ConSentry edges out Nevis in in-line NAC appliance test

Our tests show that while this feature works perfectly, it’s not a universal remedy for the problems associated with captive portals. Because MAC-based authentication offers such poor security — MAC addresses are easily stolen and spoofed — the self-registration approach takes an intrusive authentication method and significantly weakens an overall security model.

ConSentry has a better approach to the authentication problem: passive authentication as an alternative to a captive portal. If users are logging into a Windows domain or are using authentication for wireless or wired LAN access, LANShield watches that authentication pass through and infers the identity of users (in the case of Windows logons) or the groups they belong to (in the case of 802.1X authentication).

In our authentication testing, we found problems in both products. LANShield initially wouldn’t work with our Funk (Juniper) server (the problem was fixed with a newer version of the software), and LANenforcer has design issues and bugs related to the assignment of groups from RADIUS and Lightweight Directory Access Protocol () servers. If you are using a Windows Active Directory server for authentication, you should be fine with LANenforcer, but our tests show you may not be able to assign group membership from LDAP or RADIUS even with common, off-the-shelf configurations.

We also were disappointed to see that when Nevis’ LANsight Security Manager is used to configure devices, all authentications are proxied by the LANsight server. This makes for a frightening single point of failure, because the management server is simply a Linux server. We discovered this issue when our LANsight server lost communications with LANenforcer, losing most configuration information and requiring a reinstallation and reconfiguration of LANenforcer.

Once a user is authenticated, the ConSentry and Nevis boxes need a way to assign the right security-enforcement policies. ConSentry maps each user to a single role using a flexible system that includes the authentication group, time of day and access method. Nevis has a less-flexible system, assigning roles based on the group returned from the authentication server.

However, if you are using LDAP for authentication and a user is in multiple groups, Nevis has a well-designed system for merging different security policies. This capability will be extremely attractive to network managers who want to have very fine-grained security enforcement scaled to a large number of groups, because Nevis lets each group have a more precise policy.

ConSentry LANShield Controller and InSight Command Center

Score: 3.78

www.consentry.com

LANShield is a high-speed, high-density firewall with 10 pairs of Gigabit Ethernet ports. ConSentry has positioned it as a NAC device, placing it in-line between wiring closet switches and the core of your network to authenticate users and enforce security policies.

LANShield’s authentication options range from the unobtrusive (such as watching a Windows domain login go by) to active authentication using a captive Web portal. This flexibility in authentication goes along with a well-designed policy definition toolkit and versatile enforcement controls. When teamed with ConSentry’s InSight Command Center management system, LANShield “controllers” can act as a scalable building block in a corporate NAC environment.

LANShield stretches into many different areas of security, though, with varying success. A partnership with Check Point for endpoint-security assessment gives ConSentry a strong tool out of the starting gate, even if management is not completely integrated. Options for detecting and blocking internal malware such as worms are not well implemented in the version of the product we looked at. We also found that the InSight GUI needed some redesign. Overall, LANShield is astonishingly mature for such a new product and has come a long way in a short time.

Endpoint security-posture assessment

A key driver for NAC in many enterprises is endpoint security: evaluating the posture of devices connecting to the network and restricting access to devices that are not in compliance with corporate policies. ConSentry and Nevis address this requirement, but not to a satisfactory degree.

Nevis’ approach to endpoint security with the LANenforcer is to use an ActiveX control pushed down to the user’s PC (assuming Windows and Internet Explorer are running, and there are administrator privileges) that checks for operating-system patch levels and the presence of antivirus and antispyware software. Because the principal Nevis authentication method is a captive portal, endpoint-security evaluation happens during the logon sequence as the Web page is loaded. Failure to pass these checks can land you in a quarantine state for user-directed remediation; LANenforcer also can be configured to require periodic reevaluation while the user is logged in.

Unfortunately, using LANenforcer’s self-registration facility to avoid going through the captive portal for authentication means there’s no opportunity for LANenforcer to push down the endpoint-security posture-assessment tool. In our testing, we ran into a problem: The Nevis endpoint-security tool insisted that we needed a particular patch for our Windows XP laptop, while Microsoft Windows Update Service didn’t agree or offer that particular patch. This wasn’t as big a problem as were the Nevis interface’s opacity and lack of configuration controls. Once we discovered the problem, there was nothing we could do about it, because LANsight can’t see the required patch list or manually update or override it.

ConSentry’s approach in its LANShield is almost identical to Nevis’, with similar limitations. ConSentry has teamed with Check Point, selling Check Point Integrity Clientless Security as the integrated endpoint security-posture assessment tool. Check Point’s Integrity tool is more sophisticated than the Nevis endpoint security tool. For example, it checks for spyware, not just the presence of antispyware software. And you can use it to add other types of checks to your policy. This ConSentry-Check Point combination also supports a wider variety of client platforms, including older versions of Windows and both Java and ActiveX versions of the endpoint-security tool.

Even with a more sophisticated client-posture assessment tool, ConSentry and Nevis have the same issue: The user has to go to a Web page to download the tool. With a captive portal, the interface is as clean as Nevis’, but when you are using one of the ConSentry LANShield passive authentication methods (such as watching a Windows domain logon), there’s no Web page involved. In that case, LANShield can intercept the next Web connection the client makes and push down the endpoint security tool, but there’s no guarantee users will use their Web browser.

Nevis LANenforcer and LANSight Security Manager

Score: 3.35

www.nevisnetworks.com

LANenforcer is a high-speed, high-density firewall and IPS device designed to go in-line between wiring closet switches and the core of the network. With 12 pairs of Gigabit Ethernet ports, the LANenforcer is specified to handle as many as 1,000 users with a top speed of 10Gbps.

Nevis has chosen to emphasize the IPS nature of the LANenforcer as much as the NAC features, and has a well-thought-out set of IPS features designed to catch malware and internal worms.

Being deep in the network presents challenges for both authentication and enforcement, and Nevis has made some design choices that may not be acceptable to enterprise users or network managers. Authentication is done through a captive web portal. This facilitates endpoint-security posture assessment with Nevis’ own ActiveX client, but may be too intrusive for many environments. Network managers may also find that the LANsight Security Manager, Nevis’ GUI-based management system, is clumsy when it comes to defining complex security policies.

Our greatest concern with LANenforcer is the large number of bugs we found in almost every component, including endpoint security, malware detection, management and in the hardware itself. As with any new product, Nevis may need more time to shake out some of the problems with this release.

Intrusion prevention plays a role

Both Nevis and ConSentry are aware of the issues surrounding assessment of endpoint-security posture and their particular topologies. One solution might be to have an installed, proprietary client that handles both authentication and posture assessment; this is the approach the Cisco NAC framework uses. ConSentry says it is developing its own client, while Nevis is considering adding a client to strengthen its posture assessment.

A second solution would be to add intrusion-prevention capabilities into the products, identifying and quarantining (or blocking) systems that are infected with malware. This approach is more successful than traditional endpoint-security assessment, because it is inherently cross-platform and nonintrusive, and has a better chance of detecting a compromised system. After all, having an antivirus engine installed with up-to-date signatures says nothing about whether you’re infected with a virus. ConSentry and Nevis both have gone down this path, with Nevis taking the lead in building a sophisticated IPS into LANenforcer.

The Nevis IPS, marketed as Threat Control, is a combination of three IPS technologies: protocol anomaly detection, traffic anomaly detection and signature-based detection for specific malware. Because LANenforcer sits between users and corporate resources, the IPS feature set focuses on specific, internal-network types of threats. For example, worm containment is a big piece of the picture, with dozens of settings that can be used to adjust thresholds if the defaults don’t work. Threat Control provides the option of triggering actions on LANenforcer itself, such as blocking all traffic from a misbehaving IP address for some period of time.

We had mixed success with Threat Control’s threat-mitigation features. When we set loose SQL Slammer, the canonical out-of-control worm, on our network, Nevis found and isolated it and raised an alarm. However, when we installed NetRaider, one of the backdoor Trojan horse applications used by hackers to take control of a system, LANenforcer didn’t see it, even though there are two signatures for NetRaider enabled in the LANsight management system. (Like many proprietary IPSs, the signatures are opaque, so we couldn’t debug why the LANenforcer missed our Trojan horse.) We also found a bug when we turned on sequence-number randomization, a common firewall-obfuscation technique, because the Nevis box then refused to let anyone on the network.

LANShield has a much less-sophisticated IPS feature set, with no configuration capability other than the ability to turn it on or off. ConSentry labels its IPS features as malware protection. To the network manager, it will be a black box. Although LANShield did identify and block our SQL Slammer worm, we wouldn’t feel comfortable setting loose such an undocumented and uncontrollable feature in a real network. For now, LANShield’s malware features should be considered more of a promise of things to come than a fully baked capability.

Enforcement

The huge advantage that both of these products have over most other NAC solutions is their enforcement capabilities, based on full stateful firewalling. Rather than be content with putting different users on different virtual LANs (VLAN), the most commonly bandied-about NAC strategy, Nevis and ConSentry give the network manager not only very fine-grained access controls, but also stateful firewalling. This puts ConSentry and Nevis in a very small circle of such vendors as Juniper and Vernier that are advocating such a high level of security.

We did not validate exhaustively the correct enforcement by either firewall, but we did discover that neither LANenforcer nor LANShield has common application-layer gateways within its enforcement capabilities. This means that protocols requiring an application-layer gateway — for example, FTP or VoIP using and Realtime Streaming Protocol — aren’t supported directly. You can still run these protocols through the devices, but your policy will have to punch bigger holes in the firewall to support them, and you won’t have the same level of control. Because these products are designed for internal use with primarily trusted users, this doesn’t seem an unreasonable restriction.

While the basics you’d expect in any firewall — source or destination IP addresses, subnets and network zones — are present, ConSentry has gone further than Nevis in providing powerful enforcement rules. For example, you can define enforcement rules in terms of or FTP file names or HTTP content types, something ConSentry calls application filters. These filters are a good start, though there are some big gaps. For example, you can’t write a filter based on an HTTP URL.

LANenforcer has an enforcement vocabulary that’s closer to a traditional firewall, with enforcement rules expressed in terms of destination IP addresses and services.

Management

Both LANenforcer and LANShield are manageable via a command-line interface (CLI), but we tested them using the separate management tools provided. With Nevis’ LANsight Security Manager, we had only to touch the CLI for installation and debugging. ConSentry’s graphical management tool is nearly as complete, but not all the product’s functionality is available from that interface. We had to dive into the CLI a number of times during initial setup for some of the basic configuration elements.

LANsight has its good and bad sides. Its monitoring system is well designed. With only a few clicks, we found it easy to get an idea of who is logged on, see their policy, log them off and look at where traffic is flowing. Once LANenforcer is configured, LANsight gives you a quick overview of what is happening.

The bad side is that it’s slow. The problem does not seem to be the management tool itself, but the choice of Adobe Flash for displaying the GUI. On our dual-CPU, 2.3GHz management client, going from screen to screen took between four and 10 seconds, just long enough to be frustrating.

Where LANsight really fell down was in configuration tasks, such as the creation, replication and configuration of enforcement policies. Because the whole point of these systems is to give administrators the ability to apply better enforcement to users, this is a significant problem. For example, suppose you wanted to define access to printers (or Web servers or file servers — anything you want to consider as an atomic unit from the point of view of policy). If the printers are not all in consecutive IP addresses, you would have to create dozens or hundreds of policies, one for each printer, rather than making a single policy covering all printers. The management system should facilitate the implementation of the enterprise security policy, not discourage it.

ConSentry’s InSight Command Center has a good monitoring system, with superior visibility into what is happening on the network in terms of both security and bandwidth. With a Java-based GUI, we found its performance to be snappier overall than LANsight’s.

InSight’s policy configuration was very well put together. Although the difficulty of configuring a firewall with policies for every user seems a daunting task, InSight has the right level of abstraction and object-oriented design to make it easy to match the configuration with the policy we wanted.

Where InSight disappoints is in basic human-interface design and in consistency. For example, when you click on something, you may or may not see what the current configuration or properties are, unless you select to edit that item, and then you can see them all. But the design is inconsistent, and sometimes you see details without having to edit the object. InSight also has a clumsy way of managing configuration versions. ConSentry wanted to be able to define configuration and push it to a device all at once, but the mechanism to do that more often will frustrate and confuse, rather than simplify the process.

Conclusion

Network managers looking for tighter access control than the usual VLAN switching allows should keep ConSentry and Nevis on their radar screens, in addition to veterans Juniper and Vernier, which also offer products in this particular NAC space.

ConSentry’s LANShield offers great flexibility in deployment and an outstanding design for policy management in its GUI, although it has limited sets of malware protection. Nevis’ LANenforcer brought a broad set of intrusion-prevention capabilities to the table, but design flaws and bugs in critical functions made for disappointing test results.

The pace of change for both start-ups is fast and furious, and the issues we found in testing these versions may be a thing of the past before this time next year. Like wine and cheese, both these should improve with age.

Snyder is a senior partner at Opus One, a consulting firm in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.

Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.