Start-up takes aim at low-cost security offerings

By Tim Greene, Network World, 07/18/2005

A new vendor is expected to come out this fall with an appliance it says will provide protection similar to, but less expensive than, the comprehensive schemes laid out by established network vendors.

The well-funded start-up ConSentry Networks, with a distinguished leadership team, has built three custom chips to give the device the processing power it needs to parse packets to Layer 7, keep track of sessions and enforce access policies.

For example, the device will be able to deny individuals or groups access to applications chosen by network executives, as well as shut down connections that exhibit the behavior of worms and viruses in accordance with policies, says Tom Barsi, ConSentry's president and CEO.

The device would sit between workgroup switches and core routers, monitoring traffic and enforcing policies. Protecting a network would require multiple ConSentry devices, Barsi says. That is less expensive than upgrading switches so they can enforce policies with 802.1x authentication and installing a battery of software on each client machine to protect it from attacks, he says.

The appliance, whose name and price the company has declined to reveal, secures a network from within, instead of assuring that the devices accessing the network are secure, as is the case with initiatives by Cisco (NAC), Juniper (JEDI) and Microsoft (NAP), says Andreas Antonopoulos, founding partner of Nemertes Research. "They require a high level of software complexity instituted on the clients," he says.

By contrast, ConSentry's device moves the protection off the clients toward switches. "It gives you an additional hardware perimeter within the enterprise LAN," he says. The main benefit is that if network-based security can respond fast enough, it can stop the rapid propagation of new threats on the network, he says.

The downside is that businesses with a lot of mobile workers will need to install protective software on laptops to protect them when they are not attached to the corporate LAN, he says. Network-based security is a good and probably less-expensive choice for businesses primarily using fixed desktops, such as call centers.

"My gut reaction is that it is cheaper to do LAN-based security than to update the software on every endpoint," Antonopoulos says. But many businesses will need both network-based and client-based security because of their high number of mobile workers, he says.

The ConSentry device seems a good choice to protect VoIP phones, which are vulnerable to many PC-type attacks but generally lack security software, he says.

The appliance will enforce policies set within other platforms, such as Active Directory or RADIUS, so policies can be applied to individuals or groups depending on what customers define.

The company's three founders - Barsi, chairman and CTO Jeff Prince, and chief scientist Mario Nemirovsky - all have created successful start-ups before (see graphic). They have attracted $31.1 million in venture capital. The long-term goal of the company is to sell its technology as blades that network companies can install in their switches, Barsi says.
