
Start-ups look to horn in on net control

LAN security appliances enforce policies at access switches.

By Tim Greene, Network World
November 14, 2005 12:05 AM ET

Businesses that seek more control over who and what machines access their LANs but don't want to wait for network equipment vendors to get their plans in place have another option: appliances that impose such controls without requiring switch upgrades.

This week a start-up called Nevis is scheduled to announce its alternative: two network devices that enforce policies by allowing access to authorized resources, denying access to unauthorized ones, or shuttling a non-compliant machine to a quarantined network.

This is similar to the approach taken by competitors ConSentry Networks and Vernier Networks. All three vendors' appliances sit between LAN access switches and LAN distribution switches to exert control over individual access switches, so if a desktop starts misbehaving, it can be isolated without affecting an entire LAN segment. Nevis' LANenforcer gear can serve as the access switch and provide per-port control of security policies.

Equipment from Nevis and Vernier also checks that computers meet network security profiles, such as having appropriate patches and virus protection in place.

Cisco's Network Admission Control (NAC), Microsoft's Network Access Protection (NAP) and Juniper's Enterprise Infranet initiatives have similar goals but require software agents on every desktop and upgraded switches that can act as enforcement points for security policies.

Joel Snyder, a senior partner at Opus One, a consulting firm in Tucson, Ariz., and a member of the Network World Test Alliance, describes the new appliances as "high-density, high-performance, identity-based firewalls." The smaller vendors may have an advantage, he says.

"I see this as a technology that will do many of the things that NAC wants to do, and in fact might be better than NAC/NAP . . . at pushing the brains into the network rather than expecting them to be at the edge, where the PC is," Snyder says.

The main downside of NAP and NAC is that they require upgrades and overhauls across a range of equipment, says Lloyd Hession, CSO for financial networking service provider BT Radianz, which uses ConSentry gear. "We're a huge Cisco shop, and the challenge Cisco NAC has is it typically requires a lot of upgrades. Unless you're building from scratch or have a huge amount of money for your project, it's going to take a very long time," he says.

The other issue is that the Cisco and Microsoft alternatives are not ready. "When everything shakes out with the Cisco and Microsoft solutions, it will be 24 months down the pike," according to the infrastructure architect for one of the top five commercial insurance companies in the United States, who is testing Nevis gear. In the case of Microsoft, waiting for the client software and testing it before deploying could take another 12 months, he says.

But many businesses are looking for better, simpler LAN access control. For example, consultancy Financial Engines of Palo Alto places a firewall between its corporate network and its production network, the network where customer financial information resides and where financial advice is generated.
