ConSentry Connects to Directories for NAC
By Dave Nixon
January 29, 2008
Secure networking developer ConSentry Networks has introduced what it terms its Intelligent Switch architecture - fundamentally, a firmware upgrade which adds application and role-based control within the network.
The ConSentry devices already had the ability to extract a user’s profile out of an identity store such as MS Active Directory, RADIUS or LDAP, and use this to control network and application access.
The novelty, according to the company's CTO Jeff Prince, is that it can now automatically calculate access rights and privileges from role data stored in the directory.
“The system now uses roles, and enforces without you having to program ACLs into switches, set up VLANs or anything. The IT manager doesn’t have to get involved,” he added. “In effect, it writes your business policies to the switch.”
He said this means an organisation can strengthen its security permissions in a single resource - the directory - with the ConSentry system automatically binding changes into the network.
This is already effective, said Lou Owayni, global network and telecom manager at Adaptec, which has a Cisco core with ConSentry LANShield edge switches.
“With LANShield, when new users are placed in Active Directory, I can safely and automatically add them to the LAN and implement access controls with a single touch,” Owayni added.
Like other flow-based network devices such as WAN accelerators and IPS, the ConSentry switch includes a deep packet inspection (DPI) processor capable of identifying applications at Layer 7 rather than by port number alone. The system can also integrate with identity management software and manage non-user devices such as printers, Prince said.
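The mechanism the article describes, roles read from a directory being turned into network and application access rules without anyone editing ACLs, is easy to sketch as a small policy engine. The following is an added example written for this page, not ConSentry's code; the directory entries, the role-to-policy table and the application names are constructed sample data, and the `move_user` helper is a hypothetical stand-in for a directory administrator changing a group membership. It shows default-deny, Layer-7 application names as the match key rather than ports, a non-user device (a printer) handled through the same role table, and a directory change propagating into the computed policy with no switch configuration touched.

```python
"""Toy role-based network policy engine (constructed example, not vendor code).

Access rights are derived from the roles (directory groups) a principal holds.
The enforcement point recomputes the policy from the directory, so changing a
group membership in one place changes the network policy everywhere.
"""

# Constructed stand-in for an LDAP/AD lookup: principal -> group memberships.
DIRECTORY = {
    "alice": {"Engineering", "Domain Users"},
    "bob": {"Finance", "Domain Users"},
    "printer-3f": {"Printers"},          # a non-user device, same model
}

# Role -> allowed (application, destination zone) pairs.
# Applications are Layer-7 names (what DPI identifies), not port numbers.
# "*" as a zone matches any destination.
ROLE_POLICY = {
    "Domain Users": {("http", "internet"), ("dns", "*")},
    "Engineering": {("ssh", "dev-servers"), ("git", "dev-servers")},
    "Finance": {("https", "erp")},
    "Printers": {("ipp", "print-spooler")},
}


def roles_for(principal, directory=DIRECTORY):
    """Groups the directory reports for a principal; unknown principals get none."""
    return frozenset(directory.get(principal, ()))


def compute_policy(principal, directory=DIRECTORY, role_policy=ROLE_POLICY):
    """Union of the rules of every role the principal holds.

    Default deny: a principal with no roles (or only unknown roles) gets an
    empty rule set, so nothing is permitted until the directory says otherwise.
    """
    allowed = set()
    for role in roles_for(principal, directory):
        allowed |= role_policy.get(role, set())
    return allowed


def is_allowed(principal, app, zone, directory=DIRECTORY, role_policy=ROLE_POLICY):
    """Decide one flow: the application DPI identified, toward a destination zone."""
    for rule_app, rule_zone in compute_policy(principal, directory, role_policy):
        if rule_app == app and rule_zone in ("*", zone):
            return True
    return False


def move_user(directory, principal, from_group, to_group):
    """Hypothetical directory edit: return a copy with one group membership changed.

    This is the only action an administrator takes; the network policy for the
    principal is recomputed from the new membership on the next decision.
    """
    updated = {name: set(groups) for name, groups in directory.items()}
    groups = updated.setdefault(principal, set())
    groups.discard(from_group)
    groups.add(to_group)
    return updated


if __name__ == "__main__":
    # Engineering user reaching dev servers over ssh: permitted by role.
    print("alice ssh -> dev-servers:", is_allowed("alice", "ssh", "dev-servers"))
    # Finance user trying the same thing: no matching role, denied.
    print("bob ssh -> dev-servers:", is_allowed("bob", "ssh", "dev-servers"))
    # Printer only speaks to the spooler; anything else is denied.
    print("printer-3f http -> internet:", is_allowed("printer-3f", "http", "internet"))
    # Alice changes department: one directory edit, policy follows.
    after = move_user(DIRECTORY, "alice", "Engineering", "Finance")
    print("alice ssh after move:", is_allowed("alice", "ssh", "dev-servers", after))
    print("alice https -> erp after move:", is_allowed("alice", "https", "erp", after))
```

The important property for an operator is that `is_allowed` never consults switch-local state: every decision is a function of the directory and the role table, which is what makes "change it in the directory once" sufficient. In a real deployment the directory lookup result would be cached and refreshed, and that cache lifetime is the window during which a revoked membership is still honoured.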
Prince noted that ConSentry does still sell NAC appliances, in particular to companies which aren't prepared to replace their edge switches and want to add security seamlessly.
He said though that this application and role-based security ideally belongs within the edge switch, and envisaged that other vendors would follow ConSentry’s direction over time.
“Cisco with Trustsec has acknowledged the need to bring in user and role data, and so does Juniper’s announcement this week,” he said.
Juniper already has comparable security technology in its UAC (Unified Access Control) devices, and is about to launch a new range of enterprise switching products.
Prince said that the Intelligent Switch firmware is already shipping within ConSentry’s 24 and 48-port switches, and will be a free upgrade for switch or controller customers with a support contract.