ConSentry edges out Nevis in in-line NAC appliance test
Pair offers increased access control with minimal impact on existing networks.
Start-ups ConSentry Networks and Nevis Networks have stepped into the network access control ring with in-line enforcement products that promise high levels of security with minimal impact on existing network infrastructures.
The use case goes like this: Enterprises want to implement NAC, but they want to minimize changes and upgrades to their installed LAN switching infrastructure. The LANShield and LANenforcer boxes we tested have 10 and 12 pairs, respectively, of Gigabit Ethernet ports. Install either device next to your core switch. For each uplink from a wiring closet, use a port pair to run the traffic through the device before passing it to the core switch. This gives you a control point -- both companies call their devices controllers rather than security switches -- to authenticate users, apply highly detailed per-user stateful firewall controls, and use as an internal IPS.
We looked at these products as NAC devices and focused on four areas critical for any NAC deployment: authentication and authorization, endpoint-security posture assessment, traffic enforcement, and system management (see "How we tested NAC products"). We are assessing the performance of these products in a separate test and will post those results when they are available.
Authentication and authorization
Authentication is a difficult piece of the NAC picture for LANShield and LANenforcer to master. Because they sit deeper in the network, there is no simple answer to how users will authenticate to the devices. The most obvious approach is to use a Web-based captive portal, and both products support this as an authentication method. With a captive portal, the user connects to the network, gets an IP address, then launches a Web browser and tries to open a Web page. LANShield and LANenforcer intercept this communication and redirect a user's browser to a page that lets him authenticate.
ConSentry's LANShield controller is a high-speed, high-density in-line firewall coupled with a flexible set of authentication options that give companies versatile enforcement controls.
We found a major design flaw in LANenforcer's captive portal. The version we tested does not let you use your own certificate authority or a well-known trusted certificate authority to sign the SSL certificate. Without a trusted certificate authority, you're asking people to connect to your network and give their user name and password to an unauthenticated system they don't know, not the best idea under any circumstances. Nevis says it is adding the capability to use your own digital certificate and certificate authority in its next release.
Captive portals generally are fine for hotels and hot spots, but aren't a particularly user-friendly approach for authenticating to enterprise networks. For this reason, LANenforcer lets the network manager enable self-registration, in which LANenforcer remembers the media access control (MAC) address of an authenticated user for some configurable period of time (eight hours to one year) and doesn't require reauthentication.
Our tests show that while this feature works perfectly, it's not a universal remedy for the problems associated with captive portals. Because MAC-based authentication offers such poor security -- MAC addresses are easily stolen and spoofed -- the self-registration approach takes an intrusive authentication method and significantly weakens an overall security model.
ConSentry has a better approach to the authentication problem: passive authentication as an alternative to a captive portal. If users are logging into a Windows domain or are using authentication for wireless or wired LAN access, LANShield watches that authentication pass through and infers the identity of users (in the case of Windows logons) or the groups they belong to (in the case of 802.1X authentication).
In our authentication testing, we found problems in both products. LANShield initially wouldn't work with our Funk (Juniper) server (the problem was fixed with a newer version of the software), and LANenforcer has design issues and bugs related to the assignment of groups from RADIUS and Lightweight Directory Access Protocol (LDAP) servers. If you are using a Windows Active Directory server for authentication, you should be fine with LANenforcer, but our tests show you may not be able to assign group membership from LDAP or RADIUS even with common, off-the-shelf configurations.
We also were disappointed to see that when Nevis' LANsight Security Manager is used to configure devices, all authentications are proxied by the LANsight server. This makes for a frightening single point of failure, because the management server is simply a Linux server. We discovered this issue when our LANsight server lost communications with LANenforcer, losing most configuration information and requiring a reinstallation and reconfiguration of LANenforcer.
Once a user is authenticated, the ConSentry and Nevis boxes need a way to assign the right security-enforcement policies. ConSentry maps each user to a single role using a flexible system that includes the authentication group, time of day and access method. Nevis has a less-flexible system, assigning roles based on the group returned from the authentication server.
However, if you are using LDAP for authentication and a user is in multiple groups, Nevis has a well-designed system for merging different security policies. This capability will be extremely attractive to network managers who want to have very fine-grained security enforcement scaled to a large number of groups, because Nevis lets each group have a more precise policy.
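The two role-assignment models described above, as an added example that is not code from either vendor: a first-match table that maps (group, access method, time of day) to a single role, beside a merge of per-group policies for a user who belongs to several groups. The group names, rules, and the deny-overrides-permit merge semantics are constructed assumptions for illustration; the review does not specify how Nevis resolves conflicts.

```python
from dataclasses import dataclass
# Added example: models the two role-assignment approaches the review describes.
# Group names, rules and the policy format are constructed for illustration only.

@dataclass(frozen=True)
class Rule:
    dst: str      # destination label, e.g. "finance-servers"
    proto: str    # "tcp", "udp" or "any"
    port: int     # 0 = any port
    action: str   # "permit" or "deny"

# Single-role mapping: ordered (group, access method, business hours, role) conditions;
# None means "any"; the first matching entry decides the user's one role.
ROLE_MAP = [
    ("finance",     "wired",    (8, 18), "finance-full"),
    ("finance",     None,       None,    "finance-restricted"),
    ("contractors", "wireless", None,    "guest"),
    ("employees",   None,       None,    "employee"),
]

def assign_role(groups, access_method, hour):
    """Return the first matching role, or 'quarantine' if nothing matches."""
    for group, method, hours, role in ROLE_MAP:
        if group not in groups:
            continue
        if method is not None and method != access_method:
            continue
        if hours is not None and not hours[0] <= hour < hours[1]:
            continue
        return role
    return "quarantine"

# Per-group policies for the merging approach: a user in several groups gets the
# union of their permits, but an explicit deny from any group overrides a permit.
GROUP_POLICIES = {
    "employees":   [Rule("intranet", "tcp", 80, "permit"),
                    Rule("intranet", "tcp", 443, "permit")],
    "finance":     [Rule("finance-servers", "tcp", 1433, "permit")],
    "contractors": [Rule("finance-servers", "any", 0, "deny")],
}

def merge_policies(groups):
    """Merge every group's rules; deny-overrides-permit, denies emitted last."""
    permits, denies = set(), set()
    for g in groups:
        for r in GROUP_POLICIES.get(g, []):
            (denies if r.action == "deny" else permits).add((r.dst, r.proto, r.port))
    merged = [Rule(d, p, n, "permit") for d, p, n in sorted(permits)
              # a deny on the same tuple, or a wildcard deny to that destination, shadows the permit
              if (d, p, n) not in denies and (d, "any", 0) not in denies]
    merged += [Rule(d, p, n, "deny") for d, p, n in sorted(denies)]
    return merged
```

The first model guarantees exactly one role per user, so a finance employee logging in after hours silently drops to the restricted role; the second keeps every group's rules, which is why conflict resolution between groups has to be defined explicitly.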
ConSentry LANShield Controller and InSight Command Center
Score: 3.78
www.consentry.com
LANShield is a high-speed, high-density firewall with 10 pairs of Gigabit Ethernet ports. ConSentry has positioned it as a NAC device, placing it in-line between wiring closet switches and the core of your network to authenticate users and enforce security policies.
LANShield's authentication options range from the unobtrusive (such as watching a Windows domain login go by) to active authentication using a captive Web portal. This flexibility in authentication goes along with a well-designed policy definition toolkit and versatile enforcement controls. When teamed with ConSentry's InSight Command Center management system, LANShield "controllers" can act as a scalable building block in a corporate NAC environment.
LANShield stretches into many different areas of security, though, with varying success. A partnership with Check Point for endpoint-security assessment gives ConSentry a strong tool out of the starting gate, even if management is not completely integrated. Options for detecting and blocking internal malware such as worms are not well implemented in the version of the product we looked at. We also found that the InSight GUI needed some redesign. Overall, LANShield is astonishingly mature for such a new product and has come a long way in a short time.
Endpoint security-posture assessment
A key driver for NAC in many enterprises is endpoint security: evaluating the posture of devices connecting to the network and restricting access to devices that are not in compliance with corporate policies. ConSentry and Nevis address this requirement, but not to a satisfactory degree.
Nevis' approach to endpoint security with the LANenforcer is to use an ActiveX control pushed down to the user's PC (assuming Windows and Internet Explorer are running, and there are administrator privileges) that checks for operating-system patch levels and the presence of antivirus and antispyware software. Because the principal Nevis authentication method is a captive portal, endpoint-security evaluation happens during the logon sequence as the Web page is loaded. Failure to pass these checks can land you in a quarantine state for user-directed remediation; LANenforcer also can be configured to require periodic reevaluation while the user is logged in.
Unfortunately, using LANenforcer's self-registration facility to avoid going through the captive portal for authentication means there's no opportunity for LANenforcer to push down the endpoint-security posture-assessment tool. In our testing, we ran into a problem: The Nevis endpoint-security tool insisted that we needed a particular patch for our Windows XP laptop, while Microsoft Windows Update Service didn't agree or offer that particular patch. This was less of a problem than the Nevis interface's opacity and lack of configuration controls. Once we discovered the problem, there was nothing we could do about it, because LANsight can't see the required patch list or manually update or override it.
Nevis has chosen to emphasize the IPS nature of its LANenforcer controller as much as its NAC features. The product has a well-thought-out set of IPS features designed to catch malware and internal worms.
ConSentry's approach in its LANShield is almost identical to Nevis', with similar limitations. ConSentry has teamed with Check Point, selling Check Point Integrity Clientless Security as the integrated endpoint security-posture assessment tool. Check Point's Integrity tool is more sophisticated than the Nevis endpoint security tool. For example, it checks for spyware, not just the presence of antispyware software. And you can use it to add other types of checks to your policy. This ConSentry-Check Point combination also supports a wider variety of client platforms, including older versions of Windows and both Java and ActiveX versions of the endpoint-security tool.
Even with a more sophisticated client-posture assessment tool, ConSentry and Nevis have the same issue: The user has to go to a Web page to download the tool. With a captive portal, the interface is as clean as Nevis', but when you are using one of the ConSentry LANShield passive authentication methods (such as watching a Windows domain logon), there's no Web page involved. In that case, LANShield can intercept the next Web connection the client makes and push down the endpoint security tool, but there's no guarantee users will use their Web browser.
Nevis LANenforcer and LANsight Security Manager
Score: 3.35
www.nevisnetworks.com
LANenforcer is a high-speed, high-density firewall and IPS device designed to go in-line between wiring closet switches and the core of the network. With 12 pairs of Gigabit Ethernet ports, the LANenforcer is specified to handle as many as 1,000 users with a top speed of 10Gbps.
Nevis has chosen to emphasize the IPS nature of the LANenforcer as much as the NAC features, and has a well-thought-out set of IPS features designed to catch malware and internal worms.
Being deep in the network presents challenges for both authentication and enforcement, and Nevis has made some design choices that may not be acceptable to enterprise users or network managers. Authentication is done through a captive Web portal. This facilitates endpoint-security posture assessment with Nevis' own ActiveX client, but may be too intrusive for many environments. Network managers may also find that the LANsight Security Manager, Nevis' GUI-based management system, is clumsy when it comes to defining complex security policies.
Our greatest concern with LANenforcer is the large number of bugs we found in almost every component, including endpoint security, malware detection, management and in the hardware itself. As with any new product, Nevis may need more time to shake out some of the problems with this release.
Intrusion prevention plays a role
Both Nevis and ConSentry are aware of the issues surrounding assessment of endpoint-security posture and their particular topologies. One solution might be to have an installed, proprietary client that handles both authentication and posture assessment; this is the approach the Cisco NAC framework uses. ConSentry says it is developing its own client, while Nevis is considering adding a client to strengthen its posture assessment.