Network World

ConSentry controls 'Net access

By Tim Greene, Network World, 09/19/2005

ConSentry is shipping a security box that enforces policies on LANs without requiring customers to upgrade switches, which they must do if buying into comprehensive plans from some large network vendors.

The Secure LAN Controller limits the network resources individuals are allowed to access and shuts down suspicious connections that appear to be the work of malware, the company says.

The boxes sit between workgroup switches and routers, inspecting traffic up to Layer 7, and, by virtue of using custom chips, accomplish this with a worst-case latency of 500 microseconds, says Tom Barsi, the company's president and CEO.

The devices have four aims: controlling access to the network, showing what each user is doing, managing the resources individuals and groups can reach, and stopping outbreaks of viruses and worms. These are similar to the goals of Cisco's, Juniper's and Microsoft's security initiatives.

The difference is that ConSentry's setup requires less equipment and less cooperation among vendors, making it simpler to use, says Dave Passmore, research director for Burton Group.

The Las Vegas Review-Journal newspaper finds that operating and maintaining its ConSentry devices is much simpler than the alternative it had been using, says Steven Olson, the paper's infrastructure manager. The company had restricted the resources users could access by installing internal firewalls and establishing rules that restricted certain subnets to a specific set of network resources. The system relied on static IP addresses, so any time a user moved offices, he had to change firewall rules.

With the ConSentry box, policies for individual users are set in Active Directory and the Secure LAN Controller enforces them. "My profiles remain in effect even with roaming," Olson says. With policies applied per user rather than per machine, the Review-Journal has been able to institute DHCP, as well.

ConSentry's appliance provides real-time views of what users are doing and furnishes reports on incidents, something that was difficult with Juniper intrusion-prevention gear and NetScreen firewalls the company had in place, Olson says.

ConSentry's device doesn't address all the factors that Cisco's Network Admission Control does. For instance, it doesn't scan the machine logging on to see whether it meets corporate security policies, but Barsi says the company will announce a partner within a month that will provide endpoint security.

Secure LAN Controller comes in two models, the CS 1000 and CS 2400. The former supports 200 users, has 10 Gigabit Ethernet ports and supports 2G bit/sec of throughput. It costs $18,000. The CS 2400 supports 1,000 users, has 24 Gigabit ports and a throughput of 10G bit/sec. It costs $28,000.
