ConSentry enforces access policies

ConSentry is introducing a new product that incorporates its network access control hardware and software into an Ethernet switch, making it possible to enforce access policies on a port-by-port basis.

Called CS4048 LANShield Switch, the device performs all the functions of the company’s previous policy appliance called Secure LAN Controller, but can restrict access to individual switch ports rather than entire switches.

Both devices control access to the network, show what each user is doing, manage what resources individuals and groups can reach and stop the spread of viruses and worms.

The new device can more surgically shut down malicious outbreaks, says Steven Olsen, infrastructure manager for the Las Vegas Review-Journal, who uses the Secure LAN Controller and is considering the LANShield Switch as the company upgrades its network to 10G Ethernet. If the security monitoring gear in the switch detects behavior from a desktop that indicates a virus or worm at work, it can shut down the port that machine is connected to without affecting other machines connected to the same switch, he says.

The Secure LAN Controller can’t do that. It sits between workgroup switches and core switches, monitoring traffic and enforcing policies, but cannot shut down individual switch ports, he says. If it discovers an outbreak, it has to shut down the entire switch from which the outbreak originates. “If the controller was connected to a 72-port switch, then connectivity would be lost to all 72 computers on that switch,” Olsen says.

The downside of the new LANShield Switch is that it requires replacing switches, which may mean waiting for the next replacement cycle, says Olsen. An advantage of Secure LAN Controller was that it afforded access protection without requiring other infrastructure upgrades.

Other vendors offer overlay network access control devices that don’t require network upgrades, including DeepNines, Lockdown Networks, Nevis, InfoExpress and Vernier. Nevis offers its gear as a separate appliance or as a security switch.

The new switch can work in tandem with other network access control schemes that focus on endpoint security by making sure devices meet security policies before they are admitted. The new ConSentry gear would conflict with such access control architectures that call for a specific brand of switch to be the enforcement point for controlling access such as Cisco’s network admission control (NAC).

ConSentry gear can check the security posture of endpoints in tandem with Check Point’s Integrity software at $3,000 per Secure LAN Controller. The company says it will migrate to support for Microsoft’s network access protection (NAP) endpoint security scheme as well as the one being developed by the Trusted Computing Group consortium.

ConSentry says it is also open to licensing its software and processors to other switch vendors looking to quickly come up with a way to enforce access policies.

The switching equipment for LANShield Switch is off the shelf, and the security processors and software are custom made by ConSentry. The device scans all traffic to Layer 7 at 10Gbps to enforce policies at 10Gbps, the company says. It can draw on separate policy servers such as Active Directory.

Olsen says the Review-Journal is considering VoIP on its network, and the LANShield Switch’s power-over-Ethernet feature could be used to power the phones.

CS4048 LANShield Switch will be available in the third quarter for $14,995. It includes 44 copper and four fiber Gigabit Ethernet ports and has two optional 10Gbps Ethernet ports. ConSentry has not set the price for the 10Gbps uplinks.