ConSentry Combines Security, LAN Switching

New offering from ConSentry streamlines user authentication at the network edge.

ConSentry Networks on Jan. will borrow a page from Enterasys Networks when it launches its approach to integrating security with LAN switching.

While Enterasys has marketed LAN switches for years that integrate security functions into the core switching fabric, security upstart ConSentry believes it has taken the right approach with the new Intelligent Switching architecture in its LANShield edge switches.

Legacy LAN switches use Access Control Lists, VLANs and sample Netflow data to try to control access to resources and monitor user activity on the network. But they are limited to Layer 4 port numbers, such as port 80, and there is no real context for the applications. With newer applications now moving from port to port, it is difficult to map ACLs and VLANs to business policies, according to Jeff Prince, founder and chief technology officer of the Milpitas, Calif., company.

"We embedded into the switch the ability to see and understand users and devices -- not just IP addresses," Prince said. "We understand the roles of users from central directory stores that are already there such as (Microsoft's) Active Directory or Radius. We now have a switching architecture that can bind into that store for a simpler way to add business context to the network."

The LANShield switches using the new Intelligent Switching architecture monitor Active Directory logons to learn the name of users and then the switch queries the Active Directory database to learn what type of user each one is. Customers can set up policies for different user types using ConSentry's Insight Management server, and those role-specific policies can be applied to users as they enter the network.

Also embedded in the LANShield switches is application visibility that can get as granular as recognizing file names, Web addresses and File Transfer Protocol file transfers. And the switches can recognize destinations such as an engineering server or Web address, rather than relying on IP addresses.

Policies can be written and applied for each of those concepts. To insure that such packet inspection happens at wire rates, ConSentry uses a proprietary multi-threaded processor that has 192 processor cores on a single chip. "We can do packet inspection at LAN data rates up to 10G bps," said Prince. And rather than inspecting IP and MAC addresses in a packet to forward to the appropriate destination, the switch can see and control traffic flows in hardware.