By eweek  |  Posted 2006-10-16 Print this article Print

ConSentry Networks LANShield Controller CS2400, now with LANShield OS 2.2, provides perimeter-level network access and security controls within the LAN. The solution also takes specific aim at high-value networks frequented by transient users, such as contractors and auditors, but IT managers will need to learn its command-line interface to gain full advantage.

Because LANShield devices almost always are deployed throughout a network, we tested ours along with ConSentrys InSight Command Center, which has been newly enhanced with privacy protection filters that can mask user names and other sensitive information from general network administrators who use the product for troubleshooting.

Released on Sept. 18, the $27,995 LANShield Controller CS2400 is a 1U (1.75-inch) appliance equipped with custom chips and 10 pairs of 10G-bps, SFP (small form-factor pluggable) modules for either copper or single-mode or multimode fiber connections. The module pairs operate as a bump in the wire between the edge and the core of the network. This in-line placement is what allowed us to see all network traffic, including Layer 7 application traffic, along with user authentication and authorization transactions.

The unit we tested came equipped with dual power supplies. This is a good thing because if LANShield Controller CS2400 loses power, it fails, cutting off any network traffic to or from the protected network resources.

Tight Access Control

Lanshield Controller CS2400 saw and understood our user authentication transactions. LANShield Controller CS2400 uses a 128-core custom chip to perform deep packet inspection that enables it to tie MAC (media access control) and IP address information to user IDs. In this way, the product ties users to network traffic, allowing IT managers to create extensive policies that tightly control access to LAN network resources.

It took some doing for us to apply policies to users, and IT managers should factor in at least a month of pretty constant work to fine-tune their own LANShield Controller CS2400 policies.

LANShield Controller 2400 runs in one of three modes: monitor, pass-through and protect. Pass-through mode simply passes network traffic, while protect mode is the mode in which the product is run after users are placed into roles and policies are fine-tuned.

We first put the product in monitor mode, to learn what applications, traffic patterns and users were on our network. ConSentry Networks officials said that IT managers should plan on running in monitor mode for a minimum of one week to collect enough data to start making network policy rule sets.

We were able to construct rule sets that parsed users into roles—such as contractor, sales and administrator—based on directory attributes using a new feature called Role Derivations, which integrates with Microsofts Active Directory. Role Derivations AD integration certainly made it easier than it would have been otherwise to put users into roles, but it still required us to spend quite a bit more time than we would have liked tweaking policies. In fact, this process was the most difficult aspect of using the product.

As with many network security tools, the principles that govern the configuration of LANShield Controller CS2400 follow along the same lines as firewall configuration: Policies are constructed that permit or deny network traffic based on source, destination and user authorization.

During tests, LANShield Controller CS2400 policies, along with the user policies that we created, were applied following an order of administrator-set precedence. We found it relatively time--consuming to set the order of precedence so that permitted traffic was specified and then associated—via a LANShield Controller CS2400 policy statement—with the correct user role.

As we worked with the product, it became clear to us that IT managers should consider a ConSentry Networks professional services engagement for assistance in getting the device up and running smoothly. One trick we learned during our tests was to ensure that unauthenticated clients were able to connect to the network to process DHCP (Dynamic Host Configuration Protocol), DNS (Domain Name System) and RADIUS requests so that the authentication process could begin.

Among the important functions of the product that must be configured from the command line is EPV (endpoint validation).

When our client systems tripped the EPV trigger, a temporary agent was downloaded to our systems. The agent checks for the presence and version of anti-virus software; the Windows operating system version, and the presence and version of firewall software.

In our case, when these components were missing, our EPV policy redirected the client to our remediation file share, where the correct versions of the necessary client software were available.

Next page: Evaluation Shortlist: Related Products.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel