Network security review: ConSentry LANShield Switch
Policy-based switching and great reporting add muscle to network security
Traditionally, many IT specialists have seen networks as an open channel. They allow an infinite variety of devices to communicate, and the best networks make communication simple, free, and instantaneous -- like the air we breathe. Back in the early days of the Internet, shell accounts were gratis for the asking. Few people used passwords. It was an easy and altruistic era.
But that was a long time ago.
We have long since learned that we have to protect ourselves from the more aggressive Internet users, whether those who do it for nefarious purposes or those who contend that they are just trying to make us aware of our vulnerability. Firewalls, traffic filters, intrusion detection and prevention, and other security devices are now assumed components of a responsible network infrastructure. We feel protected from those external forces. The problem is that those forces have ways of getting inside our perimeter. So we need more protection.
This is where policy-based networking enters the fray. Comprising a range of technologies, including NAC (network access control), traffic analysis, filtering, and reporting, policy-based networks proactively address both organizational requirements and the realities of an unfriendly world. The goal of a well-designed policy-based network is to look free and open to all valid traffic, while coming across as a bit bucket to anything unauthorized.
In earlier NAC reviews (see "NAC smorgasbord: Four ways to police the network" for our reviews of Enterasys, McAfee, Symantec, and Trend Micro, and "NAC appliances reveal who's rapping at your network door" for a look at Caymas -- now Citrix -- as well as Lockdown, Nevis, and Vernier), we began the process of differentiating approaches to policy-based network solutions even as the hype around NAC grew to a fever pitch. After all, the point is solving the business and security problems.
In this and a series of companion upcoming reviews, we will look at the continually evolving world of NAC and policy-based networking. There is some confusion in terminology, since Cisco Network Admission Control (CNAC) is a Cisco-proprietary solution for network access control. We will be reviewing a wide range of NAC solutions (including CNAC), so all references to NAC refer to the more generic concept of controlling access to a network. For each review, we look at the product's ability to address a set of typical enterprise policies and distinguish the ways in which the product does that. As you read all of these articles, the key is to consider your requirements from within the universe of possible policies, especially in terms of the granularity of both the policies and their enforcement. You will also want to consider how you want to interact with the system and whether ease of policy creation, policy modification, or reporting are your most vital requirements.
For this test, we followed the same testing scenarios as in the February 2007 tests.