ConSentry edges out Nevis in in-line NAC appliance test

Pair offers increased access control with minimal impact on existing networks.

1 2 Page 2
Page 2 of 2

A second solution would be to add intrusion-prevention capabilities into the products, identifying and quarantining (or blocking) systems that are infected with malware. This approach is more successful than traditional endpoint-security assessment, because it is inherently cross-platform and nonintrusive, and has a better chance of detecting a compromised system. After all, having an antivirus engine installed with up-to-date signatures says nothing about whether you're infected with a virus. ConSentry and Nevis both have gone down this path, with Nevis taking the lead in building a sophisticated IPS into LANenforcer.

The Nevis IPS, marketed as Threat Control, is a combination of three IPS technologies: protocol anomaly detection, traffic anomaly detection and signature-based detection for specific malware. Because LANenforcer sits between users and corporate resources, the IPS feature set focuses on specific, internal-network types of threats. For example, worm containment is a big piece of the picture, with dozens of settings that can be used to adjust thresholds if the defaults don't work. Threat Control provides the option of triggering actions on LANenforcer itself, such as blocking all traffic from a misbehaving IP address for some period of time.

We had mixed success with Threat Control's threat-mitigation features. When we set loose SQL Slammer, the canonical out-of-control worm, on our network, Nevis found and isolated it and raised an alarm. However, when we installed NetRaider, one of the backdoor Trojan horse applications used by hackers to take control of a system, LANenforcer didn't see it, even though there are two signatures for NetRaider enabled in the LANsight management system. (Like many proprietary IPSs, the signatures are opaque, so we couldn't debug why the LANenforcer missed our Trojan horse.) We also found a bug when we turned on sequence-number randomization, a common firewall-obfuscation technique, because the Nevis box then refused to let anyone on the network.

LANShield has a much less-sophisticated IPS feature set, with no configuration capability other than the ability to turn it on or off. ConSentry labels its IPS features as malware protection. To the network manager, it will be a black box. Although LANShield did identify and block our SQL Slammer worm, we wouldn't feel comfortable setting loose such an undocumented and uncontrollable feature in a real network. For now, LANShield's malware features should be considered more of a promise of things to come than a fully baked capability.

Enforcement

The huge advantage that both of these products have over most other NAC solutions is their enforcement capabilities, based on full stateful firewalling. Rather than be content with putting different users on different virtual LANs (VLAN), the most commonly bandied-about NAC strategy, Nevis and ConSentry give the network manager not only very fine-grained access controls, but also stateful firewalling. This puts ConSentry and Nevis in a very small circle of such vendors as Juniper and Vernier that are advocating such a high level of security.

We did not validate exhaustively the correct enforcement by either firewall, but we did discover that neither LANenforcer nor LANShield has common application-layer gateways within its enforcement capabilities. This means that protocols requiring an application-layer gateway -- for example, FTP or VoIP using Session Initiation Protocol and Realtime Streaming Protocol -- aren't supported directly. You can still run these protocols through the devices, but your policy will have to punch bigger holes in the firewall to support them, and you won't have the same level of control. Because these products are designed for internal use with primarily trusted users, this doesn't seem an unreasonable restriction.

While the basics you'd expect in any firewall -- source or destination IP addresses, subnets and network zones -- are present, ConSentry has gone further than Nevis in providing powerful enforcement rules. For example, you can define enforcement rules in terms of Common Internet File System or FTP file names or HTTP content types, something ConSentry calls application filters. These filters are a good start, though there are some big gaps. For example, you can't write a filter based on an HTTP URL.

LANenforcer has an enforcement vocabulary that's closer to a traditional firewall, with enforcement rules expressed in terms of destination IP addresses and services.

Management

Both LANenforcer and LANShield are manageable via a command-line interface (CLI), but we tested them using the separate management tools provided. With Nevis' LANsight Security Manager, we had only to touch the CLI for installation and debugging. ConSentry's graphical management tool is nearly as complete, but not all the product's functionality is available from that interface. We had to dive into the CLI a number of times during initial setup for some of the basic configuration elements.

LANsight has its good and bad sides. Its monitoring system is well designed. With only a few clicks, we found it easy to get an idea of who is logged on, see their policy, log them off and look at where traffic is flowing. Once LANenforcer is configured, LANsight gives you a quick overview of what is happening.

The bad side is that it's slow. The problem does not seem to be the management tool itself, but the choice of Adobe Flash for displaying the GUI. On our dual-CPU, 2.3GHz management client, going from screen to screen took between four and 10 seconds, just long enough to be frustrating.

Where LANsight really fell down was in configuration tasks, such as the creation, replication and configuration of enforcement policies. Because the whole point of these systems is to give administrators the ability to apply better enforcement to users, this is a significant problem. For example, suppose you wanted to define access to printers (or Web servers or file servers -- anything you want to consider as an atomic unit from the point of view of policy). If the printers are not all in consecutive IP addresses, you would have to create dozens or hundreds of policies, one for each printer, rather than making a single policy covering all printers. The management system should facilitate the implementation of the enterprise security policy, not discourage it.

ConSentry's InSight Command Center has a good monitoring system, with superior visibility into what is happening on the network in terms of both security and bandwidth. With a Java-based GUI, we found its performance to be snappier overall than LANsight's.

InSight's policy configuration was very well put together. Although the difficulty of configuring a firewall with policies for every user seems a daunting task, InSight has the right level of abstraction and object-oriented design to make it easy to match the configuration with the policy we wanted.

Where InSight disappoints is in basic human-interface design and in consistency. For example, when you click on something, you may or may not see what the current configuration or properties are, unless you select to edit that item, and then you can see them all. But the design is inconsistent, and sometimes you see details without having to edit the object. InSight also has a clumsy way of managing configuration versions. ConSentry wanted to be able to define configuration and push it to a device all at once, but the mechanism to do that more often will frustrate and confuse, rather than simplify the process.

Conclusion

Network managers looking for tighter access control than the usual VLAN switching allows should keep ConSentry and Nevis on their radar screens, in addition to veterans Juniper and Vernier, which also offer products in this particular NAC space.

ConSentry's LANShield offers great flexibility in deployment and an outstanding design for policy management in its GUI, although it has limited sets of malware protection. Nevis' LANenforcer brought a broad set of intrusion-prevention capabilities to the table, but design flaws and bugs in critical functions made for disappointing test results.

The pace of change for both start-ups is fast and furious, and the issues we found in testing these versions may be a thing of the past before this time next year. Like wine and cheese, both these should improve with age.

Snyder is a senior partner at Opus One, a consulting firm in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.NW Lab Alliance

Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.

Learn more about this topic

NAC Buyer's Guide

ConSentry upgrades its NAC software, boosts capacity

11/06/06

Compatibility with legacy equipment key to NAC's future

06/12/06

Start-ups look to horn in on net control

11/14/05

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2006 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
IT Salary Survey: The results are in