and central network device management. Cisco offers separate NAC solutions for the industrial Internet of Things (IIoT), operational technology (OT), and industrial controls for medical devices.

Pricing

CISCO ISE pricing can not only be expensive but difficult to understand. The CISCO ISE licenses plans are numerous, and components and services may only be available with additional costs, depending on the number of users in the network. The new Tier Licenses include Essentials, Advantage, and Premier. Details of each can be found here. Prices are available upon request. 

CISCO ISE central visibility dashboard. Source: CISCO. 

Features

• Centralization, visualization and management:  Administrators can configure and manage profiles, postures, compliance, users, and authentication and authorization services in a single web-based GUI console.
• Integrations: The service can integrate with external identity repositories such as Microsoft Active Directory (On-Prem or Azure AD), Lightweight Directory Access Protocol (LDAP), RADIUS, RSA One-Time Password (OTP), certificate authorities for both authentication and authorization, Open Database Connectivity (ODBC) and SAML providers.
• Attributes: Includes user and endpoint identity, posture validation, authentication protocols, device identity and other external attributes. 
• Highly secure environment customized with company policies: Provides features to enforce a highly secure access policy that matches the identity’s business role with attributes such as user, time, location, threat, vulnerability and access type. 
• Streamlined network visibility: Stores a history of all endpoints that connect to the network and users, including guests, employees, and contractors, as well as applications and firewalls. 
• Advanced policy enforcement: Allows users to apply access rules that meet changing requirements. 
• Automated device-compliance checks: Using the Cisco AnyConnect Unified Agent, users can access advanced VPN services for desktop and laptop compliance checks. 
• Seamless onboarding for BYOD and guest policies: Provides IT staff with automated device provisioning, profiling, and posturing to comply with security policies, while BYOD devices can self-onboard without IT support.
• Reports and real-time tracking: Provides administrators with real-time visual flows, tracks access across the network for security and compliance, and runs advanced reports. 
• Device profiling: Offers predefined device templates for many types of endpoints, such as IP phones, printers, IP cameras, smartphones, and tablets. Additional templates for specialized devices such as medical, manufacturing, and building automation are available.

Pros

• Advanced capabilities for large enterprises that require sophisticated NAC technology. 
• One-stop solution, rich in features. 
• Provides features for industrial networks and specialized use cases. 
• Excellent consolidation and visualization through centralized dashboards. 
• Enables zero trust architectures.
• Provides compliance. 
• Seamless onboarding for BYOD devices. 

Cons

• It can be expensive. 
• Requires expert knowledge to operate. 
• Has a steep learning curve. 
• Pricing and licensing can be confusing. 

2. Forescout Platform 

Best for organizations with user and device diversity

Forescout Logo. Source: Forescout.

Since 2021 when Forescout was recognized as the Customer Choice by Gartner Peer Insights’ “Voice of the Customer” NAC report, the company has consolidated its reputation for offering a robust solution to manage all types of devices.  

With an easy-to-use platform and seamless deployment, sided with good support, companies can implement Forescout zero trust access on their networks for a vast array of devices and connected things — including employee devices returning to the office post-COVID, remotely connected devices, transient devices, guest/BYOD devices, and IoT, OT, and smart devices. 

Additionally, the company provides modern NAC features, including automated remediation, access control implementations, monitoring, and management and insights. 

Pricing

Forescout does not provide online pricing information. The company does offer a licensing guide that details the hardware and software products. The platform can be deployed on physical on-premises or cloud and edge virtual appliances, as well as smaller use cases licenses. 

Forescout products include: 

• XDR
• eyeSight
• eyeInspect
• eyeSegment
• eyeControl 
• eyeExtend
• Forescout Medical Device
• Multifactor Risk Scoring
• Forescout Timeline

Forescout dashboard. Source: Forescout.

Features

• Visibility: 100% real-time visibility of all devices connected to extended networks.
• Zero trust: Zero trust for all connecting devices. Continuous agentless monitoring and a unified policy engine that dynamically segments and isolates all connecting devices. 
• Discover, classify, and inventory: 100% real-time visibility of all IP-connected devices the instant they access the network. Provides an accurate, real-time asset inventory. Users can choose from 20+ active and passive discovery and profiling methods. 
• Device diversity: 12M+ device fingerprints available in the Forescout Device Cloud for device classification. Determine device function, OS, vendor and model, and more.
• Compliance: Detects device noncompliance, posture changes and vulnerabilities. Find and fix managed devices with missing, broken, or nonfunctional agents from your existing security tools.
• Threat detection: Detects weak credentials, IoCs, spoofing attempts, and other high-risk indicators, all without agents. Monitor unmanaged devices.
• Access policies: Provisions least-privilege access to enterprise resources based on user role, device type, and security posture. Prevent connection of unauthorized, rogue, and impersonating devices.
• Forescout Platform: Delivers visibility and automation across all types of assets — IT, IoT, IIoT, and OT.

Pros

• Easy to use. 
• Can rapidly identify and deploy a vast array of devices. 
• Provides NAC advanced features for visualization, security and vulnerabilities. 

Cons

• Pricing is not disclosed online. 
• Complexity: Forescout solutions can be complex to deploy and manage. They require a significant investment in time and resources and can be challenging to scale to large environments.

3. Aruba ClearPass 

Best for SMBs

Aruba HPE. Source Aruba ClearPass. 

Aruba Clearpass, a Hewlett Packard Enterprise company, is popular among SMBs looking to authenticate, authorize, and enforce secure network access control with role-based network policies based on zero trust security.

The solution innovates with AI-powered visibility, robust integrations and state-of-the-art security. ClearPass is available as hardware or as a virtual appliance. It is also a vendor-agnostic technology that works seamlessly with third-party network devices. Besides its Clearpass solution, Aruba offers network switches, access points, and cloud-based technologies. Its ease of use and price make it an SMB favorite. 

Pricing

There are three significant licenses for Aruba ClearPass: Platform Licenses, Base Applications, and add-on Applications. Platform licenses and base applications are required for deployment, while add-ons extend functionality and are optional. 

The solution can be purchased as virtual technology or as hardware. For a detailed explanation of ClearPass licenses, you can watch the following official video. The company does not provide pricing information online; it is only available upon request.  

Aruba ClearPass device insight dashboard. Source: Aruba.

Features

• Robust Network Access Control: Aruba ClearPass Policy Manager (CPPM) provides robust network access control with role-based policies for authentication, authorization, continuous monitoring, and enforcement. 
• Automated BYOD provisioning and device compliance: Users can easily deploy BYOD workflows to authorize employees and contractors.
• Customized visitor experience: Companies using Clearpass can implement secure guest access and build customized web portals for visitors. 
• Automated device configuration:  ClearPass Onboard automatically configures and provisions both PCs and mobile devices — Windows, macOS, iOS, Android, Chromebook, and Ubuntu — enabling them to securely connect to enterprise networks supporting BYOD initiatives.
• Vendor agnostic: Supports Windows, macOS, iOS, Android, Chromebook, and Ubuntu operating systems 
• Automation: Automates the configuration of network settings for wired and wireless endpoints 
• AI-powered visibility: ClearPass has built-in AI-driven device discovery and profiling features. 
• Policy enforcement: The system can detect and respond to security vulnerabilities and breaches from various security, network, and IT sources.

Pros

• Integrations: Provides more than 140 security-based partner solutions.
• Easy to use and deploy. 
• Identifies and reacts to breaches and suspicious activity. 
• Cost-effective. 
• Popular among SMBs. 

Cons

• It may not be suitable for sophisticated network requirements. 
• Troubleshooting can be complex. 

4. Fortinet FortiNAC 

Best for cloud-based NAC solution

FortiNAC logo. Source: Fortinet. 

FortiNAC is a comprehensive NAC solution that provides visibility, control, and security for all devices connecting to your network. Although it can be deployed on-premises or in the cloud, its cloud version leads in the market due to its rapid deployment, scaling, and management. 

The solution is a good option for organizations of all sizes. It is easy to deploy and manage and it offers a wide range of features and capabilities that can help you protect your network from various threats. 

Pricing

FortiNAC pricing can be complex as it varies depending on what products and services the customer needs. The company offers hardware and virtual machines for network controls. 

Additionally, its platform can be acquired under three plans, Base, Plus, or Pro. Licenses can be perpetual or subscription-based and depend on the number of endpoints in the network. Details are explained in this official guide on FortiNAC licenses.

FortiNAC Control and Application Server Settings dashboard. Source: Fortinet

Features

• Device identification and profiling: FortiNAC can identify and profile all devices connecting to your network, including their operating system, software versions, and security settings. This information can be used to identify unauthorized devices, devices out of compliance with security policies, and devices that pose a security risk.
• Policy-based access control: The platform allows users to define granular access policies based on user identity, device type, and other criteria, ensuring security policies and compliance. 
• Compliance reporting: FortiNAC can generate reports that can be used to demonstrate compliance with industry regulations, such as HIPAA, PCI DSS, and SOX.
• Vulnerability assessment and incident response: The technology can scan devices for known vulnerabilities and provide remediation recommendations. It can also help users respond to security incidents by providing information about the devices involved in the incident and the actions that can be taken to mitigate the incident.
• Cloud-based reporting and remediation: Fortinet NAC leverages cloud technology to generate reports that can be accessed from anywhere. The vendor also automatically remediates security vulnerabilities found on devices, reducing the risk of an attack.

Pros

• Compliance: FortiNAC can help organizations comply with various security regulations, including HIPAA, PCI DSS, and SOX.
• Security: FortiNAC is a solution of Fortinet, a company known for its cybersecurity technology. 
• Cloud-based features allow for remediation, rapid updates, visualization, and more. 

Cons

• It can be complex to operate. 
• Steep learning curve. 
• Licensing can be tricky for beginners. 

5. Extreme Networks ExtremeControl 

Best for integrating NAC solutions to existing infrastructure

Extreme Networks ExtremeControl Logo. Source Extreme Networks.

ExtremeControl, a product of Extreme Networks, is a flexible and scalable technology that can be deployed in a variety of ways, making it the best for integrating NAC solutions to existing infrastructure.

ExtremeControl can be deployed on-premises, in the cloud, or a hybrid environment. ExtremeControl can also be integrated with other security solutions, including firewalls, intrusion detection, and identity management systems.

Pricing

Pricing information is only available upon request. Plans and licenses vary depending on the customer’s on-premises technology or cloud needs. ExtremeControl can be purchased as a perpetual license or in subscription models. Prices vary depending on the number of users and features required.

ExtremeControl Extreme Networks. Source Extreme Networks. 

Features

• Identify and authenticate devices: ExtremeControl can identify and authenticate all devices connecting to the network, including their OS, software versions, and security settings. 
• Define granular access policies: Administrators can define granular access policies based on user identity, device type, and other criteria. 
• Network Visibility: Administrators have full visibility into all devices and users on the network, including their identity, device type, and security posture. This information can be used to identify security threats and to improve security posture.
• Unauthorized access: ExtremeControl helps companies protect networks from unauthorized access by enforcing access policies and identifying and remediating unauthorized devices.

Pros

• Flexible deployment options: ExtremeControl can be deployed on-premises, in the cloud, or a hybrid environment. 
• Scalable solution: Can be scaled easily up or down to meet demands.
• Easy to integrate with other security solutions: ExtremeControl can be integrated with various other security solutions, including firewalls, intrusion detection systems, and identity management systems. 

Cons

• The wide range of features and capabilities may be overwhelming for beginners.
• Like all NAC, ExtremeControl can have a negative impact on network performance, especially when running the system on large networks.

Key features of NAC software

As a rule, NAC software should include policy enforcement and session controls, vulnerability scanning and malware detection, and user profiling and reporting capabilities. You’ll also want to consider each solution’s scalability, customer support, and of course its pricing matrices.

Policy enforcement and session control 

Enforcing policies on devices connecting to the network is a fundamental feature of all NAC technologies. This can include policies such as requiring devices to be patched, requiring devices to be encrypted, or requiring devices to be registered with the network.

Vulnerability scanning and malware detection

NAC solutions scan devices for known vulnerabilities. This information can be used to block devices with known vulnerabilities, quarantine devices until they are patched, or remediate vulnerabilities. 

Scalability and integration

Networks are ever-changing environments that can scale up or down and NAC solutions must be able to pivot rapidly, offering customers easy-to-use scalability. When traffic increases, NAC tools must be able to manage it by scaling without affecting performance or compromising security. 

Additionally, integration is essential in the modern digital era. NAC platforms and hardware must integrate with other security solutions, such as firewalls, intrusion detection systems, and antivirus software. 

User profiling and reporting 

Profiling users and devices is another crucial component of NAC systems. They should offer visibility into performance, risks, vulnerabilities, and network status. Administrators can block unauthorized devices, quarantine infected devices, or remediate vulnerabilities by profiling users.

Reporting is also fundamental. It can be used to make data-driven decisions about the network, present compliance and security reports, and better understand users, credentials, certificates, and more. 

Customer support

NAC solutions can be highly advanced, therefore having solid, dependable customer support can make a big difference. 

Pricing 

As a rule of thumb, NAC vendors do not disclose pricing online. Their products, services, solutions, and licenses can also be complex. To understand the costs, and whether they align with your company’s budget, you’ll need to reach out to each vendor’s sales team and do your research. 

How to choose the best NAC software for your business

Choosing the best NAC software for your business depends on several factors, including your organization’s size, industry, and security needs. Before taking the leap, consider what NAC solutions are the best for your business size and network demands. 

Also take into consideration your industry. Some vendors offer specialized NAC technology for healthcare and IIoT for manufacturing. The number of users, contractors, and guests on your network will also be a defining factor. 

No matter which NAC solution you choose, it is important to ensure it is properly implemented and configured. Do your research, get quotes from multiple vendors, make sure the service and products align with your business goals, and consider your needs and compatibility. 

Frequently Asked Questions (FAQs)

What are NAC technologies? 

NAC stands for Network Access Control. Companies offering NAC solutions usually sell software, licenses, hardware, cloud platforms, and virtual machines to create a security framework that helps organizations control who and what can access their networks. 

NAC solutions typically use a combination of policies, enforcement mechanisms, and profiling tools to assess the security posture of devices and users before granting them access to the network.

What is policy enforcement?

Policy enforcement in NAC ensures that devices and users comply with the organization’s security policies. 

Policy enforcement is an essential part of NAC because it helps to protect the network from unauthorized access, malware, and other threats. By enforcing security policies, users can ensure that only authorized devices and users can access the network.

Why are user and device profiling important in NAC solutions?

The number of devices connecting to a network has increased exponentially in recent years. This creates a problem, as the digital attack surface of companies keeps increasing, giving cybercriminals more chances to find vulnerabilities. 

Knowing which devices and users are connected also allows administrators to manage traffic and privacy and gain critical insight into a network. Companies can enforce security and authentication by identifying and profiling users and devices, preventing malware infections, and shutting down unauthorized users. 

How do NAC solutions help companies stay compliant?

From GDPR to the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and other national and international laws, NAC solutions can help companies stay compliant with regulations by enforcing security policies, preventing unauthorized access and providing visibility. 

Additionally, some NAC technologies offer compliance reporting capabilities that companies can leverage when presenting reports to authorities. 

Why do NAC solutions rarely provide pricing online?

There are a few reasons why NAC solutions rarely provide pricing online. But most importantly, NAC technologies vary greatly depending on the needs of an organization, including the type of network, if they need hardware or software, and how many users and devices the network has.

Many NAC solutions are sold as part of a larger security suite, which includes other security products such as firewalls, intrusion detection systems, and antivirus software. 

Do I still need threat detection if I have a NAC solution running? 

While NAC technology can run vulnerability scanning and malware detection, you still need threat detection. Threat detection solutions can help to identify and respond to threats that have already bypassed NAC controls. Furthermore, NAC solutions work together with threat detection technologies providing a multilayered approach to network security. 

What are the benefits of NAC?

NAC can help to improve the security and performance of a network in several ways, including:

• Preventing unauthorized access to the network.
• Protecting the network from malware and other threats.
• Enforcing security policies on devices and users.
• Providing visibility into the network and its users.

What are the challenges of NAC?

NAC can be complex and challenging to implement. 

Some of the challenges of NAC include:

• Integrating NAC with existing security solutions.
• Managing NAC policies and enforcement.
• Educating users about NAC.

Methodology

We looked into the best-performing vendors and alternatives to write our review and evaluate the top NAC solutions and features. We examined sites that compile aggregate data based on verified user reviews. We also reviewed demos on vendor sites, test-drove the software when possible, and scoured through the official sites of the featured vendors to evaluate their features, customer service, user-friendliness, price, and scalability.

Bottom line: Protecting your network with NAC

Driven by the global digital transformation that followed the post-pandemic era, NAC solutions have become vital privacy and security solutions. NAC technology manages and monitors devices, enforces policies, identifies security weaknesses and leverages automation and AI to make your networks better and safer. 

If you are looking to gain visibility in your network, reduce data breaches, enforce policies, reduce costs, and increase performance and security, NAC solutions can help you to achieve these goals.

For more tips on improving your network security profile, here’s a quick guide to conducting a network security audit at your organization.

The post Top 5 Network Access Control (NAC) Solutions for 2023 appeared first on Enterprise Networking Planet.

Netgear and Cisco are leading manufacturers of ethernet switches, each with its own strengths. Netgear is known for its affordable and easy-to-use products, while Cisco is known for its high-performance and feature-rich switches.

While both brands have a wide range of models to attract all types of buyers, they tend to be more popular among different sectors:

• Netgear: Best for home and small business 
• Cisco: Best for medium and large enterprises

Here is an overview of each brand’s offerings, their strengths and weaknesses, and when to choose one or the other for your organization.

Netgear vs. Cisco at a glance

Best for pricing: Netgear

For those looking for ethernet switches on a budget, Netgear is an attractive option, as Cisco switches tend to be more expensive.

Both brands offer great value for price, but Netgear specializes in easy-to-use, affordable switches. This applies to its whole range of ethernet switches, from the most basic for home and small businesses to the more advanced.

Best for home users: Netgear

Home users want ethernet switches that are easy to use, fully managed, plug and play, and have good speed and security. They also usually do not require a lot of ports. 

This is a niche market that Netgear has mastered with products like its 300 Series SOHO Unmanaged Switch 5-Port with 4-Ports PoE+ (83W) (Figure A) for $59.99, its 5-Port Gigabit Plus Switch Series (GS105Ev2) and Gigabit Unmanaged Switch Series (GS105), and its essential Home/Office Ethernet Switch Series (GS605v5) for just $34.99.

The brand gives home consumers precisely what they need. Netgear also has 8, 16, and more port models for users that require more ports.

On the other hand, while Cisco’s main strength is focused on small, medium, and large enterprises, the brand does offer some options for home users. These include the MS120-8 Compact access switch with optional PoE. The product has eight 1G ports. However, it retails for over $650. The more affordable product of Cisco is the Business 110 for just $60.

Best for small and medium businesses (SMBs): Cisco

Small and medium businesses that are not limited by budget and are looking for robust, reliable, high-performing ethernet switches might find better options in Cisco’s products.

Cisco small business ethernet switches are designed for flexibility and simplicity. They can be cloud-managed, getting automatic updates delivered directly to the switch from the cloud, or can be on-premises. Cisco products for this sector range from the Cisco Business 110 Series to the Cisco Business 220 Series Smart Switches for $150, the Meraki Go GS110 Network Switch Series for $299, and the more advanced Catalyst 1000 Series Switches.

Netgear options for small businesses include the Multi-Gig series, the smart switches series with optional Remote/Cloud Management, and a range of Power over Ethernet (PoE) switches.

PoE will allow you to power smart devices and endpoints such as VoIP phones, surveillance cameras, or wireless access points. Before making a purchase, always consider PoE capacity, in addition to switch speeds and the number of ports you need.

Another vital feature to consider, especially if your SMB has expansion plans, is whether the switch is standalone or stackable.

Finally, small business owners not heavily IT-committed might consider unmanaged switches; these come with plug-and-play features, which require no advanced knowledge for setup, deployment, operation, and maintenance. It is important to understand that unmanaged switches have limited capabilities and cannot be modified or managed. These types of switches are often used in home and small office network environments.

Best for large businesses and data centers: Cisco

Founded in 1984, Cisco brings almost 40 years of experience and leadership to the industrial ethernet switch market. The brand’s extensive business and data center products are known for their high performance, reliability and security. They are also very scalable and stackable, making them ideal for large enterprises and data centers.

Cisco offers many ethernet switches for large enterprises running advanced operations. Some options include: 

• Cisco Catalyst 9000 Series Switches (Figure C).
• Cisco Nexus 9000 Series Switches, providing industry-leading data-center performance.
• Cisco Catalyst 6500 Series Switches.
• Cisco Catalyst IE9300 Rugged Series Switches for industrial uses. 

Alternatives from Netgear are more affordable but still offer good performance and reliability. Some popular Netgear ethernet switch models for large enterprises and data centers include:

• Netgear ProSafe Gigabit Smart Switch.
• Netgear ProSafe Plus Gigabit Smart Switch.
• Netgear ProSafe Managed Gigabit Smart Switch.

Netgear also offers specialized ethernet switches for Audio-Visual solutions, such as the M4250 AVLine. 

Strengths: Cisco vs. Netgear

Let’s dive into each brand’s strengths to understand which is the right fit for your home or business.

Cisco’s advantages are: 

• Performance: Cisco ethernet switches can handle high traffic loads and provide low latency for VoIP and video streaming applications.
• Reliability: Cisco ethernet switches are very reliable, designed to operate 24/7, and are backed by a warranty.
• Security: Cisco offers high protection and switches can be configured to prevent unauthorized access to the network and protect data from unauthorized access.
• Scalability: Cisco ethernet switches can be easily added to or expanded as your network grows.

On the other hand, the advantages of Netgear ethernet switches are:

• Affordability: Netgear ethernet switches are more affordable than Cisco ethernet switches, making them a great option if your company is on a budget.
• Ease of use: Netgear ethernet switches are easy to use. They can be rapidly deployed. The brand is known for its unmanaged switches with plug-and-play features.
• Warranty: Netgear backs up all its products with an extended warranty. This gives you peace of mind knowing that your investment is protected.

Why shouldn’t you use Netgear or Cisco?

Who shouldn’t use Netgear?

There are several cases in which users may want to stay clear of Netgear. Multinational, industrial, massive data centers, and other sophisticated IT operations with high demands for speed, latency and traffic should consider using Cisco products instead. These products might be more expensive, but they will meet the high requirements of these types of business.

Who shouldn’t use Cisco?

Homeowners and small and medium businesses looking for fast connections and reliable solutions, but on a very tight budget, will probably want to avoid Cisco. The price of Cisco ethernet switches can be much higher than that of Netgear. And while Netgear’s cost may be low, they still provide great value.

Top 3 Netgear and Cisco alternatives

There are other options in the market besides Netgear and Cisco. Aruba Networks, Juniper Networks, and Dell ethernet switches are three popular alternatives.

Aruba Networks is a well-known brand in the networking industry. Its ethernet switches are high performing, reliable, and secure. Aruba switches are also scalable and ideal for large enterprises and data centers.

Juniper Networks is another well-respected brand in the networking industry. Juniper switches offer a wide range of features and capabilities, making them a good choice for businesses with demanding network requirements. 

Finally, Dell also provides ethernet switches built on its experience as a leading IT solutions provider. Dell ethernet switches are robust and powerful, suitable for both home and business networks.

Bottom line: NetGear vs. Cisco ethernet switches

When it comes to the best ethernet switch, there is no one-size-fits-all solution. The best choice will depend on several factors, such as what speed you need, how many ports you have, what your security and traffic demands are, and if you need to power devices. Additionally, managed or unmanaged, cloud or on-premises, can be deal-breaking features. 

Cisco and Netgear are both reputable brands that offer a wide range of ethernet switches. Both can deliver excellent value, and which brand you choose should depend on your needs and your budget. If you need a high-performance, reliable and secure ethernet switch, Cisco is a good option, while if you are looking for an affordable and easy-to-use ethernet switch, Netgear is the way to go.

For more top networking options, see our full rundown of the best network switches available on today’s market.

The post Netgear vs. Cisco Ethernet Switches: 2023 Comparison appeared first on Enterprise Networking Planet.

How to block a program in Windows Firewall

Blocking a program with Windows Firewall is straightforward if you have the right steps. The process is very similar for Windows 10 and 11. Here is how to block a program in six simple steps.

1. Open Windows Defender Firewall

The first step involves accessing the Windows Firewall Advanced Setting configuration, where you will make the necessary adjustments and configure the firewall to block a program of your choice.

There are many ways to open the Windows Defender Firewall. You can open it through the search bar at the bottom left of your screen or open the Run window by pressing the Windows + R keys and typing in WF.msc.

To access Windows Defender Advanced Settings:

1. Open Windows Defender Firewall by searching or using run commands. 
2. On the left menu of the Windows Defender Firewall window, click on Advanced Settings (Figure A).

2. Access Outbound Rules

As previously mentioned, Windows Firewall works through a set of security rules. While most users keep the default settings, the Windows Defender Firewall is much more sophisticated and can be customized.

Creating inbound and outbound (network traffic) rules is one of the main features that can strengthen security and create isolated digital architectures.

In this step, you will access the outbound rules to block a program with the firewall.

To do this, click on Outbound Rules in the left pane of the Windows Firewall window (Figure B).

3. Create new Outbound Rule

Creating firewall rules may seem overwhelmingly technical for nonadvanced users. However, if you follow the following steps, it can be a simple and effective way to block programs.

To create a new outbound rule, click on New Rule… under Actions in the right pane of the Windows Firewall window (Figure C).

4. Select Program from the Rule Types

This step is essential, as it defines what type of rule you want to create. Once you click New Rule…, you will see four options: Program, Port, Predefined, and Custom. Each option serves a different function:

• Program rules block or allow apps and software.
• Port rules control connections for TCP or UDP ports.
• Predefined rules control connections for the core Windows experience.
• Custom rules are those that a user customizes. 

Because you are trying to block a program, select Program from the four types of rules (Figure D) and click Next.

You will now have two options: To either select All programs or to block a specific program.

To block a specific program, select This program path: and click Browse (Figure E). The directory will open for you to search for the program you want to block. You’ll need to locate the .exe program file of the program you wish to block.

Once you have located and selected the program you want to block, click Next.

5. Block the connection

At this stage, Windows Firewall will move on to Action. You will then have three options: 

• Allow the connection
• Allow the connection if it is secure
• Block the connection

Select Block the connection and click Next (Figure F).

6. Set profiles

The final step involves setting the profile and choosing a name for your rule so you can quickly identify it in the future.

On the New Outbound Rule Wizard window, you must answer the question, “When does this rule apply?”

You can select one, two, or all three options listed:

• Domain: The rule will apply when your computer is connected to its corporate domain.
• Private: The rule will apply when the computer is connected to a private network, such as your home.
• Public: The rule will apply when connected to a public network.

Select the type of profile or profiles you want the rule to apply to, and click Next (Figure G).

7. Name the rule

Finally, you must choose a name for your rule and add a description.

Do not type in a generic name. It will only make it difficult to find when you need to deactivate or delete the rule.

Even though it’s optional, adding a description is important, especially if you are creating several rules, as it may help you remember the rule’s specifics and why you created it.

Once you’ve entered your name and description (Figure H), click Next.

You should now see the new rule under the list of all Outbound Rules in the Windows Firewall Advanced Settings center panel (Figure I).

Can you temporarily block a program with a firewall?

You can temporarily block a program using Windows Defender Firewall’s Allowed Apps and Features tool. 

To temporarily block a program:

1. Open Windows Defender Firewall by searching or using run commands.
2. In the left pane, click Allow an app or feature and then click on Change settings.
3. You will now see a list of all your apps and programs. Search the list to find the program you want to block. If you do not find the program, use the Browse option to locate it. Then select the program and click Add to add it to the list. 
4. You will notice that some of the programs in the list are checked in the left checkbox, while others are not. Those that are checked are currently allowed by Windows Firewall. Uncheck the program you want to temporarily block and click OK to save your changes (Figure J).

Note that you can decide whether to block the program on Private networks, Public networks, or both.

Bottom line: Blocking programs in Windows Firewall

Firewalls are essential for data privacy and security, and Microsoft Windows Firewall Defender has an excellent performance rate.

Though customizing firewalls may seem to be something only the most advanced users should be doing, nothing is further from the truth.

If you need to block a program, an app, or a feature, all you need to do is follow the simple steps outlined in this guide.

Thinking about moving on from Windows Firewall? We reviewed the best firewall software to protect your network.

The post How to Block a Program with Firewall in 7 Easy Steps appeared first on Enterprise Networking Planet.

Linux virtual memory uses different techniques, such as copy-on-write, demand paging, and page aging in order to improve performance by offloading redundant or unnecessary processes from the disk.

This article will explain how Linux virtual memory works and provide a brief tutorial on how you can set up virtual memory on your own Linux machine.

How virtual memory works in Linux

Virtual memory is generally thought of as only used to extend a system’s physical RAM. However, Linux techniques and virtual memory components execute more sophisticated tasks.

Linux virtual memory allows each process to have its own private address space, even though there may not be enough physical memory to map all the addresses in all processes simultaneously.

It achieves this using a technique known as “paging.” Paging basically swaps memories from the physical memory to disk storage and back, depending on how frequently they are used.

Paging also gives each process the exact amount of memory it needs. For example, when a new process is created, the OS creates a virtual address space. But because this address space is “bigger” than the process itself, the OS will identify the pages of memory that the process needs. Then all the pages that the process does not require will be kept on disk in a swap file or swap partition.

Linux virtual memory techniques

Using Linux virtual memory techniques, users can run more processes than would normally be possible, run processes simultaneously, or use all of the available physical memory.

Linux virtual memory techniques include copy-on-write, demand paging, and page aging.

• Copy-on-write: When creating new pages of memory, Linux does not allocate new physical memory for a page but creates a virtual address for the page and marks the page as “shared.” When the process tries to write to the page, the OS only writes to the physical memory if the page is not already in use by another process. This can save a lot of physical memory, especially if multiple processes are using the same data.
• Demand paging: The only pages of memory that are loaded by Linux into the physical memory are those that a process demands or attempts to access. The benefits of this technique include speeding performance by not loading pages that are not often needed.
• Page aging: Linux virtual memory keeps track of every page of memory being used. The inactive or less accessed are likely to be swapped out to disk, while the most used ones are kept in the physical memory.

The Buddy and the Slab Allocator

The Linux kernel has two main memory allocators: the Buddy Allocator and the Slab Allocator.

The Buddy Allocator

The Buddy Allocator interacts directly with the Memory Management Unit (MMU), providing valid pages when the kernel asks for them. It also manages lists of pages and keeps track of different categories of memory addresses.

The Buddy Allocator is a general-purpose memory allocator and can be used to allocate memory of any size. It works by dividing memory into a binary tree of blocks. Every time a process requests memory, it will find the smallest block that is large enough to meet the demands of the request and allocate the block to the process.

The Slab Allocator

The Slab Allocator is a layer of the Buddy Allocator and provides the ability to create a cache of objects in memory. It is used to allocate memory for small objects.

The Slab Allocator groups objects of the same size together into a slab. When a process requests an object, the Slab Allocator checks the cache to determine if the object is already in memory.

If the object is in memory, the Slab Allocator returns the object to the process. If the object is not in memory, the Slab Allocator allocates a new object from the cache and returns the object to the process.

Linux memory pages

Linux classifies different types of pages in the virtual memory as:

• Free pages: Pages of memory not used by any process at the time and available to be allocated to a process that needs them.
• Active pages: Pages of memory in use by one or more processes. These are not available to other processes until they are no longer being used.
• Inactive pages: Pages of memory that are not being used by any process and have not been modified since they were last read from disk. These pages are available to be swapped out to disk to free up physical memory.
• Dirty pages: Refers to pages in use by one or more processes and which have been recently modified. To be swapped, these pages must be written.

Linux kernel tasks

Linux also has a number of kernel tasks for specific aspects of virtual memory management.

For example, the page fault handler, responsible for managing page faults, is activated when a process attempts to access a page of memory that is not in physical memory. The page fault handler brings the page from the disk into physical memory and resumes the execution of the process.

The memory pager is responsible for swapping pages of memory to disk. It is used by the OS when it needs to free up physical memory. The memory pager selects the pages of memory that are swapped by identifying which are not being used frequently.

Similarly, the page reclaimer brings pages of memory that have been swapped out to disk back into physical memory. It is activated when a process requests access to these pages.

Setting up virtual memory in Linux with tunable parameters

Tunable parameters are kernel settings that can be adjusted to improve the performance of your system. They can be adjusted in real-time using the sysctl command or in the /etc/sysctl.conf file.

Remember that changing parameters can have negative impacts on your system and affect your performance.

Let’s look at the most important tunable parameters for virtual memory.

Vm.Swappiness

vm.swappiness is a parameter that controls how aggressively the kernel will swap out pages of memory to disk.

When set at a value of 0, the kernel will never swap out pages of memory. If set at 100, the kernel will swap out pages of memory as soon and as rapidly as they are no longer in use. The value set by default is 60.

For example, to set vm.swappiness to 10, you would use the following command:

sysctl -w vm.swappiness=10

VM.Dirty_Ratio

With this parameter, users can control how full the kernel’s writeback cache can get before it starts writing dirty pages to disk.

Once again, if vm.dirty_ratio is set to 0, the kernel will never write dirty pages to disk. Set to 100, it will write dirty pages to disk as soon as they are dirty. The system default value is 20.

To change this parameter to 80 in real-time, with immediate effect, use the following command:

sysctl -w vm.dirty_ratio=80

Vm.Dirty_Background_Ratio

vm.dirty_background_ratio defines how full the kernel’s writeback will get before it starts writing dirty pages to disk in the background.

Set at 0, no dirty pages will be written in the background, while when set at 100, the kernel will write dirty pages to disk in the background as soon as they are dirty. The default value is 10.

The code to set the parameter at 25 is:

sysctl -w vm.dirty_background_ratio=25

This will immediately switch the parameter to 25. Using this example, the kernel will only start writing dirty pages to disk in the background when the writeback cache is 25% full. This ensures dirty pages are not written to disk too late.

If the writeback cache is too full, the kernel may have to start writing dirty pages to disk in the foreground, causing noticeable slowdowns.

What are the best practices for managing memory in Linux?

There are several techniques and good approaches to take when managing virtual memory in Linux systems.

You can use a swap file or a partition, a portion of your hard drive, to store pages of memory that are not in use by any process. This improves performance by freeing up physical memory.

You can also check the amount of physical memory on your system (free -h), determine the amount of swap space you need (free -h | grep -i swap), and check the status of your virtual memory (free -h | grep -i swap).

Other common good practices, such as keeping your computer in good shape, closing applications you are not using, and deleting unnecessary files, can also help improve your virtual memory management.

It’s critical that you keep your Linux OS updated constantly, as the Linux kernel is constantly releasing new features and bug fixes.

Bottom line: Using Linux virtual memory to improve performance

Linux virtual memory is an excellent feature, but understanding how it works is critical to improving its performance.

Armed with the information in this article—from how it works, how it defines and classifies pages, and what techniques it utilizes to the most used parameters to better configure a system—you should be able to start implementing this valuable feature.

Always remember that resetting parameters can negatively impact your system and requires testing, but if you are careful and take the right steps, you can dramatically increase the performance.

We analyzed, selected, and reviewed the best network virtualization software to further boost server performance.

The post Linux Virtual Memory: Optimizing Virtual Memory on Linux appeared first on Enterprise Networking Planet.