ConSentry Networks has rolled out a security-fortified LAN switch, a move that will help kick off a trend giving
enterprises role- and application-based control over every user on their networks, no matter where users are located.
The Milpitas, Calif.-based networking vendor has combined its LANShield silicon architecture and security software with off-the-shelf switching silicon to develop the enterprise-class CS4048 switch, which integrates the security features needed to secure every user and every port on the LAN.
Because the LANShield silicon architecture is common to both the new LANShield Switch and the already shipping LANShield Controller (formerly the Secure LAN Controller), the new switch supports all the security features currently delivered in the Controller. The LANShield silicon consists of a 128-core processor and two programmable ASICs, which work together to provide per-flow inspection and enforcement at 10 Gbps -- including network admission control to restrict who can come onto the LAN, full Layer 7 visibility into all user activities, control over user access to authorized resources through role-based provisioning, and threat control to prevent zero-hour attacks from compromising network availability.
This rollout leads a likely trend to deliver integrated security to a hungry market.
"Integrated security will absolutely be a trend," said Joel Conover, an analyst with Current Analysis. "In fact, I would go so far as to argue that if you don't have integrated security inside the next three years, you will be relegated to commodity infrastructure competition."
As for what's available today, Conover said that the best example of competition is Cisco's intrusion-detection blade for the Catalyst 6500 switch. Combined with Cisco's Network Admission Control, you end up with a solution that approaches ConSentry. But the Catalyst 6500 solution is multi-component and, of course, it requires a big Catalyst 6500 switch. Meanwhile, Conover said, ConSentry's edge solution is elegant and relatively simple.
Nevis Networks is a ConSentry competitor that has a similar approach, "but they are a lot 'younger' than ConSentry, and I haven't actually seen their product in the field anywhere yet competitively," Conover said.
Previously, ConSentry's security technology was available in the LANShield Controller, which provided visibility into and control over who could access networks and resources. ConSentry has now consolidated LAN security and switching into a single platform, a move that reduces the number of devices on a network. The product is targeted especially at enterprises ready to make a wholesale switch upgrade.
"The Controller has helped us out because we have to have different policy sets for different user groups," said Steven Olson, infrastructure manager with the Las Vegas Review Journal. "It's always been difficult to maintain policy for the different groups because we previously had static IP addressing and applied it to everybody in that group."
ConSentry technology supports policies based on a user's Windows login and role and enforces where users can go on the LAN based on that information. So everybody logging into the Journal's network has the appropriate access permissions automatically applied. Before the Journal deployed ConSentry, a user "could get out of the classified or business department and sit down [somewhere else] and have access that you didn't have from the other room," Olson said. With ConSentry, the access policies "applies to you no matter where you are."
The Las Vegas Review Journal is implementing a new 10-Gigabit Ethernet network core and will replace closet switches in the process. Should it opt for ConSentry's LANShield switch -- a strong possibility, Olson said -- he will then have this security technology at the edge of the network instead of at the core, so any unknown anomalies, such as hackers, will be isolated and shut down.
"We are subject to attack every day," Olson said. "ConSentry's platform offers more flexibility because it is able to tie into the Windows logins. We can allow roaming users and maintain policy across the board."