Network World

ConSentry plugs into directories for NAC

By Bryan Betts, TechWorld, 01/29/2008

Secure networking developer ConSentry Networks has introduced what it calls its Intelligent Switch architecture - in essence, a firmware upgrade which adds application and role-based control within the network.

The ConSentry devices were already able to pull a user's profile out of an identity store such as Microsoft Active Directory, RADIUS or LDAP, and use this to control network and application access, as we reported in our review last year.

What's new, claimed the company's CTO Jeff Prince, is that it can now automatically work out who should have access to what, and where, based on role data stored in the directory.

"The system now uses roles, and enforces without you having to program ACLs into switches, set up VLANs or anything. The IT manager doesn't have to get involved," he added. "In effect, it writes your business policies to the switch."

He said this means an organization can consolidate its security permissions in one place - the directory - with the ConSentry system automatically binding changes into the network.

This is already working well, said Lou Owayni, global network and telecom manager at Adaptec, which has a Cisco core with ConSentry LANShield edge switches.

"With LANShield, when new users are placed in Active Directory, I can safely and automatically add them to the LAN and implement access controls with a single touch," Owayni added.

Like other flow-based network devices such as WAN accelerators and IPS, the ConSentry switch includes a deep packet inspection (DPI) processor able to identify applications at Layer 7, not just by port number. The system can also tie in with ID management software and handle non-user devices such as printers, Prince said.

He noted that ConSentry does still sell NAC appliances, in particular to companies which aren't ready to refresh their edge switches and want to add security non-disruptively.

He said, though, that this application and role-based security really belongs within the edge switch, and predicted that other vendors would follow ConSentry's lead over time.

"Cisco with TrustSec has acknowledged the need to bring in user and role data, and so does Juniper's announcement this week," he said.

Juniper already has similar security technology, in its UAC devices, and is about to launch a range of enterprise switching products.

Prince said that the Intelligent Switch firmware is already shipping within ConSentry's 24- and 48-port switches, and will be a free upgrade for switch or controller customers with a support contract.


Comments (4)

Too little too late for ConSentry?
By Anonymous on April 4, 2008, 2:30 am
The NAC market really has taken a hit recently. With Lockdown closing down, Vernier changing into autonomous something, and ConSentry layoffs in March, are smaller...


NAC Market
By Ray Wizbowski on April 5, 2008, 12:31 pm
The last month has been very interesting, but not surprising. I have been commenting that 2008 would be a shake out year for NAC in which the real market leaders...


There is still company doing NAC?!
By Anon on July 26, 2008, 3:15 am
I am really sorry to hear there are still companies around doing NAC development! Wake up! NAC is the stuff that CSCO invented to push sales of their hardware and...


Greatly written indeed… I
By Christie Monteiro on March 6, 2009, 7:27 am
Greatly written indeed… I really enjoyed your article and found it to be very informative, keep up the good work, I’ll be coming back to read any of your future...
