Everyone agrees that network security is the top priority these days, particularly hardware and software vendors who seem to talk about little else. There's also general agreement about the need to protect the network as a whole, rather than just the perimeter, as mobile systems blur the distinction between the "trusted" internal network and the big bad internet.
Unfortunately there's a lot less agreement about the best way of achieving security. Some vendors say software will provide the answer, in much the same way that traditional antivirus and anti-spam products have in the past. Others argue that hardware is needed to handle the huge amount of processing involved. And a number of interesting new products add weight to this argument, such as the Secure LAN Controller from US startup Consentry Networks, based on a patented Asic (application-specific integrated circuit) architecture it calls LANShield.
According to Consentry chief executive Tom Barsi, the multi-threading capability of LANShield gives its hardware the processing power to avoid becoming a bottleneck. At the European launch last month he claimed it could analyse packets at wire speed even on 10 Gigabit Ethernet networks. And with an average latency of just 50 microseconds, there is little or no impact on time-sensitive applications such as VoIP, he said.
The Secure LAN Controller also authenticates the data streams passing through it, enabling security controls to be applied at the user and group level. This makes setup and management much easier and allows reporting at a user level for regulatory compliance.
Another big plus is the ability to decode traffic all the way up to Layer 7 (the application layer) and check for malware behaviour in that traffic rather than rely on signature updates.
Of course Consentry isn't the only hardware vendor. There's a lot of big-name competition, including Cisco's Network Admission Control initiative. But Cisco's kit calls for major network changes, whereas the Secure LAN Controller can be installed inline between the backbone and workgroup switches. And unlike other security kit, there's no need for on-the-fly reconfiguration of firewalls and other perimeter defences. If the LAN Controller sees it then it can block it too.
On the downside there are several things the Consentry kit can't do. Most notably, it concentrates on detecting trojans and worms and lacks the ability to detect and block client-side spyware infections, phishing attempts and so on.
Neither can it check for base levels of security at end-points, though Consentry is looking to add this facility, probably using additional client-side software. But in the end it could be that neither hardware nor software alone offers a whole solution, so a combination of the two will be required for complete protection.





