Exclusive: ConSentry keeps a watchful eye on users
LAN Controller enforces policies at the hardware level
The combination of these three types of enforcement criteria allows for very flexible, yet granular policies. For instance, a policy can take the form of denying traffic between engineering and finance users or allowing selective access to servers and databases.
Other combinations include enforcing no IM outside the enterprise or simply denying file attachments via IM or Web mail. ConSentry’s capability to “see” to Layer 7 in each packet provides a wide range of options when defining security policies.
For users such as contractors or business partners who need to access the network but aren’t part of the local user authentication system, ConSentry provides a Web-based system called Captive Portal. Basically a catch-all log-on system, Captive Portal authenticates against a RADIUS server and helps maintain control of users not directly managed or maintained in the enterprise directory. This allows IT to create a “visitor” profile and set of policies to manage these users directly.
In the event that a user does not successfully authenticate, depending on the ConSentry policy, the Secure LAN Controller can deny the user access to all network resources or allow access to specific resources. For example, a user who fails to log in might be redirected to an informational page for remediation or simply allowed to browse the Internet and nothing else.
To accomplish this level of user control, IT must decide either to install additional hardware in the wiring closet or to deploy a software agent to all enterprise users. Another high-end user access control system, Elemental Compliance System, relies on a client-side agent for policy enforcement. All of ConSentry’s enforcement is done in the Secure LAN Controller without any need to install and maintain a software agent on the client PCs.
Unlike Elemental, ConSentry cannot perform any host-compliancy checks as part of its policy enforcement, because it doesn’t directly interact with the host device. It does, however, work with any third-party system, such as Cisco’s Trust Agent -- part of the Cisco NAC (Network Admission Control) initiative and the Trusted Computing Group agent specification.
This best-of-breed approach allows ConSentry to fit into already established host compliance systems while making the best use of the information gathered from the hosts. The company plans to provide a clientless host-checking solution in the near future to handle devices that do not have an agent installed.
One advantage the ConSentry solution has over the Elemental Compliance System is that it is hardware agnostic. It will enforce access policies on users whether they are on PCs, PDAs, smart phones, or other non-traditional network devices.
A view from the top
Policy creation is done via the ConSentry InSight Management System. This Java-based tool runs on a Windows PC and can manage as many as 10 Secure LAN Controllers. With the current release, only global policies can be set through InSight. Security admins must use the command line interface to create and manage individual user and group policies. The CLI is reminiscent of Cisco Internetwork Operating System, so text junkies will feel right at home.