802.1x and IPsec for Securing An Intranet

Which is better for securing our intranet: 802.1x or IPsec? Our company has several branch offices with varying degrees of physical security and many publicly accessible areas that have network drops connected to our corporate intranet. Like most companies, we have many visitors, including clients, contractors, consultants, and other business partners. We're interested in preventing rogue or insecure computers infected with malware from connecting to our intranet.

802.1x and IPsec are complementary technologies that require computers to prove they are trusted. 802.1x is a hardware-based solution that limits access to the network, whereas IPsec is a host-level protocol that secures packets. IPsec requires that sending and receiving devices share a public key. 802.1x has specific hardware requirements that apply to edge switches (i.e., switches connected to your network receptacles, also known as "drops," that must support 802.1x). When a computer connects to a port on a switch, the 802.1x switch requires the computer to authenticate before the switch opens the port to the network. 802.1x doesn't re-authenticate until the computer is physically disconnected from the port and reconnected, which triggers 802.1x authentication again. 802.1x requires a Remote Authentication Dial-In User Service (RADIUS) server (two for fault tolerance), against which the edge switches authenticate computers that are connected to controlled ports on the switch. IPsec authenticates, checks the integrity of, and optionally encrypts packets. Although 802.1x protects initial access to the network itself, IPsec protects individual computers on the network. IPsec is the more popular choice for securing intranets because 802.1x is more vulnerable to an attacker and IPsec is more flexible.