ConSentry switches NAC around a bit

ConSentry LANShield

Cost: $13,995 for LANShield switch; $2,995 for 100 agents; $7,995 for Insight Manager.

Score: 3.93

ConSentry integrates standard functionality for network-access control directly into a switch device it calls LANShield — which then replaces your existing access switches. The LANShield switch and all role- and policy-management capabilities are managed by ConSentry InSight, a standalone Windows-based management application while endpoint assessment is carried out by an agent ConSentry licenses from Check Point.

ConSentry also offers a second NAC option called the LANShield Controller, which we tested late last year. The Controller sits a little farther into the network, such as between the access and distribution layers, and controls NAC policy enforcement from there.

For this round of testing, we evaluated the LANShield switch, the product ConSentry submitted for this review, deployed it in-line as our access-layer switch in the test network. We did not employ ConSentry’s optional 802.1X support for this test, but that is certainly another deployment option.

Overall, ConSentry is focused on evaluating rights and providing secure access based on user profiles and the applications/resources a user wants to access. NAC policies are assigned to users’ roles, which are defined based on a number of factors, such as Active Directory group membership, MAC address and IP address. Authentication is handled by passively monitoring Windows-authentication traffic or actively support for RADIUS back ends.

ConSentry also supports guest users via a captive portal. The passive Windows-authentication feature is an interesting one that is also used by ForeScout in its product. However, there is a potential weakness here should a flood of network traffic cause an important packet to be lost. We did not conduct any load testing that would render a definitive answer to that question. The ConSentry folks say that their product is not susceptible to this issue, because it is designed on custom silicon to support 10Gbps, unlike PC-based products that support 1-2Gbps.

ConSentry licenses the Check Point Integrity dissolvable agent for end point assessment purposes that gets pushed out to the endpoint each time it attempts network connection. With this agent, AV checks for the major vendors are supported as well as custom checks for file information or registry keys. We created a custom registry and file check with the remediation action defined so that the LANShield would send a link to administrator-provided information should any end point be out of compliance. The detection, enforcement and remediation measures for this custom check all worked as expected.

While the dissolvable agent is ideal for guests who get redirected to a captive portal where the dissolvable agent is loaded and the system assessed for compliance, employees will not want to install the same agent every time they try to connect to the network. We would like to see a persistent agent available for “employee” use.

As pointed out in our assessment of the Check Point Integrity product, this agent software does not allow for checks for system patch, client firewall or vulnerability status outside of what you can create through custom registry and file checks.

But in terms of spotting potential endpoint-security issues, the LANShield switch also monitors traffic and decodes certain protocols, such as HTTP, FTP and CIFS, for malicious activity. We launched a worm-propagation test, and the switch identified and blocked the traffic almost as quickly as our test started. While we didn’t have an issue with false positives in our testing, there is indeed the potential in which case the endpoint would be blocked from access unnecessarily.

The ConSentry folks say they’ve included time-based, behavior-driven algorithms that both minimize false positives as well as the need for extensive tuning. That said, an IT manager can just configure this ConSentry algorithm to block only the offending application or merely to send an alert, so a false positive might not block a user’s entry onto the network if configured to support these modified actions.

In terms of enforcement, devices can be provided a URL within a Web browser which would provide remediation information or completely blocked from accessing the network. We used both approaches during our testing and encountered no surprises.

Incompliant devices also can be shunted to a specific virtual VLAN if LANShield is running in 802.1X mode.

ConSentry’s InSight Manager is very strong in terms of policy-definition options. You can define policies based on specific users’ location or as universal policies applied across all systems. While flexible, configuration and management of NAC policies within InSight is not intuitive and is easily confusing if you are working with a number of separate policies.

ConSentry provides very detailed reports outlining information on both users and endpoint systems. Reports include full details on users, including an IP address, network applications used and network activity history, the systems they have used, the applications/resources accessed and the actions being performed.

A full four tabs of dashboards are available for reporting on such areas as general overview, malware incidents, policy incidents and posture incidents. A number of default report templates are also available in an out of the box installation and they can be scheduled to run on a periodic basis.

ConSentry provides a very forward-thinking approach to NAC by bundling the security functionality directly into the switch using ASIC technology. This is a great solution for a company already looking to deploy new access switches.

< Previous story: Cisco | Next story: ForeScout >