ConSentry plans to release software this week that can require both user and device authentication to determine whether a device gains network access, and if so, how much.
With release 3.0 of the ConSentry operating system on which its network access control (NAC) appliances and switches are based, the company makes it possible to link the user's identity with the MAC address of a machine to tighten control over how the network is used.
This makes it possible to grant at least some access, for instance, to a corporate employee who happens to be tapping into the network from a machine not issued by the corporation, says Raffi Jamgotchian, CIO of Canaras Capital in New York City. "You might have a valid person not on a valid device, and you can still provide certain limited access to resources," he says. Employees using their personal laptops might be able to access e-mail but nothing else, for example.
Using the same dual authentication, certain types of devices such as VoIP phones could be restricted to sending only VoIP protocols and accessing a limited number of network resources, such as the VoIP call server. This would prevent access to other network resources by a device that was spoofing a VoIP-phone MAC address, Jamgotchian says.
The Secure LAN Controller NAC appliance sits between workgroup and core switches. It monitors traffic and enforces policies but cannot shut down individual switch ports. If it discovers an outbreak, it has to shut down the entire switch from which the outbreak originates.
The LANShield Switch combines all the functionality of the appliance with the switch itself. ConSentry competes most directly with Nevis Networks and Vernier Networks, which also make NAC devices that use existing switches as enforcement points.
The 3.0 software release can restrict devices such as printers and card readers that don't require explicit authentication to the network by assigning access policies to them as a group. Again, this restricts the resources and activities for which these types of devices are authorized so if they are spoofed, the risk to the network is lessened.
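The three policy outcomes described above (a valid user on a personal device gets e-mail only, a VoIP-phone MAC gets only VoIP protocols to the call server, and printers or card readers get a group policy without user authentication) can be modelled as one decision function over the pair (user identity, device MAC). The following is an added example written for this article, not ConSentry's own code or policy language; the device inventory, user list, MAC addresses and resource names are constructed for illustration, and the policy keys are hypothetical. It shows why the device-class policy is evaluated before the user's identity: a host spoofing the MAC of a phone or printer inherits that device's narrow policy rather than the logged-in user's broader one.

```python
"""Toy model of dual user + device authentication deciding network access.
Hypothetical example; inventory, users, MACs and resource names are constructed."""

from typing import Optional

# Constructed corporate device inventory: MAC address -> device class.
CORP_DEVICES = {
    "00:11:22:aa:bb:01": "laptop",
    "00:11:22:aa:bb:02": "voip_phone",
    "00:11:22:aa:bb:03": "printer",
}

# Constructed set of users whose credentials have been verified.
VALID_USERS = {"alice", "bob"}

# Each policy names the resources and protocols it permits (hypothetical keys).
POLICIES = {
    # valid user on a corporate-issued laptop: full workgroup access
    "user+corp_device": {"resources": {"email", "file_server", "intranet", "internet"},
                         "protocols": {"any"}},
    # valid user on a personal (unknown) device: e-mail and nothing else
    "user+unknown_device": {"resources": {"email"}, "protocols": {"https", "imaps"}},
    # VoIP-phone class: VoIP protocols only, call server only
    "voip_phone": {"resources": {"voip_call_server"}, "protocols": {"sip", "rtp"}},
    # printers / card readers: group policy, no user authentication expected
    "printer": {"resources": {"print_server"}, "protocols": {"ipp", "lpd"}},
    # unknown user on unknown device: no access
    "deny": {"resources": set(), "protocols": set()},
}


def classify_device(mac: str) -> str:
    """Look the MAC up in the inventory; anything not listed is 'unknown'."""
    return CORP_DEVICES.get(mac.lower(), "unknown")


def evaluate(user: Optional[str], mac: str) -> dict:
    """Return the policy that applies to this (user, device) pair."""
    device_class = classify_device(mac)
    # Device classes that never carry a user login get their group policy
    # regardless of who is logged in. A host spoofing a phone or printer MAC
    # is therefore confined to that class's resources, not the user's.
    if device_class in ("voip_phone", "printer"):
        key = device_class
    elif user in VALID_USERS and device_class == "laptop":
        key = "user+corp_device"
    elif user in VALID_USERS:
        key = "user+unknown_device"
    else:
        key = "deny"
    policy = POLICIES[key]
    return {"policy": key,
            "resources": set(policy["resources"]),
            "protocols": set(policy["protocols"])}


def is_allowed(user: Optional[str], mac: str, resource: str, protocol: str) -> bool:
    """Enforcement check: is this flow permitted under the applicable policy?"""
    decision = evaluate(user, mac)
    proto_ok = "any" in decision["protocols"] or protocol in decision["protocols"]
    return resource in decision["resources"] and proto_ok


if __name__ == "__main__":
    # Valid user on a personal laptop: e-mail yes, file server no.
    print(is_allowed("alice", "de:ad:be:ef:00:01", "email", "https"))        # True
    print(is_allowed("alice", "de:ad:be:ef:00:01", "file_server", "smb"))    # False
    # Anything presenting the VoIP phone's MAC is held to the phone policy.
    print(evaluate("alice", "00:11:22:aa:bb:02")["policy"])                  # voip_phone
```

In a real deployment the inventory lookup would be fed by the switch's MAC learning or an asset database and the user check by 802.1X or a directory; the point the toy captures is that the narrower of the two policies wins whenever the device class is one that is not expected to authenticate a user.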
The software increases the number of end devices the ConSentry LAN Controllers support. The number for the CS2400 model is boosted from 1,000 to 2,000 and the number for the CS1000 jumps from 400 to 800. This means customers can support larger deployments with fewer devices.
ConSentry also is expanding the availability of its InSight management platform so it is now available as software only that can be deployed on customers' own hardware. This gives customers the ability to store more data about traffic than was possible on InSight appliances.
The software-only option cuts the base price of InSight from US$17,500 to US$8,000.