ConSentry Networks' Secure LAN Controller Family

InSight Manager gives you all the information needed to audit user activity, policy violations and malware outbreaks. Its many graphs for visualizing network status help make up for its less than optimal speed.

Out of the box, the CS2400 can identify about 300 network applications. To do this, it uses deep-packet inspection, which means that if you have an in-house app you want the CS2400 to recognize, you must first define the app's network parameters and characteristics manually.

Policy Restrictions

The CS2400 has no preconfigured policies. You create policies that indicate who can do what and where actions can take place on the network. Group and user policies can be set up using directories, including Active Directory, which I used, and RADIUS.

I set up a policy called "Sales" that applied to members of our sales force. The policy let those members surf the Web with HTTP/HTTPS, but banned instant messaging. To test network-access control using the Sales policy, I booted up a Windows XP client, logged in with an AD account from the Sales group and proceeded to surf the Web. Although I could open AOL Instant Messenger, I couldn't connect to the service, much less send messages. On the management end, InSight Manager showed an application violation from the logged-in user.Next, I cleared the cached user information from the InSight Manager status window so it no longer knew the user was logged in. Theoretically, any subsequent network activity seen from the XP client machine would need to be associated with an authenticated user. To test this, I tried surfing the Web as the user, but I was automatically redirected to an internal Web page on the CS2400. The appliance was now acting as an authentication gateway requiring me to log in to the Web page. When I logged in with the same user account, I was shown the related user information in InSight Manager and redirected to the URL I had requested.

Log Jam

The InSight Management Server collects all logs of network activity associated with a particular user by tying the user name with the IP and MAC (Media Access Controller) of the computer being used. I could see entries for the HTTP traffic with the URLs visited by my test-user account. For organizations subject to strict auditing regulations, ConSentry tries to tie all network traffic back to its corresponding user--something the tools netflow and sflow can't do.

Unlike IDSs based on signatures and network anomaly detection systems that rely on baselining network behavior, ConSentry uses advanced algorithms based on malware behavior. These algorithms know how worms behave on the network and can spot anomalies based on factors such as the rate at which a host connects to other hosts and ports.To test the effectiveness of this method, I used the Linux host to simulate a Blaster attack that had been captured in a pcap file. Tcpreplay replayed the attack across the network and was stopped by the CS2400. The InSight Manager interface listed the Linux host as infected and quarantined.

Reports

InSight Manager's reporting lets you choose which items to include for reports on user activity, policy violations and infections. Reports can be generated automatically, and you can set up a separate Web page on your intranet to poll the location of the next report based on the name, day and time. A few enhancements could be made for branding the reports and adding more graphing abilities, but for a first release, ConSentry has made a good effort.

The CS2400 and InSight Manager do a great job tracking users and their network activity, enabling role-based networking and preventing the spread of malware. I look forward to the next release, which promises hooks into third-party host compliance agents, antivirus scanning, more granular policies for users and possible spyware support.

John H. Sawyer is a network security engineer at the University of Florida and a GIAC Certified Firewall Analyst and Incident Handler. Write to him at [email protected].0