 |
LANShield™ OS
Intelligent Switching Software
ConSentry Networks delivers intelligent switching, making it easy for IT to control users and applications on the LAN. The ConSentry LANShield OS drives the company’s LANShield architecture, the custom programmable silicon at the heart of the LANShield product family. The ConSentry’s LANShield platforms – the LANShield Switch and LANShield Controller — tie together user, device, role, application, and destination to provide a level of business context not possible with legacy switch architectures. The LANShield OS provides this integrated context, enabling IT to align the LAN with the business and deliver the services needed to make their companies more efficient, accountable, and agile.
The LANShield silicon and OS are common to both the LANShield Switch and LANShield Controller. Both platforms provide total user and application control without sacrificing performance and with minimal impact on the existing infrastructure. ConSentry leverages existing OS authentication mechanisms, such as the Windows login. The LANShield OS enables the LANShield platforms to enforce policy directly, without the need for VLANs or ACLs in the network or supplicants or agents on the clients.
LANShield Architecture
The ConSentry LANShield OS drives the massive parallel processing capabilities of the LANShield silicon. The 128-core LANShield CPU processes 128 threads simultaneously, enabling deep packet inspection and policy enforcement. The accompanying programmable ASICs provide wire-speed forwarding on already inspected flows and session tracking for reporting and auditing. Together, the LANShield CPU and ASICs deliver full user and application control at 10 Gbps rates, maintaining wire-speed performance.
For each traffic flow, the LANShield OS binds together username, device, role, addresses, applications, and destination and applies policy. As a result, all reporting and control ties back to the user, device, and role. The OS enables active or passive authentication for users, automatically derives the role for each user or devices, and recognizes and classifies applications. LANShield OS names more than 300 applications at Layer 4, and it inspects more than 30 at Layer 7. The LANShield devices then use that application knowledge to apply policies that control what users can access.
Integration with ConSentry InSight
The LANShield OS coordinates the processing onboard a LANShield device and also interfaces with the ConSentry InSight Command Center software. InSight sends policies to the LANShield platforms via the LANShield OS, and the OS sends back to InSight extensive data about incidents, session information, user status, and other LAN security data collected by the LANShield silicon.
The OS also provides an industry-standard command line interface (CLI) for access to LANShield devices. The CLI allows IT to configure the ConSentry platform, apply user control policies, and learn user and incident information.
LANShield OS Features
| Authentication, Posture Check, Role Derivation |
Visibility |
Authentication
Passive
- Kerberos snooping
- Windows Active Directory
- Linux
- Macintosh
- RADIUS snooping
- Trusted DHCP server
Active
- Customizable captive portal
- MAC-based via RADIUS
- Whitelists of approved devices
- by MAC/IP address (including wildcards), port, or VLAN
Host Posture Check
- Dissolvable agent
Scans for known threats, anti-virus definition, servicepacks,
and custom registry keys and files
- Role-based policy
Designate which users to check
Role Derivation
- RADIUS
- Microsoft Active Directory attributes
- Physical location
- DHCP attributes
- Time of day
- Combination of above
|
Identity Awareness
- Bind username to IP/MAC address and applications
Application Classification
- Identifies 300+ applications at Layer 4
- Identifies the following applications at Layer 7
- Business Applications
· Oracle TNS
· SAP R/3
- VoIP
· SIP
· H.323
· Cisco SCCP (Skinny)
- Web/Mail
· HTTP
· SMTP
· POP3
· IMAP
- File Transfer
· FTP, FTP-Data, TFTP
· CIFS/SMB/NetBIOS
- Network Services
· DNS
· DHCP/BOOTP
· Kerberos
· SUNRPC Portmapper
· MS-RPC
· RADIUS
- Connectivity
· SSH
· Telnet
· VNC
· RTSP
· MS-Media
- IM
· MSN
· Yahoo
· AOL
- P2P
· BitTorrent
· eDonkey 2000
· Gnutella
· WinNY
· eMule
· Kazaa
· AppleJuice
· DirectConnect
|
| Identity-based Control – Policy Enforcement |
Threat Control |
Policy Features
- LANShield platforms
- integrate policy decision and policy enforcement
- Policies stored on each LANShield device
- Centralized configuration and policy distribution with ConSentry InSight Command Center
- Granular policies
- including Layer 4, Layer 7, and Layer 7 attributes (such
as file name)
Enforcement Actions
- Allow
- Deny
- TCP reset
- Mirroring, logging
Logging and Reporting
- Detailed security syslog messages
- Formatted for SIEM integration
- Integrates with ConSentry InSight Command Center
|
Worm Containment
- Prevents network meltdown by detecting and blocking worm spread
- Custom malware detection algorithms for zero-hour
and known worms
- IT can block only infected application vs. entire user
- Near-zero tuning – pre-tuned per application category
- Allows user to maintain network connectivity during
clean-up
Threat Detection
- Detects network recognizance scans
- Detects DoS attacks against servers
Packet Validity Checks
- LAND Attack
- Empty Fragment
- Micro Fragment
- ICMP Ping Of Death
- UDP Port Loopback
- Bad IP Header Len
- Bad IP Flags
- Bad IP TTL
- Bad IP Payload Len
- Bad IP Fragment Ofs
- Oversize IP Payload
- Bad IP Checksum
- Bad TCP Urgent Ofs
- TCP Short Header
- TCP Null Scan
- TCP Fragmented Hdr
- UDP Short Header
- Bad UDP Length
- TCP XMAS Scan
Management and Control
- Managed by ConSentry InSight Command Center
- SNMP v1/v2c
- Industry-standard Command Line Interface (CLI)
- Formatted syslog to multiple destinations
- Telnet
- SSH
- TFTP
- Dual administrator access levels
- RADIUS administrator authentication
|
|
|
»
