Exclusive: ConSentry keeps a watchful eye on users

LAN Controller enforces policies at the hardware level

Network security is going through a paradigm shift. It is no longer enough to secure just the network edge against unknown attackers trying to break in; traffic inside the network must come under increased scrutiny, as well, to ensure that users are following established policy or meeting regulatory requirements. And when users misbehave, there must be a way to enforce the policy by denying access to sites, applications, and protocols.

One way to do this is with the Secure LAN Controller family of products from ConSentry Networks. The LAN Controller is an appliance that installs between network users and the core backbone switches in the wiring closet. It inspects -- in real time and at wire speed -- all LAN traffic from Layer 2 to Layer 7, associating users with applications and then applying access-control policies.

Two versions are available: a 10-port model that can handle as many as 200 concurrent users and 2Gbps of traffic, and another that has 24 ports, scales to 1,000 users, and handles 10Gbps of traffic. The heart of the controller is the highly scalable proprietary LANShield ASIC. ConSentry designed this processor with 128 multithreaded cores on a single chip to handle the demanding traffic flows.

I had the opportunity to take an exclusive look at the ConSentry CS2400 Secure LAN Controller in my lab and found the system more than capable of enforcing various user policies. Through the use of the InSight management tool, I was able to create a global policy that defined what resources were available for different groups of users.

I could also see, in real time, what my users were doing, the resources they were accessing, and the users who were violating my acceptable use policy. The amount of information decoded and logged per user was staggering.

I was impressed by how well the system sniffed out malicious traffic and quickly clamped down on it.

For example, I ran a simulated worm attack from a client PC. The attack was quickly detected based on a number of criteria by ConSentry and clamped down at the LAN Controller. Interestingly, the LAN Controller denied the worm’s traffic (blocked the port and application flow) but did not interrupt legitimate traffic from the same host. I was still able to browse the Internet and access shared resources even while the attack was in progress.

Many similar security systems would simply deny the PC access to the network, thereby stopping the worm, but ConSentry is much more granular and can block just the offending application.

Know thy user

Part of what makes the Secure LAN Gateway so powerful is its capability of positively identifying users. It does this by using the authentication systems already in place: Windows Domains (Active Directory) or RADIUS. The Secure LAN Controller decodes packets all the way to the application layer, and upon a successful user log-on, associates the user ID to the device’s MAC (media access control) address and IP address.

After authentication, ConSentry retrieves any group memberships from the authentication server and compares them against its own set of policies. Enforcement can be based on resource (which resources a user can access), application (which applications a user can use), or group (which groups of users can communicate with one another).

The combination of these three types of enforcement criteria allows for very flexible, yet granular policies. For instance, a policy can take the form of denying traffic between engineering and finance users or allowing selective access to servers and databases.

Other combinations include enforcing no IM outside the enterprise or simply denying file attachments via IM or Web mail. ConSentry’s capability to “see” to Layer 7 in each packet provides a wide range of options when defining security policies.

For users such as contractors or business partners who need to access the network but aren’t part of the local user authentication system, ConSentry provides a Web-based system called Captive Portal. Basically a catch-all log-on system, Captive Portal authenticates against a RADIUS server and helps maintain control of users not directly managed or maintained in the enterprise directory. This allows IT to create a “visitor” profile and set of policies to manage these users directly.

In the event that a user does not successfully authenticate, depending on the ConSentry policy, the Secure LAN Controller can deny the user access to all network resources or allow access to specific resources. For example, a user who fails to log in might be redirected to an informational page for remediation or simply allowed to browse the Internet and nothing else.
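The enforcement model described above (identity bound to a MAC/IP pair at log-on, rules keyed on resource, application, or group, a restricted profile for hosts that never authenticated, and per-application blocking that leaves the rest of a host's traffic untouched, as in the worm test earlier) can be sketched as a small policy engine. The following is an added illustration written for this article, not ConSentry's code or configuration syntax: the group names, addresses, application labels, the first-match rule order, and the `10.0.0.0/8` "inside" prefix are all constructed assumptions.

```python
"""Toy identity-aware LAN policy engine (constructed example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ENTERPRISE_NET = ip_network("10.0.0.0/8")   # assumed: addresses considered "inside"
UNAUTHENTICATED = "unauthenticated"         # pseudo-group for hosts with no log-on seen


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str   # Layer-7 label, assumed to come from the packet inspection engine


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    src_groups: Optional[FrozenSet[str]] = None  # group criterion: who is sending
    dst_groups: Optional[FrozenSet[str]] = None  # group criterion: who is receiving
    apps: Optional[FrozenSet[str]] = None        # application criterion
    dst_ips: Optional[FrozenSet[str]] = None     # resource criterion
    external_only: bool = False                  # match only traffic leaving the enterprise


class Controller:
    def __init__(self, rules: List[Rule], default_action: str = "deny"):
        self.rules = rules
        self.default_action = default_action
        self.bindings: Dict[Tuple[str, str], Identity] = {}   # (mac, ip) -> identity
        self.by_ip: Dict[str, Identity] = {}                  # ip -> identity of its user
        self.blocked_apps: Set[Tuple[str, str]] = set()       # (src_ip, app) quarantined

    def observe_logon(self, mac: str, ip: str, user: str, groups) -> None:
        """Called when a successful directory/RADIUS log-on is decoded on the wire."""
        ident = Identity(user, frozenset(groups))
        self.bindings[(mac, ip)] = ident
        self.by_ip[ip] = ident

    def identity_for(self, mac: str, ip: str) -> Identity:
        # Keyed on the MAC/IP pair, so a host reusing only someone else's IP
        # does not inherit that user's identity or privileges.
        return self.bindings.get((mac, ip), Identity("<unknown>", frozenset({UNAUTHENTICATED})))

    def _matches(self, rule: Rule, flow: Flow, src: Identity, dst: Optional[Identity]) -> bool:
        if rule.src_groups is not None and not (rule.src_groups & src.groups):
            return False
        if rule.dst_groups is not None and (dst is None or not (rule.dst_groups & dst.groups)):
            return False
        if rule.apps is not None and flow.app not in rule.apps:
            return False
        if rule.dst_ips is not None and flow.dst_ip not in rule.dst_ips:
            return False
        if rule.external_only and ip_address(flow.dst_ip) in ENTERPRISE_NET:
            return False
        return True

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        """First-match evaluation (assumed semantics); returns (action, reason)."""
        if (flow.src_ip, flow.app) in self.blocked_apps:
            return "deny", "quarantined-app"
        src = self.identity_for(flow.src_mac, flow.src_ip)
        dst = self.by_ip.get(flow.dst_ip)   # known only if a user logged on from that IP
        for rule in self.rules:
            if self._matches(rule, flow, src, dst):
                return rule.action, rule.name
        return self.default_action, "default"

    def quarantine_app(self, src_ip: str, app: str) -> None:
        """Block one application from a host while its other flows keep working."""
        self.blocked_apps.add((src_ip, app))


RULES = [  # constructed policy set; order matters
    Rule("no-eng-finance", "deny", src_groups=frozenset({"engineering"}), dst_groups=frozenset({"finance"})),
    Rule("no-finance-eng", "deny", src_groups=frozenset({"finance"}), dst_groups=frozenset({"engineering"})),
    Rule("finance-db", "allow", src_groups=frozenset({"finance"}), dst_ips=frozenset({"10.0.5.20"}), apps=frozenset({"sql"})),
    Rule("no-external-im", "deny", apps=frozenset({"im"}), external_only=True),
    Rule("visitor-web-only", "allow", src_groups=frozenset({UNAUTHENTICATED}), apps=frozenset({"http", "https"}), external_only=True),
    Rule("staff-web-and-shares", "allow", src_groups=frozenset({"employees"}), apps=frozenset({"http", "https", "smb"})),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Runs constructed flows through the engine and returns the decisions."""
    c = Controller(RULES)
    c.observe_logon("aa:aa:aa:aa:aa:01", "10.0.1.10", "alice", {"employees", "engineering"})
    c.observe_logon("aa:aa:aa:aa:aa:02", "10.0.2.20", "bob", {"employees", "finance"})
    r = {}
    r["eng_to_finance"] = c.evaluate(Flow("aa:aa:aa:aa:aa:01", "10.0.1.10", "10.0.2.20", 445, "smb"))
    r["finance_to_db"] = c.evaluate(Flow("aa:aa:aa:aa:aa:02", "10.0.2.20", "10.0.5.20", 1433, "sql"))
    r["eng_external_im"] = c.evaluate(Flow("aa:aa:aa:aa:aa:01", "10.0.1.10", "203.0.113.5", 5222, "im"))
    r["eng_web"] = c.evaluate(Flow("aa:aa:aa:aa:aa:01", "10.0.1.10", "203.0.113.5", 443, "https"))
    r["visitor_web"] = c.evaluate(Flow("aa:aa:aa:aa:aa:03", "10.0.9.9", "203.0.113.5", 443, "https"))
    r["visitor_internal"] = c.evaluate(Flow("aa:aa:aa:aa:aa:03", "10.0.9.9", "10.0.5.20", 445, "smb"))
    # Different MAC presenting alice's IP: no binding, so no employee privileges.
    r["spoofed_ip"] = c.evaluate(Flow("aa:aa:aa:aa:aa:99", "10.0.1.10", "10.0.7.7", 445, "smb"))
    # Inspection engine flags alice's host spreading over SMB: block only that application.
    c.quarantine_app("10.0.1.10", "smb")
    r["worm_smb"] = c.evaluate(Flow("aa:aa:aa:aa:aa:01", "10.0.1.10", "10.0.7.7", 445, "smb"))
    r["worm_host_web"] = c.evaluate(Flow("aa:aa:aa:aa:aa:01", "10.0.1.10", "203.0.113.5", 443, "https"))
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} {decision[0]:5} ({decision[1]})")
```

Two design points worth noting: the identity table is keyed on the MAC/IP pair rather than the IP alone, so a host that merely reuses another user's address falls back to the unauthenticated profile; and quarantine is recorded per (host, application) rather than per host, which is what lets the worm's SMB traffic be dropped while the same host's web browsing continues.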

Hands off

To accomplish this level of user control, IT must decide either to install additional hardware in the wiring closet or to deploy a software agent to all enterprise users. Another high-end user access control system, Elemental Compliance System, relies on a client-side agent for policy enforcement. All of ConSentry’s enforcement is done in the Secure LAN Controller without any need to install and maintain a software agent on the client PCs.

Unlike Elemental, ConSentry cannot perform any host-compliance checks as part of its policy enforcement, because it doesn’t directly interact with the host device. It does, however, work with any third-party system, such as Cisco’s Trust Agent -- part of the Cisco NAC (Network Admission Control) initiative -- and the Trusted Computing Group agent specification.

This best-of-breed approach allows ConSentry to fit into already established host compliance systems while making the best use of the information gathered from the hosts. The company plans to provide a clientless host-checking solution in the near future to handle devices that do not have an agent installed.

One advantage the ConSentry solution has over the Elemental Compliance System is that it is hardware agnostic. It will enforce access policies on users whether they are on PCs, PDAs, smart phones, or other non-traditional network devices.

A view from the top

Policy creation is done via the ConSentry InSight Management System. This Java-based tool runs on a Windows PC and can manage as many as 10 Secure LAN Controllers. With the current release, only global policies can be set through InSight. Security admins must use the command line interface to create and manage individual user and group policies. The CLI is reminiscent of Cisco Internetwork Operating System, so text junkies will feel right at home.

It is through InSight that admins have user application visibility. Each user session is exposed to the admin including application, destination, and session information. During my tests, I was able to see that a user was accessing a peer-to-peer application, how long he was connected, how many bytes had been transferred, which mail servers he was connected to, and how many e-mails per minute he was sending. The amount of information logged was staggering and provides the kind of digital forensics necessary to identify misuse of network resources.

The ConSentry Secure LAN Controller is a terrific piece of hardware backed by a good management platform. As long as all of your user traffic passes through the controller, policy enforcement is rock solid. It won’t, however, help out in local workgroup situations, so plan your deployment accordingly and ConSentry will handle the rest. But for true real-time visibility into network traffic, the Secure LAN Controller can’t be beat.

InfoWorld Scorecard: ConSentry CS2400 Secure LAN Controller

Value (10.0%)               9.0
Reporting (20.0%)           9.0
Scalability (15.0%)         9.0
Policy Management (20.0%)   9.0
Ease of use (10.0%)         9.0
Policy Enforcement (25.0%)  10.0
Overall Score (100%)        9.2