Network Computingwww.networkcomputing.com

Rolling Review: Consentry Networks LANShield Controller CS2400 and Consentry InSight

Posted by Mike Fratto, Editor
October 19, 2007

Tags: InSight, LANShield, Mike Fratto, in-band NAC, review, Access Control, Authentication, ConSentry, Data Protection, Data Security, Security and Privacy

Channel: Data Protection

The Upshot In-line NAC products are superior to their out-of-band brethren because they can both monitor and filter all traffic passing through the appliance, and they require no network changes other than re-cabling. Network visibility also means in-line products can act on malicious traffic such as worms, scans and DoS attacks. The argument over the best NAC deployment style is fundamentally based on two principles: When does assessment occur, and how is access control enforced? Out-of-band NAC products generally place hosts on networks based on device condition, while in-band NAC devices tend to restrict access to network resources based on a variety of criteria. Think of in-band NAC more like a port-based firewall. The strength of ConSentry's LANShield Controller lies in its robust policy development; a number of host conditions can be factored into access-control decisions. We also like that it does in-line blocking, much like a per-host firewall. However, the LANShield's user-based access control is weak because it doesn't detect log-offs. Reporting in InSight is near useless for troubleshooting, and Layer 7 application detection is severely limited. Consentry Networks LANShield Controller CS2400 and Consentry InSight

ConSentry's CS2400 LANShield Controller, the first entry in our in-line NAC Rolling Review, is a passive in-line NAC device that applies access controls based on a variety of user-defined criteria. The Controller is a good port-based firewall and has the potential to be a powerful user-based access control system, as evidenced by its robust definition engine. However, because it cannot detect log-offs, the device fails to live up to ConSentry's claim of enabling NAC based on making ACL decisions by user. We also found its logging capabilities lacking.

The CS2400 model that we tested ships with 10 paired SFP GBIC ports supporting 10/100/1000 copper and single- and multi-mode fiber. An out-of-band Gigabit Ethernet port provides for management. Appliances can be deployed in an active/active configuration, sharing user authentication state. In addition, the devices can be set to either pass or block traffic in the event of hardware failure. We used ConSentry's InSight Command Center to manage the Controller.

Paired ports pass bridge traffic through the CS2400; each port is defined as either host-oriented or network-oriented. The distinction is important because the LANShield Controller looks for authentication traffic on host ports. Reversing the ports, as we accidentally did, causes access-control issues. Unlike with out-of-band NAC products, we didn't have to reconfigure our switch or router. The Controller detected our 802.1Q trunks.

Roles and Holes

Related Reading

More data-protection Insights