ConSentry Networks
Compare us to Cisco NAC

ConSentry LANShield versus Cisco NAC Appliance

Cisco markets its NAC Appliance as an easy way to secure your LAN, but marketing sometimes stretches reality. The initial setup is harder than it looks (it takes 17 steps just to establish system connectivity and a single role), the dependence on multiple products makes ongoing operations complex (four products from three acquisitions), and the enforcement feature set is actually quite limited (VLANs and ACLs).

A Feature Comparison

A combination of architecture and capabilities determines the feature set a given product can support. The following list compares the feature sets of the Cisco NAC Appliance and the ConSentry LANShield platform, feature by feature.

Authentication
  Cisco NAC Appliance: passive: requires CCA Agent; active: Captive Portal; 802.1X
  ConSentry LANShield: passive: Windows login; active: Captive Portal; 802.1X

Posture Check
  Cisco NAC Appliance: CCA Agent (a pre-installed permanent agent complicates deployment and cannot accommodate unmanaged machines)
  ConSentry LANShield: dissolvable agent, or integration with already installed endpoint software (e.g., Windows Vista)

Identity-based Control (role-based LAN segmentation)
  Cisco NAC Appliance: limited to VLANs and ACLs
  ConSentry LANShield: full identity-based control on any combination of username, MAC and IP address, role, application, location, time of day, and endpoint posture

Application Fluency
  Cisco NAC Appliance: none in the NAC Appliance (requires external devices such as Cisco MARS)
  ConSentry LANShield: to Layer 7 (enables distinction of IM vs. web-based Oracle, for example)

Incident Response
  Cisco NAC Appliance: limited to endpoint posture incidents in the NAC Appliance (broader incident response requires Cisco MARS and other capabilities)
  ConSentry LANShield: all incidents resolved to username, policy involved, and transaction history

Role Derivation
  Cisco NAC Appliance: learned from Cisco ACS (requires Cisco's proprietary RADIUS server)
  ConSentry LANShield: learned from Active Directory or RADIUS

Enforcement by Role
  Cisco NAC Appliance: VLAN used as a proxy for role; cannot accommodate multiple roles (e.g., a CIO who is both IT and an executive)
  ConSentry LANShield: full support, including multiple roles via Active Directory groups or RADIUS attributes

Enforcement by Application
  Cisco NAC Appliance: Layer 4 information only
  ConSentry LANShield: full Layer 7 decode

Enforcement by Time of Day
  Cisco NAC Appliance: none
  ConSentry LANShield: supported

Enforcement by Location
  Cisco NAC Appliance: none
  ConSentry LANShield: supported

Anomaly Detection
  Cisco NAC Appliance: none (requires purchase of Cisco MARS)
  ConSentry LANShield: supported for zero-day malware detection, application anomalies, and inappropriate traffic sent to or from non-user devices

Reporting
  Cisco NAC Appliance: limited; NetFlow data of IP source and destination, byte counts, and time
  ConSentry LANShield: extensive; username, application name, server address or name, filename in CIFS or FTP transactions, URL in web sessions, and policy violation


Copyright © 2008, ConSentry Networks. All rights reserved.  |  1690 McCandless Drive, Milpitas, CA 95035  |  +1 408-956-2100  |  1-866-841-9100