Secure Switch NAC--Security At The Ingress Point

Steve Hultquist at InfoWorld recently posted a review of ConSentry Network's LANShield Switch. The review is largely positive, as was my review of ConSentry's LANShield Controller, its in-band NAC product which sports many similar features. I think ConSentry, along with Nevis Networks, which has a competing product line, are on to something. First off, I admit that I am biased toward protective measures that are close to the threat source. In the NAC world, the threat source is the host computer and user accessing the network. A secure switch that has port-based protective features like stateful packet filtering, anomaly detection, 802.1X, and authentication snooping, for example, means the attacks can be detected at the ingress port and access controls can block traffic before malicious packets or hosts can even access the network. I'd prefer port-based security simply because the bad guys are trapped before damage can be done.

Other NAC strategies, like DHCP and MAC enforcement, VLAN steering, and capture portals, often grant hosts some network access before any assessment can be performed. In addition, some NAC products can't take action based on user activity after the user has been granted access to the network until another assessment or authentication is forced. These other strategies are effective at stopping the casual user, but I am loath to give a determined and skilled attacker any access. Let me add that enforcement methods like DHCP and MAC control, as well as VLAN steering, can be strengthened using features in modern switches that snoop DHCP requests, enforce DHCP addresses on a port, and lock dynamically discovered MAC addresses. These advanced capabilities vary based on switch vendor, model, and firmware, but those features are worth looking into.

Traditional switch vendors -- the Ciscos, Extremes, and HPs of the world -- have been adding port-based security features such as port-based stateless ACLs and traffic anomaly detection to their access switch line. More advanced detection, such as IDS and sophisticated network anomaly detection integration, requires extra software for analysis, command, and control.

From a feature standpoint, both ConSentry's LANShield Switch and Nevis' LANenforcer Secure Switch are more thorough and effective. Having tested both products recently with their management stations (see ConSentry and Nevis reviews), the policy-building functions are relatively easy to use and seem to scale well. You can define objects, use them multiple times, and changes made once are applied to all instances of the object. The reporting detection and reporting either in the company's management station or events exported to an external server is more than adequate to get a deep view of network activity where it is originating.

There are, of course, some legitimate concerns by enterprises about the longevity and stability of a small company, as well as concerns about the stability and flexibility of an access switch. Switching is one of those IT functions that no one thinks about until it fails, and then your day goes from good to bad in a heartbeat. Vendors like Cisco, Extreme, and HP have years of experience building switches and, more important, those switches have been field tested and the vendors can point to those years as a testament to how reliable their gear is.Breaking into the switch market is tough, but if NAC is a major concern and you're in the process of a switch upgrade, you should consider a secure switch as an alternative. There is a price premium for the additional features and you will have to shell out the money for a management station (I wouldn???t recommend not getting a management station unless you have the time and skills to master their CLI), but even if they are deployed at key points in your network, like public areas and meeting rooms, you can reap the benefits of targeted protections with minimal impact on your network.