Intelligent Switching
User and application control to align the
LAN with the business
Today's competitive business pressures are forcing IT to deal with
more complexity, be more accountable and responsive, and do more with
less. IT is constantly being asked to support a more dynamic and diverse
workforce while still protecting assets, rapidly troubleshoot issues,
and support new LAN services such as VoIP and wireless.
Today's network makes these tasks hard if not impossible because
standard LAN switches aren't smart enough to understand users and
applications. Legacy switches operate on IP addresses and ports. But to
align with the business, IT needs smarter networks that operate on user
identity, roles, and applications and tie that information together to
deliver true business context.
The key to smarter networks is intelligent switching,
which gives you complete user and application control, right in the
wiring closet.

LANShield Switches provide integrated user and application control
without compromising on switch functionality.

LANShield Intelligent Switch Product Comparison

| Model | Ports | PoE | Port Speed | Uplinks | Redundant Power | Authenticated Users |
| --- | --- | --- | --- | --- | --- | --- |
| CS4024 POE | 24 | Yes | 10/100/1000 | Two 1 Gbps SFP | No | 100 |
| CS4024 | 24 | No | 10/100/1000 | Two 1 Gbps SFP | No | 100 |
| CS4048X POE | 48 | Yes | 10/100/1000 | Two 10 Gbps XFP, Four 1 Gbps SFP | Yes | 200 |
| CS4048X | 48 | No | 10/100/1000 | Two 10 Gbps XFP, Four 1 Gbps SFP | Yes | 200 |

LANShield Controllers augment existing switches with user and application
control and require no changes to existing switches.

LANShield Intelligent Controller Product Comparison

| Model | Port Pairs | Port Speed | Extensibility Ports | Redundant Power | Authenticated Users |
| --- | --- | --- | --- | --- | --- |
| CS1000 | 4 SFP | 1 Gbps | 2 SFP | Yes | 400 (upgradeable to 800) |
| CS2400 | 10 SFP | 1 Gbps | 4 SFP | Yes | 1000 (upgradeable to 2000) |

ConSentry InSight Command Center provides IT with a
view of the overall health of the LAN, all user activity, and all
security incidents, providing per-user, per-role, and
per-application views.

ConSentry InSight Command Center Software

| Management | Reporting | Data Archiving | LANShield Devices Supported |
| --- | --- | --- | --- |
| Centralized | Customizable | Yes | Up to 50 per instance |


Compare us to Cisco NAC
Comparing ConSentry with Cisco NAC Appliance
Cisco markets its NAC appliance as an easy way to secure your LAN. But
marketing sometimes stretches reality. Not only is the initial setup harder
than it looks (it takes 17 steps just to get system connectivity and one
role established), but also the dependence on multiple products makes
ongoing operations very complex (four products from three acquisitions), and
the feature set is actually really limited (VLANs and ACLs).
- Network World: Cisco Switches Don't Make the Grade
- Cisco's 17 steps versus ConSentry's 5 steps
A combination of architecture and capabilities contributes to the feature
set a given product can support. The following table compares the feature
sets of the Cisco NAC Appliance and the ConSentry LANShield platforms.
A Feature Comparison

| Feature | Cisco NAC Appliance | ConSentry LANShield |
| --- | --- | --- |
| Authentication | passive: requires CCA Agent; active: Captive Portal; 802.1X | passive: Windows login; active: Captive Portal; 802.1X |
| Posture Check | CCA agent (pre-installed permanent agent complicates deployment and cannot accommodate unmanaged machines) | dissolvable agent or integration with already installed endpoint software (e.g., Vista) |
| Identity-based Control (role-based LAN segmentation) | limited to VLANs and ACLs | full identity-based control on any combination of username, MAC and IP addresses, role, application, location, time of day, and endpoint posture |
| Application Fluency | none in NAC appliance (requires external devices such as Cisco MARS) | to Layer 7 (enables distinction of IM vs. web-based Oracle, for example) |
| Incident Response | limited to endpoint posture incidents in NAC appliance (broader incident response requires Cisco MARS and other capabilities) | all incidents resolved to username, policy involved, and transaction history |
| Role-derivation | learned from Cisco ACS (requires Cisco proprietary RADIUS server) | learned from Active-Directory or RADIUS |
| Enforcement by role | VLAN as a proxy for role, cannot accommodate multiple roles (e.g., CIO as IT plus exec) | full support, including multiple roles via groups in Active-Directory, RADIUS attributes |
| Enforcement by application | Layer 4 info only | full Layer 7 decode |
| Enforcement by time of day | None | Supported |
| Enforcement by location | None | Supported |
| Anomaly detection | None. (Requires purchase of Cisco MARS) | supported for zero-day malware detection, application anomalies, inappropriate traffic sent to or from non-user devices |
| Reporting | limited NetFlow data of IP source and destination, byte counts, time | extensive username, application name, server address or name, filename in CIFS or FTP transactions, URL in web sessions, policy violation |