Smart Network Access: Intelligent and secure Network Access for people and devices


Why Smart Network Access?

The number of connected devices in enterprise networks is growing fast. In addition, the widely discussed "Internet of Things" will have a huge impact on corporate networks once all kinds of machines, devices and building control systems are connected to the company network.

The IT desk used to be responsible for providing high-performance and secure internet access to company-controlled devices. Nowadays, the mobile devices of staff, guests and suppliers also require access. Consequently, the administrative expense increases and security questions arise:

• Who gets access to the corporate network, and from which location?

• How can access rights for private devices be granted individually?

• Who can ensure that the access rights of departing employees are deleted in due time?

• How can the administrative burden be effectively reduced for access rights that are limited in time?

To fulfill stringent security and compliance requirements despite continually rising cost pressure, a growing number of companies are implementing automated Network Access Control (NAC).

Common challenges in practice

Visitors, Partners, Customers, Suppliers ... require temporary and controlled internet access. This should be granted without administrative effort, in conformity with the law and with misuse excluded.

Private Devices of Employees ... need access to the internet, email/calendar, file shares, ERP systems or the company's databases. Implementing a BYOD strategy that offers self-service management for employees represents a great challenge for the IT desk.

Company-Controlled End Devices ... such as laptops should get access via multi-level, certificate-based methods that authenticate persons as well as devices (802.1x). Successfully authenticated devices are assigned to their respective VLANs.

Not All Devices ... such as printers and medical devices support 802.1x. In this case, MAC-based access control with automatic assignment to dedicated VLANs provides effective support. Such a solution should be multi-tenant and offer interfaces to CMDB / inventory systems.

Employees, Suppliers, Consultants ... require external remote access to sub-areas of the corporate network. For this purpose, a separate account administration should grant the access, instead of allocating internal accounts.

Computers with Virtual Machines ... as well as unmanaged hubs/switches or IP phones connected to computers require special authentication procedures so that each (virtual) device can be assigned to its respective VLAN.

Architecture diagram (labels recovered from the figure): Intranet with wireless and wired access, a DMZ and a Data-Center, hosting three components:

• Authentication Server (macman): IEEE 802.1x, MAC Authentication Bypass

• Authentication Gateway (mpp): Captive-Portal, Router, Firewall, QoS

• User / Device Management (Sponsor / Device Portal): Manage Guest Accounts, Manage "My Devices", Manage "Equipment"

Solution

Smart Network Access is a highly flexible and straightforward overall solution which automates administrative tasks to a great extent and fully complies with high security standards. It consists of the following components: Macman, MPP and the Sponsoring/Device Portal.

Macman is a RADIUS server that authenticates devices and dynamically assigns them to a network segment (VLAN). Thus, the usage of private devices can be managed individually: for instance, the permitted number of devices, Quality of Service, automatic deletion of access rights and many more criteria are definable.

MPP is a Captive Portal/Router/Firewall/Content Filter, which is responsible for user authentication via web browser and for compliance with legal regulations.

The Sponsoring/Device Portal is a multi-tenant web application in the intranet which empowers employees to create guest accounts and manage their private and company-controlled devices.

All three components are synchronized automatically, so that devices/persons identified once can later be authenticated via the other procedures as well.

Scenario 1

If employees use company-controlled devices within company premises, full access is granted.

Who: Authenticated employee | Where: Company premises | What: Company-controlled device

Scenario 2

If employees use company-controlled devices outside the company premises, access can be limited.

Who: Authenticated employee | Where: Outside company premises | What: Company-controlled device

Scenario 3

Guests and visitors are provided with a controlled Public WLAN service with SMS authentication.

Who: Guest | Where: Company premises | What: Private device

Scenario 4

Impersonal devices such as machines, printers, medical devices etc. are automatically assigned to the respective VLAN or security zone.

Who: Unknown | Where: Company premises | What: Impersonal device

Secure and flexible

Other NAC solutions apply the "all or nothing" principle, which means that network access is either fully granted or denied. CloudGuard's Smart Network Access, however, is based on a dynamic approach: each device gets as much access as its level of trust warrants. Thus, multi-level zone concepts are realizable.

The following diagram depicts possible rules for secure access to your company's network. Three questions about the access request:

Who are you? • Authenticate the user (Certificates, Passwords, SSO)

Where are you? • Access Location (wireless, wired, VPN)

What device are you on? • Secure Device • Protected Container (MDM) • Private Device (BYOD) • Public Device (e.g. Internet Station)

DEFINE

What you can do • Firewall • Content Filter

Where you can go • Source-based Routing • Access control lists (ACL)

The Service Level you receive • Quality of Service (QoS) • Bandwidth Management

The Smart Network Access solution of CloudGuard manages the appropriate network access for all people and their devices, independent of their place of use.

Resulting access levels (from the diagram): Full Access, Slightly Limited Access, Functionally Required Access, Controlled Internet Access
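The two mechanisms described above, a RADIUS server that answers an authentication with a VLAN (Macman) and the who/where/what rules that define how much access a device gets, can be shown as a small authorization policy. The following is an added example written for this page; it is not CloudGuard's code and does not use any Macman API. It uses the standard RFC 3580 attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=VLAN id) that a switch or WLAN controller evaluates to place a port in a VLAN; the VLAN numbers, logins, MAC addresses and the per-employee BYOD limit are constructed sample data. It covers the four scenarios (802.1x on and off premises, BYOD via MAC Authentication Bypass, impersonal devices), plus two of the automatic behaviours the brochure lists: the device limit per employee and blocking the devices of departed employees.

```python
"""Dynamic VLAN assignment policy for a NAC authentication server (added example,
not CloudGuard's Macman). Inventory, logins and VLAN numbers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 3580 values used for VLAN assignment (standard constants).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed VLAN plan matching the four scenarios in the text (assumed numbers).
VLAN_FULL = "10"        # authenticated employee, company device, on premises
VLAN_LIMITED = "20"     # authenticated employee, company device, off premises
VLAN_INTERNET = "30"    # private (BYOD) and guest devices: internet only
VLAN_IMPERSONAL = "40"  # printers, medical devices, machines (MAB only)
VLAN_ONBOARDING = "99"  # unknown MAC: isolated, self-registration portal only


def normalize_mac(mac: str) -> str:
    """Switches send MACs as 'AA-BB-..', 'aabb.cc..' or 'aa:bb:..'; compare one form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Employee:
    login: str
    active: bool = True           # set to False when the employee leaves
    max_private_devices: int = 2  # BYOD limit per employee (assumed value)


@dataclass
class Device:
    mac: str
    owner: Optional[str]          # employee login; None for impersonal devices
    company_controlled: bool
    device_class: str


@dataclass
class Inventory:
    """Stand-in for the CMDB / device portal data the authentication server reads."""
    employees: Dict[str, Employee] = field(default_factory=dict)
    devices: Dict[str, Device] = field(default_factory=dict)

    def private_devices_of(self, login: str) -> List[Device]:
        return [d for d in self.devices.values()
                if d.owner == login and not d.company_controlled]

    def register_private_device(self, login: str, mac: str, device_class: str) -> bool:
        """Self-service BYOD registration; enforces the per-employee device limit."""
        emp = self.employees.get(login)
        if emp is None or not emp.active:
            return False
        if len(self.private_devices_of(login)) >= emp.max_private_devices:
            return False
        key = normalize_mac(mac)
        self.devices[key] = Device(key, login, False, device_class)
        return True

    def offboard(self, login: str) -> None:
        """Departing employee: every later access by their devices is rejected."""
        self.employees[login].active = False


def accept(vlan: str) -> dict:
    return {"code": "Access-Accept", "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802, "Tunnel-Private-Group-ID": vlan}


def reject(reason: str) -> dict:
    return {"code": "Access-Reject", "reason": reason}


def authorize(inv: Inventory, mac: str, method: str,
              user: Optional[str], on_premises: bool) -> dict:
    """Decide the RADIUS reply for one request.
    method: "dot1x" (identity from certificate/password in `user`) or "mab"."""
    device = inv.devices.get(normalize_mac(mac))
    if method == "dot1x":
        emp = inv.employees.get(user or "")
        if emp is None or not emp.active:
            return reject("unknown or departed user")
        if device is None or device.owner != user or not device.company_controlled:
            return reject("not a company-controlled device of this user")
        return accept(VLAN_FULL if on_premises else VLAN_LIMITED)
    if method == "mab":
        if device is None:
            return accept(VLAN_ONBOARDING)  # isolate; never grant silently
        if device.owner is None:
            return accept(VLAN_IMPERSONAL) if on_premises else reject("impersonal device off premises")
        emp = inv.employees.get(device.owner)
        if emp is None or not emp.active:
            return reject("owner departed: device blocked")
        if device.company_controlled:
            return reject("company device must authenticate with 802.1x")
        return accept(VLAN_INTERNET)
    return reject(f"unsupported method {method}")


def sample_inventory() -> Inventory:
    """Constructed sample CMDB extract."""
    inv = Inventory()
    inv.employees["alice"] = Employee("alice")
    inv.employees["bob"] = Employee("bob")
    inv.devices["00:11:22:33:44:55"] = Device("00:11:22:33:44:55", "alice", True, "laptop")
    inv.devices["00:11:22:33:44:66"] = Device("00:11:22:33:44:66", "bob", True, "laptop")
    inv.devices["aa:bb:cc:dd:ee:01"] = Device("aa:bb:cc:dd:ee:01", None, True, "printer")
    return inv
```

Two design points worth noting: an unknown MAC is not rejected but placed in an isolated onboarding VLAN, which is what makes self-registration possible without ever granting a stranger network access, and a company-controlled device that shows up via MAB instead of 802.1x is rejected, since a spoofed MAC would otherwise inherit the device's trust. A production RADIUS server additionally tags the tunnel attributes and may add QoS or ACL attributes, which this example omits.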

CloudGuard products - the optimal "Add-on" for existing environments

CloudGuard Add-on for Your "Guest Access"

• Straightforward self-registration via SMS authentication
• Multi-level authentication (e.g. password and SMS)
• Payment access (voucher, credit card, premium SMS)
• Individually configurable, location-specific landing pages (e.g. for local information, advertisements)
• Automatic recognition of guests (no multiple login)
• Multi-tenant user/device management with individual access rights
• Individual QoS profiles based on guest types (VIP, standard guest, etc.)
• Strictly separated storage of account data for external and internal accounts
• Integration into customer-specific databases (clinic information systems, hospitality solutions such as Amadeus, Fidelio, etc.)
• Compliance with local/legal requirements
• Decentralized satellites for local break-out of Internet traffic in branches / subsidiaries

CloudGuard Add-on for Your "BYOD Strategy"

• Straightforward password generation for private devices (no installation of apps or certificates)
• No internal (AD) credentials on private devices (security)
• No multiple logins (automatic re-connect)
• Strictly separated storage of account data for "unsecured" and company-controlled devices
• Possibility to limit the number of private devices allowed per employee
• Automatic blocking of departing employees' devices
• Automatic import from or synchronization with inventory databases and CMDB (e.g. mobile phones, tablets, medical devices etc.)
• Intuitive interface for the management of private devices
• Highest usability

CloudGuard Add-on for the Management of Internal Devices

• Straightforward, multi-tenant delegation of the device management to departments and customers
• 802.1x, MAC authentication bypass (MAB) and web authentication
• Simple on-boarding of all devices (WLAN and fixed network)
• Automatic assignment of the devices to the respective VLANs or security zones
• Multi-domain authentication (for IP telephones/PCs, hubs and PCs with VMs)
• Automatic import from or synchronization with inventory databases and CMDB (e.g. mobile phones, tablets, medical devices etc.)
• Comprehensive reporting and monitoring possibilities

Many customers already have security solutions from leading suppliers in place. However, they are often unhappy with the complexity of the product's administration. Sometimes important functions are simply missing, such as self-registration, straightforward onboarding or compliance with local laws. For these and further reasons, the solutions of CloudGuard can offer real added value to your existing installation.

Advantages of CloudGuard‘s Smart Network Access

CloudGuard offers the currently most flexible Network Access Control solution on the market. The unique solution is customized to our client's needs and is subject to further development.

Thanks to its flexibility, the solution can be optimally integrated into existing environments. Active Directory, LDAP or RADIUS servers, user-specific databases, etc. allow for the automatic transfer of user data.

Reduced administrative overhead regarding the management of devices, guests and external employees, thanks to multi-tenant delegation of administration and various self-service applications.

All conventional authentication methods are supported: 802.1x, MAC authentication, web authentication, SMS authentication, voucher, credit cards etc.


Control remains with the network manager who benefits from overviews of authorized accesses and extensive logging capabilities for traceability purposes.

Summary

CloudGuard's Smart Network Access is the optimal network access control solution for complex company environments with many requirements and devices. Furthermore, it is an ideal enhancement to existing solutions such as Identity Services Engine (ISE) from Cisco Systems®*, Meraki®* or Aruba ClearPass Access Management System®™. In this way, missing functionality such as integration with a company-specific ERP or CMDB system, or multi-tenant delegation of administration, can be provided. Tell us your plans and requirements. It would be a pleasure for us to support your Network Access Control project.

Who is CloudGuard?

Since 2004, CloudGuard has been developing software solutions for Network Access Control (NAC), Bring-Your-Own-Device (BYOD), Guest Access and wireless communication in public transport vehicles. By now, more than 100 companies (such as banks, insurers, hospitals and transportation companies) benefit from the advantages of CloudGuard's software.

Extract from our Customer List

Universitätsspitäler Basel, Zürich and Bern: Guest Access

Aargauische Kantonalbank: Guest Access, BYOD

SBB, Postauto: WiFi Access for passengers

Flughafen Zürich: Device Management

The Dolder Grand Hotel: Device Management, Guest Access

Opernhaus Zürich: Guest Access

Fachhochschule Nordwestschweiz: Network Access Control

Migros: Guest Access, BYOD

*Cisco® Identity Services Engine (ISE) and Meraki® are registered trademarks of Cisco Systems, Inc. in the United States and certain other countries.

CloudGuard Software AG • Zurich • Switzerland

Tel: +41 55 214 18 00 • [email protected]

www.cloudguard.ch