ConSentry Impresses In Second Go-Round

Smart switch line enforces policy at the port.

Randy George

June 22, 2009


There's a growing population of IT managers who are demanding more from their Ethernet switching vendors, and while the Ciscos and Extremes of the world are more than happy to sell you switches with greater speeds and port counts, good luck finding additional capabilities outside of core Ethernet switching functionality packaged into a single chassis. Emerging players like ConSentry are wading into waters that the larger players are strategically unwilling to swim in, and the result bodes well for small and midsize enterprises that need to make every dollar count in 2009.

On the surface, the ConSentry CS4024 loosely resembles most edge switches on the market today. The CS4024 comes in two flavors, either Power over Ethernet or non-PoE, with both models sporting 24 ports of 10/100/1000 copper, two of which are shared copper/fiber ports for uplinks to core or distribution switches. Of course, if all ConSentry had to offer was an Ethernet switch, we wouldn't be wasting your time with a review of commodity hardware. It's what's under the hood of the CS4024 that's worth a closer look.

Using a combination of custom ASICs and intelligent switching code, the ConSentry line of switches provides network access control, deep packet inspection, and threat and user access control all in one package. ConSentry and other smart switch vendors are attempting to do something that firewalls, virus engines, malware-prevention tools, and URL filters can't do: enforce policy at the switch port. It's a strategy that more and more IT managers are adopting -- because after all, wouldn't you prefer to subdue a would-be robber before he breaks into your home?

ConSentry's intelligent switch last made its way through the InformationWeek labs in October 2007. At the time, our very own Mike Fratto took a miter saw to the prior generation of the CS4024 and exposed some serious security flaws that he humorously described as a hole "big enough to drive a truck through."

Our analysis of ConSentry's security flaws did not go unnoticed, because 18 months and two code revisions later, we see a much improved smart switch that addresses or works around almost every security hole that we reported in late 2007.

As a switching and security product that's meant to be deployed at the edge, we found a nice spot in one of our enterprise network wiring closets for the CS4024 and quickly proceeded to unleash its full capabilities on unsuspecting users. Deployment of the CS4024 is relatively painless, although it's not nearly as plug-and-play as Napera's N24 NAC switch. ConSentry's feature set is also much more complex and robust. Before putting the CS4024 into production, it's necessary to install the ConSentry InSight centralized policy management and distribution component on a server-class machine.

Our Take

CONSENTRY CS4024

The ConSentry CS4024 is a worthy competitor to Cisco NAC and, as an edge switch, is certainly cheaper and more functional than most Cisco Catalyst and Extreme Summit switches. Built-in Layer 7 awareness along with Kerberos authentication snooping allows the CS4024 to capture login credentials and apply security policy based on Active Directory login ID. P2P application protection worked extremely well in the lab; we were unable to port hop outside the switch using many flavors of file-sharing applications. Negatives include the lack of ability to create custom application objects and the inability to easily check for individual Windows updates during health checks.

One of the strongest features of the CS4024 is the robustness of its endpoint health checking capabilities. Unlike many products that simply health check Windows Update policy, virus signatures, and firewall status, the LANShield switch and InSight Manager take NAC several steps further. Broad categories for enforcing system health include multi-OS support along with a wide variety of antivirus, spyware, and firewall applications. In addition, we had the ability to check for particular files, running processes, and registry keys present as added tools for determining system health. Once defined, NAC policy can be immediately pushed out to all LANShield switches, and client enforcement can be accomplished with the help of a locally installed agent or via a Java-enabled agent that enforces system health via captive portal when a browser is opened.

If a client fails a health check, there's no need for virtual LAN switching, because the CS4024 can dynamically enforce access policy, negating the need to maintain quarantined VLANs or access lists for unhealthy systems. All NAC features worked well in the lab environment; the only knock we had was that we didn't have the ability to enforce policy on specific Windows updates, although the ability to check for certain registry keys, files, and processes provided an acceptable workaround.

ConSentry's full Layer 7 awareness, coupled with the ability to snoop in on the Kerberos authentication process, gives administrators the ability to define custom application usage policies and roles based on Active Directory user ID, group membership, or other parameters contained within an Active Directory object. With code release 3.4, ConSentry has greatly improved on its user access control since we saw revision 3.2 back in late 2007, and it now only seems to fall short in one area.

Fratto discovered during his lab work with 3.2 that full network access could be obtained by plugging into a switch port with cached credentials on a port previously enabled with full network access by a legitimate user. Thankfully, ConSentry has closed that hole somewhat with some additional safeguards, including the ability to time out an active session or terminate it entirely if Layer 1 connectivity is broken. This is certainly a great start for preventing intruders from, for example, walking up to a network printer or an IP phone and pulling its network cord in an attempt to gain full system access. Unfortunately, we were still able to crack ConSentry's logoff mechanism by logging off a user with full network access on the domain and logging back in with a local user account, without physically unplugging the network connection. While the switch was able to detect and reapply policy when logging in with another domain account, it was unable to detect a domain logoff and a local login.

While that's an issue, the malicious user would still need credentials on the domain in order to authenticate to domain resources, so without credentials, the hacker is limited to rummaging through local system files or poorly secured network shares.
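The port-binding behaviour described in the two paragraphs above, as an added illustration that is not ConSentry's code or any real switch implementation: a per-port model in which the identity snooped from a Kerberos exchange sets the port's policy role, link loss and the session timeout clear it, and a domain logoff followed by a local logon produces no event the model can observe, so only the timeout bounds the exposure. The role map, timeout values and event names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PortSession:
    user: Optional[str] = None  # identity last seen authenticating on the port
    last_seen: float = 0.0      # time of that Kerberos exchange


class PortBinding:
    """Constructed model of identity-to-port binding on a NAC edge switch."""

    def __init__(self, roles: Dict[str, str], idle_timeout: float) -> None:
        self.roles = roles                # assumed map: domain user -> role
        self.idle_timeout = idle_timeout  # seconds before a session expires
        self.ports: Dict[int, PortSession] = {}

    def kerberos_login(self, port: int, user: str, now: float) -> str:
        # A fresh Kerberos exchange on the port rebinds it to that user, which
        # is why a second domain login is detected and policy reapplied.
        self.ports[port] = PortSession(user=user, last_seen=now)
        return self.role(port, now)

    def link_down(self, port: int) -> str:
        # Layer 1 loss ends the session outright (the 3.4 safeguard).
        self.ports.pop(port, None)
        return "restricted"

    def unobserved_local_logon(self, port: int, now: float) -> str:
        # Assumption: a local-account logon sends no Kerberos traffic to the
        # domain, so the switch sees nothing and the old binding survives
        # until the idle timeout or a link drop.
        return self.role(port, now)

    def role(self, port: int, now: float) -> str:
        s = self.ports.get(port)
        if s is None or now - s.last_seen > self.idle_timeout:
            return "restricted"
        return self.roles.get(s.user, "restricted")


if __name__ == "__main__":
    sw = PortBinding({"alice": "engineering"}, idle_timeout=3600.0)
    print(sw.kerberos_login(7, "alice", 0.0))          # engineering
    print(sw.unobserved_local_logon(7, 10.0))          # still engineering
    print(sw.role(7, 3601.0))                          # restricted by timeout
```

A shorter idle timeout is the only lever in this model that narrows the window between a domain logoff and the port falling back to the restricted role.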

Layer 7 application filtering features, while not very customizable, were more than sufficient for protecting against the vast majority of port-hopping peer-to-peer threats out there. The CS4024 impressively stymied every attempt to port hop out to the Internet using various P2P clients. L7 awareness allows the controller to peel deep into the packet payload to check for those unmistakable application signatures that prevalent file-sharing protocols in use today leave behind. P2P protocol support includes Gnutella, Direct Connect, BitTorrent, WINNY, and IM file transfer.

While ConSentry's P2P protection capability performed well, we would love to see ConSentry give users more options for defining custom applications to enforce policy on. As of now, if you want to apply policy to new applications, you'll need to send packet captures to the ConSentry lab for analysis and development of a protection mechanism.

Those familiar with managing a Cisco infrastructure will immediately take to the ConSentry command-line interface, which looks and feels much like a Cisco Catalyst. The ConSentry CLI falls a tad short on logging and debugging, and we had a hard time getting live debugs to the console working properly for various events for which we were clearly generating activity. But on the whole, the CLI itself was rather robust and its similarity to the Cisco IOS will surely make for an easy transition for most network engineers. Reporting in InSight is well presented in dashboard-like fashion and offers a good amount of analytics on traffic and application usage, policy incidents, along with reports on system health and authentication issues.

Enterprises looking to concentrate their defenses at the very edge of the network will find the CS4024 to be a fairly robust solution for enforcing system health, applying usage and quality-of-service policies, and preventing malicious applications from traversing the switch port.

The CS4024 starts at $4,995 and goes up from there based on additional security and enforcement options available for purchase à la carte.

Randy George is an industry analyst covering security and infrastructure topics.
