Traditionally, enterprise networks have been built on trust: Anyone connected is assumed to be authorized because they have to be on the premises. But the growing prevalence of wireless networks, remote access, and nonstaff workers have turned networks into easy targets. “The LAN is now the new DMZ,” says Tom Barsi, CEO of ConSentry.
You could replace all your switches with ones that include an authentication mechanism such as 802.1x. But that’s costly. Another option is to use overlay control software to monitor the network and authenticate users as they try to access resources. “But that software is not designed for high-speed networking,” Barsi says. “You’ve got to do this at LAN speeds.”
ConSentry approaches the authentication issue from a new angle. Its LANShield appliance sits right behind the existing intrusion detection system, connected via a bridge that allows it to perform deep packet analysis and inspect traffic all the way to the application layer, even on 10Gbps networks, without requiring new switches — although ConSentry also offers its technology embedded in a switch for customers upgrading their switches anyhow.
ConSentry has automated many functions, including some not available in standard 802.1x. For example, to ensure that desktop systems don’t contain threats that could enter the network, the ConSentry devices can issue temporary agents to scan for known threats, anti-virus definition, service packs, and custom registry keys and files. This frees IT from having to load and manage agents on each desktop.
Used with Windows Active Directory, the ConSentry appliance watches the Kerberos communications involved in the Windows domain log-in to learn the user’s identity and to ascertain whether the user is allowed on the network. Users do not have to change log-in behavior, and IT doesn’t have to worry about training and supporting a new log-in method.
Similarly, when used with RADIUS servers, the ConSentry appliance watches the EAP (Extensible Authentication Protocol) communications between, for example, a wireless access point and an authentication server to learn who the authenticated users are. The appliance also supports active authentication, using captive portal authentication to ensure the user cannot access any network resource without first authenticating.
The companion Insight control center software takes the data gleaned from appliance monitoring and allows you to orchestrate and enforce user-access policies — with capabilities that go beyond standard 802.1x. In essence, it can treat policies as building blocks and can layer on multiple levels of control easily.
ConSentry allows you to see in real time what users are doing, the resources they are accessing, and who is violating your acceptable-use policy. The amount of information decoded and logged per user is staggering.