Network Computingwww.networkcomputing.com

Consentry's updates LANshield OS

Posted by Mike Fratto, Editor on December 28, 2007

Consentry's incremental update of its LANshield OS appliance OS adds more active authentication options, authentication server cascading, support for Microsoft NAP, log-off detection, and dashboard support. Taken in total, the updates make a good NAC product better.

Before any policy can be applied to a user, you first have to authenticate them. LANshield 3.2, adds support for active authentication using Active Directory and LDAP, additional authentication methods to the local data base and RADIUS. The new authentication methods integrate tighter with existing infrastructure. Multiple authentication systems can be used simultaneously with authentication maps defining the order that servers should be used based on domain name, port, or VLAN. In addition, user attribute lookup uses the same cascading look-up model. These features are useful for enterprises with multiple administrative domains and simplifies authentication policy.

Extending their passive snooping model, 3.2 also adds support for Microsoft NAP when using DHCP as the enforcement model by passively sniffing the health status returned from the Microsoft policy server and applying an access control model. The NAP integration further tightens access control from subnet to specific hosts and services and should simplify integrated policy development.

LANshield also passively detects user log-offs in addition to logins. This feature only works when users login and log-off through the network to Active Directory. To take advantage of this feature, you will need to disable cached credentials on hosts and deny users the capability to logon locally. Consentry's LANshield Swtich can also use link down events on the switch to log-off users. Link down detection is available only on the switch because the LANshield ties a user identity to a switch port.

Gimme data

Consentry has also added rich reporting capabilities in the update with the ability to report are activity by role. Taken in aggregate, knowing what resources a group of people are using, viewing common access violations, and trending over time help to manage users and adapt to role based needs. Role based reporting may also useful for audit and compliance requirements.

Additional reports include application usage including common application s on non-standard ports like SSH on high numbered ports or applications that use port 80 as a way to by-pass firewalls. The new reporting can also break out the user agents using HTTP as a transport—a useful feature for determining what browsers are in the network, determining network device types and monitoring activity. Consentry has also added the capability to decode more IM protocols and report on Skype usage by name.

Consentry also introduce the LANshield CS 4024 swtich. With 24 ports of 10/100/1000 and two SFP cages, and an optional 230 watt PoE model, the switch makes a good workgroup replacement. The CS4024 uses the same LANshield OS as the other switch models so integration is a snap. The CS4024 is priced at $6,995 for the switch and $7,995 for the PoE model.

RELATED LINKS Review: Consentry Networks LANShield Controller CS2400 and Consentry InSight A good port-based firewall with potential to be a powerful user-based access control system, LANShield fails to live up to ConSentry's claim of enabling NAC based on making ACL decisions by user.