RSS
Email
Print
ShareRolling Review: Consentry Networks LANShield Controller CS2400 and Consentry InSight
Posted by Mike Fratto, Editor on October 19, 2007
|
The Upshot
 In-line NAC products are superior to their out-of-band brethren because they can both monitor and filter all traffic passing through the appliance, and they require no network changes other than re-cabling. Network visibility also means in-line products can act on malicious traffic such as worms, scans and DoS attacks.  The argument over the best NAC deployment style is fundamentally based on two principles: When does assessment occur, and how is access control enforced? Out-of-band NAC products generally place hosts on networks based on device condition, while in-band NAC devices tend to restrict access to network resources based on a variety of criteria. Think of in-band NAC more like a port-based firewall.  The strength of ConSentry's LANShield Controller lies in its robust policy development; a number of host conditions can be factored into access-control decisions. We also like that it does in-line blocking, much like a per-host firewall. However, the LANShield's user-based access control is weak because it doesn't detect log-offs. Reporting in InSight is near useless for troubleshooting, and Layer 7 application detection is severely limited. Consentry Networks LANShield Controller CS2400 and Consentry InSight |
ConSentry's CS2400 LANShield Controller, the first entry in our in-line NAC Rolling Review, is a passive in-line NAC device that applies access controls based on a variety of user-defined criteria. The Controller is a good port-based firewall and has the potential to be a powerful user-based access control system, as evidenced by its robust definition engine. However, because it cannot detect log-offs, the device fails to live up to ConSentry's claim of enabling NAC based on making ACL decisions by user. We also found its logging capabilities lacking.
The CS2400 model that we tested ships with 10 paired SFP GBIC ports supporting 10/100/1000 copper and single- and multi-mode fiber. An out-of-band Gigabit Ethernet port provides for management. Appliances can be deployed in an active/active configuration, sharing user authentication state. In addition, the devices can be set to either pass or block traffic in the event of hardware failure. We used ConSentry's InSight Command Center to manage the Controller.
Paired ports pass bridge traffic through the CS2400; each port is defined as either host-oriented or network-oriented. The distinction is important because the LANShield Controller looks for authentication traffic on host ports. Reversing the ports, as we accidentally did, causes access-control issues. Unlike with out-of-band NAC products, we didn't have to reconfigure our switch or router. The Controller detected our 802.1Q trunks.
Roles and Holes
ConSentry's role definition is very flexible. We could combine a variety of criteria, including authentication type, RADIUS attributes, network information and time of day, to assign a user to a role. Role assignment could be as simple as tying your Active Directory group membership to InSight's roles, or you could take into account network address or host condition. Roles are assigned access-control policies that determine what a user or host can do within the network. The flexibility lies with the product's role hierarchy, where each child role inherits access controls from its parent. Rules are then processed from the lowest matching child rule to the All Users role. Access-control rules are essentially firewall rules allowing or denying network traffic.
Add Your Comment: