Start-ups ConSentry Networks and Nevis Networks have stepped into the network access control ring with in-line enforcement products that promise high levels of security with minimal impact on existing network infrastructures.

In this Clear Choice Test we found that ConSentry's LANShield CS2400 Controller coupled with its InSight Command Center management system comes closer to that mark with an enterprise-ready package that has only a few rough edges. Nevis' LANenforcer 2024 appliance coupled with its LANsight Security Manager trails in comparison because of overall design issues and more than its fair share of bugs.

Performance tests for ConSentry, Nevis
How we tested NAC products
Archive of Network World tests
Subscribe to the Network Product Test Results newsletter

At the core of LANShield and LANenforcer are very high-speed, high port-density, stateful firewall devices and intrusion-prevention systems (IPS). Both claim a maximum of 10Gbps throughput and a capacity of 1,000 users. They have many potential uses, such as traditional firewalls in a data center or as rate-limiting IPSs, but the buzz around NAC in the last 12 months has been deafening, and both products are being positioned -- at least this week -- as NAC solutions.

	LANShield CS2400 Controller V2.2 and InSight Command Center OVERALL RATING 3.78 Company: ConSentry Networks. Cost: $38,500 for LanShield and $8,000 for InSight. Pros: Excellent policy definition tools; versatile authentication and enforcement options. Con: Weak intrusion-protection system functionality. LANenforcer 2024 V2.0 and LANsight Security Manager OVERALL RATING 3.35 Company: Nevis Networks. Cost: $35,000 for LANenforcer and $7,000 for LANsight. Pros: Network security visibility; role assignment versatility. Cons: Policy definition clumsy; captive portal authentication only real option. The breakdown  ConSentry Nevis Authentication/authorization 20% 4 3 Endpoint security 25% 3.5 3.5 Enforcement and IPS 25% 4 3.5 System management 20% 3.5 3.5 Stability/maturity 20% 4 3 TOTAL SCORE 3.78 3.35 Network World Buyer's Guides: Research your NAC product options in the NWW IT Buyer's Guide. Click here. Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar

Click to see: ConSentry, Nevis results

The use case goes like this: Enterprises want to implement NAC, but they want to minimize changes and upgrades to their installed LAN switching infrastructure. The LANShield and LANenforcer boxes we tested have 10 and 12 pairs, respectively, of Gigabit Ethernet ports. Install either device next to your core switch. For each uplink from a wiring closet, use a port pair to run the traffic through the device before passing it to the core switch. This gives you a control point -- both companies call their devices controllers rather than security switches -- to authenticate users, apply highly detailed per-user stateful firewall controls, and use as an internal IPS.

We looked at these products as NAC devices and focused on four areas critical for any NAC deployment: authentication and authorization, endpoint-security posture assessment, traffic enforcement, and system management (see "How we tested NAC products"). We are assessing the performance of these products in a separate test and will post those results when they are available.