Network security review: ConSentry LANShield Switch
Policy-based switching and great reporting add muscle to network security
ConSentry LANShield Switch
The ConSentry LANShield Switch is available in both 24- and 48-port versions. The 24-port version includes 24 Gigabit Ethernet ports and two combo SFP (small form-factor pluggable) gigabit ports. The 48-port version includes 44 Gigabit Ethernet ports, four combo SFP gigabit ports, and two 10Gbps ports. Both switches have an option for PoE (power over Ethernet). Functionally, the two switches are identical, offering layer-2 and layer-3 policy control, thereby allowing customers to choose based on their connectivity requirements.
ConSentry also offers the LANShield Controller, a layer-2 device that is designed to sit between the edge and the enterprise network core. LANShield OS is common to the two device configurations.
System management comes via ConSentry InSight, element-management-style software designed to monitor and administer the infrastructure. With InSight, you set up your policies, adjust them when needed, and monitor the state of your devices and infrastructure using the extensive reporting (the best we've seen -- more about this later).
Policy setup and application
ConSentry designed its architecture to interact with back-end AAA (authentication, authorization, and accounting) servers, and its current systems are able to talk to any of Microsoft Active Directory Services, LDAP, or RADIUS. PAMs (pluggable authentication modules) allow the system to authenticate Linux, Mac, and Novell users as well. The switches are able to snoop the traffic to see authentication requests and responses, using the information discovered to determine identity and, thus, apply the appropriate policies.
Setting up policies, then, starts with AAA infrastructure integration. Once installed, InSight allows you to see the registered users and groups, then create policies based on them. The policy editor is straightforward, much like a firewall filter editor, allowing you to assign policies of arbitrary granularity. For example, you can select the types of packets that are allowed for specific IP address ranges, types of device, or user groups. As with all policy-based networking, designing policies to reflect your requirements before creating them is vital. After policies are established, you can apply one or more policies to any group of users.
Once they're in place, the policies are enforced as expected, with all scenarios tested successfully.
One challenge, however, is the device-based focus of InSight. Policies are pushed to the devices, so you can manage all of your devices at once, but the devices do not respond together to changes in the network, such as blocking a specific device or user on the basis of an alert from an IPS. This may be a limitation for larger installations and dynamic environments that require a tighter feedback loop.
Rich reporting options
Put simply, ConSentry has nailed reporting for policy-based networking. Its extensive and comprehensive reports and customizable dashboard set a benchmark for reporting. It is clear at a glance what is happening on the network, how many devices are connected and in what state, what users are doing, and so on. The reporting interface is a clean Java-based graphical system that brings to mind the best of the business metrics management systems available today.