ConSentry Networks on Jan. will borrow a page from Enterasys Networks when it launches its approach to integrating security with LAN switching.
While Enterasys has for years marketed LAN switches that integrate security functions into the core switching fabric, security upstart ConSentry believes it has taken the right approach with the new Intelligent Switching architecture in its LANShield edge switches.
Legacy LAN switches use Access Control Lists (ACLs), VLANs and sampled NetFlow data to try to control access to resources and monitor user activity on the network. But those controls see only Layer 4 port numbers, such as port 80, and carry no real application context. With newer applications moving from port to port, it is difficult to map ACLs and VLANs to business policies, according to Jeff Prince, founder and chief technology officer of the Milpitas, Calif., company.
“We embedded into the switch the ability to see and understand users and devices — not just IP addresses,” Prince said. “We understand the roles of users from central directory stores that are already there such as (Microsoft’s) Active Directory or Radius. We now have a switching architecture that can bind into that store for a simpler way to add business context to the network.”
LANShield switches running the new Intelligent Switching architecture monitor Active Directory logons to learn users' names; the switch then queries the Active Directory database to learn what type of user each one is. Customers set up policies for different user types using ConSentry's Insight Management server, and those role-specific policies are applied to users as they enter the network.
Also embedded in the LANShield switches is application visibility that can get as granular as recognizing file names, Web addresses and File Transfer Protocol file transfers. And the switches can recognize destinations such as an engineering server or Web address, rather than relying on IP addresses.
Policies can be written and applied for each of those concepts. To ensure that such packet inspection happens at wire rate, ConSentry uses a proprietary multi-threaded processor with 192 processor cores on a single chip. "We can do packet inspection at LAN data rates up to 10G bps," said Prince. Rather than merely looking up IP and MAC addresses in a packet to forward it to the appropriate destination, the switch can see and control traffic flows in hardware.
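To make the contrast concrete, here is an added example (not ConSentry's code, and not taken from the article) that models the flow just described: logon events bind a source address to a username, a directory lookup turns the username into a role, and each flow is judged against a role policy written in terms of named destinations and application labels rather than port numbers. The logon event format, the directory contents, the destination names, the role policies and the application labels on the flows are all constructed assumptions for the example; in particular, application classification itself is out of scope here, so each flow simply carries the label a classifier would have produced.

```python
"""Identity-aware edge policy versus a port-number ACL (constructed example)."""
import re
from dataclasses import dataclass

# Constructed directory: username -> group, standing in for an AD/RADIUS query.
DIRECTORY = {"alice": "engineering", "bob": "contractor"}

# Constructed named destinations, so policy refers to resources rather than addresses.
DESTINATIONS = {"eng-server": "10.1.10.5", "intranet-web": "10.1.20.8"}

# Constructed role policies: set of (destination name, application) a role may use.
ROLE_POLICY = {
    "engineering": {("eng-server", "ssh"), ("eng-server", "http"), ("intranet-web", "http")},
    "contractor": {("intranet-web", "http")},
}

# Legacy comparison: a port ACL that permits tcp/22 and tcp/80 from the user subnet.
PORT_ACL = {22, 80}

# Constructed logon observations, as an edge switch might see them.
LOGON_EVENTS = [
    "logon user=alice src=10.1.50.11",
    "logon user=bob src=10.1.50.12",
    "garbage line that does not parse",
]
_LOGON_RE = re.compile(r"logon user=(\S+) src=(\S+)")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str  # application label assumed to come from a classifier (not implemented here)


def bind_identities(events):
    """Build the source-address -> username table from observed logon events."""
    table = {}
    for line in events:
        m = _LOGON_RE.match(line)
        if m:
            user, src = m.groups()
            table[src] = user
    return table


def port_acl_decision(flow):
    """What a port-based ACL sees: only the destination port."""
    return "permit" if flow.dport in PORT_ACL else "deny"


def role_decision(flow, bindings):
    """Identity- and application-aware decision; default deny on anything unknown."""
    user = bindings.get(flow.src)
    if user is None:
        return "deny", "unknown-user"
    role = DIRECTORY.get(user)
    if role is None:
        return "deny", "unknown-role"
    name = next((n for n, ip in DESTINATIONS.items() if ip == flow.dst), None)
    if name is None:
        return "deny", "unknown-destination"
    allowed = (name, flow.app) in ROLE_POLICY.get(role, set())
    return ("permit" if allowed else "deny"), f"{user}/{role}"


def evaluate(flows, events=LOGON_EVENTS):
    """Return (port-ACL verdict, role-policy verdict) for each flow."""
    bindings = bind_identities(events)
    return [(port_acl_decision(f), role_decision(f, bindings)[0]) for f in flows]


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.1.50.11", "10.1.10.5", 22, "ssh"),         # alice -> engineering server
    Flow("10.1.50.12", "10.1.10.5", 80, "http"),        # bob (contractor) -> engineering server
    Flow("10.1.50.12", "10.1.20.8", 80, "http"),        # bob -> intranet web
    Flow("10.1.50.12", "10.1.20.8", 80, "bittorrent"),  # bob, port 80 but a P2P payload
    Flow("10.1.50.99", "10.1.20.8", 80, "http"),        # source with no logon observed
]

if __name__ == "__main__":
    for f, (acl, role) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{f.src:>12} -> {f.dst}:{f.dport} {f.app:<10} port-ACL={acl:<6} role-policy={role}")
```

The port ACL permits all five flows because every one of them uses tcp/22 or tcp/80; the role policy permits only the two that match a known user's role, and denies the contractor reaching the engineering server, the P2P payload riding on port 80, and the source for which no logon was ever seen.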
Going Up Against Cisco
“We can now understand how much bandwidth specific applications are consuming. If you don’t want a user running BitTorrent, we have a new level of granularity to control that user and that application,” Prince said.
ConSentry believes it has an opportunity to gain a foothold with its new architecture at the edge of the network, bringing access control closer to the user and simplifying the process of setting and applying control policies. Because there’s no need to manually separate traffic onto different VLANs, create and maintain ACLs or configure Quality of Service policies, the Intelligent Switching architecture simplifies the process of rolling out new applications and supporting users as they come and go.
While the company hopes to displace Cisco at the network’s edge with its upgraded 24- and 48-port LANShield switch families, the core of the network is all Cisco’s.
That's just fine with new customer Adaptec, which intends to install the ConSentry switches at the edge of its network and keep Cisco in the core, according to Lou Owayni, the company's global network/telecom manager in Milpitas, Calif.
"I was concerned about interoperability and we had a couple of glitches, but the ConSentry engineers were all over it. Their dedication to solving issues was unmatched. I feel very comfortable that any issues that might arise in the future ConSentry will address in an expedient fashion," Owayni said.
With a lot of enterprises now refreshing their LANs to support new VoIP (voice over IP) or wireless implementations, ConSentry may just have a shot, believes Jim Metzler, vice president of Ashton Metzler & Associates in Sanibel Island, Fla.
But Cisco too is touting the need for greater intelligence in the network, and the market is beginning to see new innovation in LAN switching for the first time in years.
“I think there will be an interesting battle for what kind of intelligence needs to be added where in the network,” said Metzler. “The LAN used to be fast and dumb. That’s not acceptable anymore. I can’t assume if you’re on my LAN you’re a good guy. I think we’ll see exciting times in the LAN in the next 24 months.”
ConSentry’s new Intelligent Switching architecture, which exploits existing processing power in the LANShield switches, is available now as an upgrade to its LANShield OS.