Start-ups ConSentry Networks and Nevis Networks have stepped into the network access control ring with in-line enforcement products that promise high levels of security with minimal impact on existing network infrastructures.

LANShield CS2400 Controller V2.2 and InSight Command Center
Overall rating: 3.78
Company: ConSentry Networks.
Cost: $38,500 for LANShield and $8,000 for InSight.
Pros: Excellent policy definition tools; versatile authentication and enforcement options.
Con: Weak intrusion-protection system functionality.

LANenforcer 2024 V2.0 and LANsight Security Manager
Overall rating: 3.35
Company: Nevis Networks.
Cost: $35,000 for LANenforcer and $7,000 for LANsight.
Pros: Network security visibility; role assignment versatility.
Cons: Policy definition clumsy; captive portal authentication only real option.

The breakdown
Category (weight)                    ConSentry   Nevis
Authentication/authorization (20%)   4           3
Endpoint security (25%)              3.5         3.5
Enforcement and IPS (25%)            4           3.5
System management (20%)              3.5         3.5
Stability/maturity (20%)             4           3
TOTAL SCORE                          3.78        3.35

Scoring key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar.

The use case goes like this: Enterprises want to implement NAC, but they want to minimize changes and upgrades to their installed LAN switching infrastructure. The LANShield and LANenforcer boxes we tested have 10 and 12 pairs, respectively, of Gigabit Ethernet ports. Install either device next to your core switch. For each uplink from a wiring closet, use a port pair to run the traffic through the device before passing it to the core switch. This gives you a control point -- both companies call their devices controllers rather than security switches -- to authenticate users, apply highly detailed per-user stateful firewall controls, and use as an internal IPS.

We looked at these products as NAC devices and focused on four areas critical for any NAC deployment: authentication and authorization, endpoint-security posture assessment, traffic enforcement, and system management (see "How we tested NAC products"). We are assessing the performance of these products in a separate test and will post those results when they are available.

Authentication and authorization

Authentication is a difficult piece of the NAC picture for LANShield and LANenforcer to master. Because they sit deeper in the network, there is no simple answer to how users will authenticate to the devices. The most obvious approach is to use a Web-based captive portal, and both products support this as an authentication method. With a captive portal, the user connects to the network, gets an IP address, then launches a Web browser and tries to open a Web page. LANShield and LANenforcer intercept this communication and redirect the user's browser to a page that lets him authenticate.

We found a major design flaw in LANenforcer's captive portal. The version we tested does not let you use your own certificate authority or a well-known trusted certificate authority to sign the SSL certificate. Without a trusted certificate authority, you're asking people to connect to your network and give their user name and password to an unauthenticated system they don't know, not the best idea under any circumstances. Nevis says it is adding the capability to use your own digital certificate and certificate authority in its next release.

Captive portals generally are fine for hotels and hot spots, but aren't a particularly user-friendly approach for authenticating to enterprise networks. For this reason, LANenforcer lets the network manager enable self-registration, in which LANenforcer remembers the media access control (MAC) address of an authenticated user for some configurable period of time (eight hours to one year) and doesn't require reauthentication.

Our tests show that while this feature works perfectly, it's not a universal remedy for the problems associated with captive portals. Because MAC-based authentication offers such poor security -- MAC addresses are easily stolen and spoofed -- the self-registration approach takes an intrusive authentication method and significantly weakens the overall security model.

ConSentry has a better approach to the authentication problem: passive authentication as an alternative to a captive portal. If users are logging into a Windows domain or are using authentication for wireless or wired LAN access, LANShield watches that authentication pass through and infers the identity of users (in the case of Windows logons) or the groups they belong to (in the case of 802.1X authentication).

In our authentication testing, we found problems in both products. LANShield initially wouldn't work with our Funk (Juniper) server (the problem was fixed with a newer version of the software), and LANenforcer has design issues and bugs related to the assignment of groups from RADIUS and Lightweight Directory Access Protocol (LDAP) servers. If you are using a Windows Active Directory server for authentication, you should be fine with LANenforcer, but our tests show you may not be able to assign group membership from LDAP or RADIUS even with common, off-the-shelf configurations.

We also were disappointed to see that when Nevis' LANsight Security Manager is used to configure devices, all authentications are proxied by the LANsight server. This makes for a frightening single point of failure, because the management server is simply a Linux server. We discovered this issue when our LANsight server lost communications with LANenforcer, losing most configuration information and requiring a reinstallation and reconfiguration of LANenforcer.

Once a user is authenticated, the ConSentry and Nevis boxes need a way to assign the right security-enforcement policies. ConSentry maps each user to a single role using a flexible system that includes the authentication group, time of day and access method. Nevis has a less-flexible system, assigning roles based on the group returned from the authentication server.

However, if you are using LDAP for authentication and a user is in multiple groups, Nevis has a well-designed system for merging different security policies. This capability will be extremely attractive to network managers who want to have very fine-grained security enforcement scaled to a large number of groups, because Nevis lets each group have a more precise policy.

ConSentry LANShield Controller and InSight Command Center
Score: 3.78
www.consentry.com

LANShield is a high-speed, high-density firewall with 10 pairs of Gigabit Ethernet ports. ConSentry has positioned it as a NAC device, placing it in-line between wiring closet switches and the core of your network to authenticate users and enforce security policies.

LANShield's authentication options range from the unobtrusive (such as watching a Windows domain login go by) to active authentication using a captive Web portal. This flexibility in authentication goes along with a well-designed policy definition toolkit and versatile enforcement controls. When teamed with ConSentry's InSight Command Center management system, LANShield "controllers" can act as a scalable building block in a corporate NAC environment.

LANShield stretches into many different areas of security, though, with varying success. A partnership with Check Point for endpoint-security assessment gives ConSentry a strong tool out of the starting gate, even if management is not completely integrated. Options for detecting and blocking internal malware such as worms are not well implemented in the version of the product we looked at. We also found that the InSight GUI needed some redesign. Overall, LANShield is astonishingly mature for such a new product and has come a long way in a short time.

Endpoint security-posture assessment

A key driver for NAC in many enterprises is endpoint security: evaluating the posture of devices connecting to the network and restricting access to devices that are not in compliance with corporate policies. ConSentry and Nevis address this requirement, but not to a satisfactory degree.

Nevis' approach to endpoint security with the LANenforcer is to use an ActiveX control pushed down to the user's PC (assuming Windows and Internet Explorer are running, and there are administrator privileges) that checks for operating-system patch levels and the presence of antivirus and antispyware software. Because the principal Nevis authentication method is a captive portal, endpoint-security evaluation happens during the logon sequence as the Web page is loaded. Failure to pass these checks can land you in a quarantine state for user-directed remediation; LANenforcer also can be configured to require periodic reevaluation while the user is logged in.

Unfortunately, using LANenforcer's self-registration facility to avoid going through the captive portal for authentication means there's no opportunity for LANenforcer to push down the endpoint-security posture-assessment tool. In our testing, we ran into a problem: The Nevis endpoint-security tool insisted that we needed a particular patch for our Windows XP laptop, while Microsoft Windows Update Service didn't agree or offer that particular patch. This wasn't as big a problem as the Nevis interface's opacity and lack of configuration controls. Once we discovered the problem, there was nothing we could do about it, because LANsight can't see the required patch list or manually update or override it.

ConSentry's approach in its LANShield is almost identical to Nevis', with similar limitations. ConSentry has teamed with Check Point, selling Check Point Integrity Clientless Security as the integrated endpoint security-posture assessment tool. Check Point's Integrity tool is more sophisticated than the Nevis endpoint security tool. For example, it checks for spyware, not just the presence of antispyware software. And you can use it to add other types of checks to your policy. This ConSentry-Check Point combination also supports a wider variety of client platforms, including older versions of Windows and both Java and ActiveX versions of the endpoint-security tool.

Even with a more sophisticated client-posture assessment tool, ConSentry and Nevis have the same issue: The user has to go to a Web page to download the tool. With a captive portal, the interface is as clean as Nevis', but when you are using one of the ConSentry LANShield passive authentication methods (such as watching a Windows domain logon), there's no Web page involved. In that case, LANShield can intercept the next Web connection the client makes and push down the endpoint security tool, but there's no guarantee users will use their Web browser.

Nevis LANenforcer and LANsight Security Manager
Score: 3.35
www.nevisnetworks.com

LANenforcer is a high-speed, high-density firewall and IPS device designed to go in-line between wiring closet switches and the core of the network. With 12 pairs of Gigabit Ethernet ports, the LANenforcer is specified to handle as many as 1,000 users with a top speed of 10Gbps.

Nevis has chosen to emphasize the IPS nature of the LANenforcer as much as the NAC features, and has a well-thought-out set of IPS features designed to catch malware and internal worms.

Being deep in the network presents challenges for both authentication and enforcement, and Nevis has made some design choices that may not be acceptable to enterprise users or network managers. Authentication is done through a captive Web portal. This facilitates endpoint-security posture assessment with Nevis' own ActiveX client, but may be too intrusive for many environments. Network managers may also find that the LANsight Security Manager, Nevis' GUI-based management system, is clumsy when it comes to defining complex security policies.

Our greatest concern with LANenforcer is the large number of bugs we found in almost every component, including endpoint security, malware detection, management and the hardware itself. As with any new product, Nevis may need more time to shake out some of the problems with this release.

Intrusion prevention plays a role

Both Nevis and ConSentry are aware of the issues surrounding assessment of endpoint-security posture and their particular topologies. One solution might be to have an installed, proprietary client that handles both authentication and posture assessment; this is the approach the Cisco NAC framework uses. ConSentry says it is developing its own client, while Nevis is considering adding a client to strengthen its posture assessment.

A second solution would be to add intrusion-prevention capabilities into the products, identifying and quarantining (or blocking) systems that are infected with malware. This approach is more successful than traditional endpoint-security assessment, because it is inherently cross-platform and nonintrusive, and has a better chance of detecting a compromised system. After all, having an antivirus engine installed with up-to-date signatures says nothing about whether you're infected with a virus. ConSentry and Nevis both have gone down this path, with Nevis taking the lead in building a sophisticated IPS into LANenforcer.

The Nevis IPS, marketed as Threat Control, is a combination of three IPS technologies: protocol anomaly detection, traffic anomaly detection and signature-based detection for specific malware. Because LANenforcer sits between users and corporate resources, the IPS feature set focuses on specific, internal-network types of threats. For example, worm containment is a big piece of the picture, with dozens of settings that can be used to adjust thresholds if the defaults don't work. Threat Control provides the option of triggering actions on LANenforcer itself, such as blocking all traffic from a misbehaving IP address for some period of time.

We had mixed success with Threat Control's threat-mitigation features. When we set loose SQL Slammer, the canonical out-of-control worm, on our network, Nevis found and isolated it and raised an alarm. However, when we installed NetRaider, one of the backdoor Trojan horse applications used by hackers to take control of a system, LANenforcer didn't see it, even though there are two signatures for NetRaider enabled in the LANsight management system. (As with many proprietary IPSs, the signatures are opaque, so we couldn't debug why the LANenforcer missed our Trojan horse.) We also found a bug with sequence-number randomization, a common firewall-obfuscation technique: when we turned it on, the Nevis box refused to let anyone on the network.

LANShield has a much less-sophisticated IPS feature set, with no configuration capability other than the ability to turn it on or off. ConSentry labels its IPS features as malware protection. To the network manager, it will be a black box. Although LANShield did identify and block our SQL Slammer worm, we wouldn't feel comfortable setting loose such an undocumented and uncontrollable feature in a real network. For now, LANShield's malware features should be considered more of a promise of things to come than a fully baked capability.

Enforcement

The huge advantage that both of these products have over most other NAC solutions is their enforcement capabilities, based on full stateful firewalling. Rather than be content with putting different users on different virtual LANs (VLANs), the most commonly bandied-about NAC strategy, Nevis and ConSentry give the network manager not only very fine-grained access controls, but also stateful firewalling. This puts ConSentry and Nevis in a very small circle of such vendors as Juniper and Vernier that are advocating such a high level of security.

We did not validate exhaustively the correct enforcement by either firewall, but we did discover that neither LANenforcer nor LANShield has common application-layer gateways within its enforcement capabilities. This means that protocols requiring an application-layer gateway -- for example, FTP or VoIP using and Realtime Streaming Protocol -- aren't supported directly. You can still run these protocols through the devices, but your policy will have to punch bigger holes in the firewall to support them, and you won't have the same level of control. Because these products are designed for internal use with primarily trusted users, this doesn't seem an unreasonable restriction.

While the basics you'd expect in any firewall -- source or destination IP addresses, subnets and network zones -- are present, ConSentry has gone further than Nevis in providing powerful enforcement rules. For example, you can define enforcement rules in terms of or FTP file names or HTTP content types, something ConSentry calls application filters. These filters are a good start, though there are some big gaps. For example, you can't write a filter based on an HTTP URL.

LANenforcer has an enforcement vocabulary that's closer to a traditional firewall, with enforcement rules expressed in terms of destination IP addresses and services.

Management

Both LANenforcer and LANShield are manageable via a command-line interface (CLI), but we tested them using the separate management tools provided. With Nevis' LANsight Security Manager, we had only to touch the CLI for installation and debugging. ConSentry's graphical management tool is nearly as complete, but not all the product's functionality is available from that interface. We had to dive into the CLI a number of times during initial setup for some of the basic configuration elements.

LANsight has its good and bad sides. Its monitoring system is well designed. With only a few clicks, we found it easy to get an idea of who is logged on, see their policy, log them off and look at where traffic is flowing. Once LANenforcer is configured, LANsight gives you a quick overview of what is happening.

The bad side is that it's slow. The problem does not seem to be the management tool itself, but the choice of Adobe Flash for displaying the GUI. On our dual-CPU, 2.3GHz management client, going from screen to screen took between four and 10 seconds, just long enough to be frustrating.

Where LANsight really fell down was in configuration tasks, such as the creation, replication and configuration of enforcement policies. Because the whole point of these systems is to give administrators the ability to apply better enforcement to users, this is a significant problem. For example, suppose you wanted to define access to printers (or Web servers or file servers -- anything you want to consider as an atomic unit from the point of view of policy). If the printers are not all in consecutive IP addresses, you would have to create dozens or hundreds of policies, one for each printer, rather than making a single policy covering all printers. The management system should facilitate the implementation of the enterprise security policy, not discourage it.

ConSentry's InSight Command Center has a good monitoring system, with superior visibility into what is happening on the network in terms of both security and bandwidth. With a Java-based GUI, we found its performance to be snappier overall than LANsight's.

InSight's policy configuration was very well put together. Although configuring a firewall with policies for every user seems a daunting task, InSight has the right level of abstraction and object-oriented design to make it easy to match the configuration with the policy we wanted.

Where InSight disappoints is in basic human-interface design and in consistency. For example, when you click on something, you may or may not see what the current configuration or properties are, unless you select to edit that item, and then you can see them all. But the design is inconsistent, and sometimes you see details without having to edit the object. InSight also has a clumsy way of managing configuration versions. ConSentry wanted to be able to define a configuration and push it to a device all at once, but the mechanism to do that more often will frustrate and confuse, rather than simplify the process.

Conclusion

Network managers looking for tighter access control than the usual VLAN switching allows should keep ConSentry and Nevis on their radar screens, in addition to veterans Juniper and Vernier, which also offer products in this particular NAC space.

ConSentry's LANShield offers great flexibility in deployment and an outstanding design for policy management in its GUI, although it has a limited set of malware protection features. Nevis' LANenforcer brought a broad set of intrusion-prevention capabilities to the table, but design flaws and bugs in critical functions made for disappointing test results.

The pace of change for both start-ups is fast and furious, and the issues we found in testing these versions may be a thing of the past before this time next year. Like wine and cheese, both of these should improve with age.

Snyder is a senior partner at Opus One, a consulting firm in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com. Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review.
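As an added illustration of the two policy models the review contrasts (not code from ConSentry, Nevis or the reviewer), the following Python sketch maps a user to a single role from authentication group, access method and time of day in the ConSentry style, merges per-group policies for a user in several LDAP groups in the Nevis style, and treats printers on non-consecutive addresses as one policy object of the kind the management section asks for. The host groups, addresses, ports, business-hours rule and deny-wins merge semantics are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Host groups are the "atomic unit" policy object the review asks for: printers on
# non-consecutive addresses still form one object. All addresses are constructed samples.
HOST_GROUPS = {
    "printers": [ip_network("10.1.5.17/32"), ip_network("10.4.9.200/32"),
                 ip_network("10.7.0.0/24")],
    "file-servers": [ip_network("10.0.10.0/24")],
}

@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    dst_group: str    # key into HOST_GROUPS
    ports: frozenset  # TCP/UDP destination ports covered by the rule

# One policy per directory group (Nevis-style); every entry below is constructed.
GROUP_POLICIES = {
    "staff": [Rule("permit", "printers", frozenset({515, 631, 9100}))],
    "finance": [Rule("permit", "file-servers", frozenset({445}))],
    "contractor": [Rule("deny", "file-servers", frozenset({445})),
                   Rule("permit", "printers", frozenset({9100}))],
    "guest": [Rule("permit", "printers", frozenset({9100}))],
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))     # assumed window
PASSIVE_METHODS = {"windows-logon", "802.1x"}  # identity inferred, not portal-based

def assign_role(groups, access_method, now):
    """ConSentry-style: collapse (groups, access method, time of day) to ONE role.
    Assumed rule: a passively authenticated user keeps the first listed group as the
    role during business hours; captive-portal or off-hours logons become 'guest'."""
    start, end = BUSINESS_HOURS
    if groups and access_method in PASSIVE_METHODS and start <= now < end:
        return groups[0]
    return "guest"

def merged_policy(groups):
    """Nevis-style: a user in several LDAP groups gets every group's rules.
    Deny rules survive the merge and win at evaluation time (assumed semantics)."""
    rules = []
    for group in groups:
        rules.extend(GROUP_POLICIES.get(group, []))
    return rules

def in_group(ip, group):
    addr = ip_address(ip)
    return any(addr in net for net in HOST_GROUPS[group])

def evaluate(rules, dst_ip, dst_port):
    """Decision for one flow: an explicit deny beats any permit; default is deny."""
    hits = [r for r in rules if in_group(dst_ip, r.dst_group) and dst_port in r.ports]
    if any(r.action == "deny" for r in hits):
        return "deny"
    return "permit" if hits else "deny"

if __name__ == "__main__":
    user_groups = ["staff", "finance"]
    role = assign_role(user_groups, "802.1x", time(10, 30))          # ConSentry: one role
    print(role, evaluate(GROUP_POLICIES[role], "10.0.10.5", 445))
    policy = merged_policy(user_groups)                              # Nevis: merged groups
    print(evaluate(policy, "10.4.9.200", 9100), evaluate(policy, "10.0.10.5", 445))
```

The single-role model loses the finance group's file-server access for this user, while the merged model keeps it; that is the trade-off the review describes between ConSentry's flexible single mapping and Nevis' per-group merge.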