„Why IT Security fails without NAC“

Nac macmon secure_2014


Page 1: Nac macmon secure_2014

„Why IT Security fails without NAC“

Page 2: Nac macmon secure_2014

macmon secure GmbH

German vendor of the technology-leading NAC solution macmon

Experienced team with development, support and sales located in Berlin, Germany

Development of security technologies and standards

Cooperating with research institutes and universities

Extensive experience gained from, and fed back into the product out of, many NAC projects with customers of different sectors and sizes

Cooperating with further leading vendors of security technologies

Member of

Page 3: Nac macmon secure_2014

You already know what NAC is about!

"… an old hat that never fit right, or a security enhancement you wouldn't want to be without and that, by the way, makes your life easier?"

Targets of NAC:

Systems used in the network get access to LAN resources only if they are authorized to use them and if they comply with the current security policies.

(Diagram: NAC / Compliance)

Network Access Control – NAC

Page 4: Nac macmon secure_2014

Network Access Control – NAC

Why should you implement NAC?

Compliance demands: Bundesdatenschutzgesetz (BDSG), Sarbanes-Oxley Act, EuroSOX (EU Directive No. 8), Basel II, KonTraG, MaRisk, DIN EN 80001-1

ISO IT security standard ISO/IEC 27001 / 17799, control 11.4.3 "Equipment identification in networks": "Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment."

BSI IT-Grundschutz catalogues, safeguard M 2.216 "Approval procedure for IT components": "The installation and use of non-approved IT components must be prohibited, and compliance with this prohibition must be monitored."

Page 5: Nac macmon secure_2014

Network Access Control – NAC

You already know why you should implement NAC!

Do you know for sure…

…which systems are connected to your LAN?
…that all systems in your LAN are yours?
…that nobody is sniffing your VoIP calls?
…that all your systems are secured and none of them is an entry point for attacks?

Page 6: Nac macmon secure_2014

Nearly funny:

Spy activities that could not have happened…

- A WLAN access point in a Tupperware box, buried outside the building, not recognized, operating for years. With macmon: immediately recognized as a new device.
- Replaced printers: a "fake" service partner swapped printers for models with a hard disk that kept a copy of every printout. With macmon: shown as a new "MAC" and blocked by policy.

Both detections hinge on the new device announcing a MAC address that is not on the whitelist; an attacker who clones the MAC of the device being replaced can only be caught by the footprinting and spoofing checks described on the later slides.

Page 7: Nac macmon secure_2014

Do you know all systems in your network?

Trend: "Bring Your Own Device" (BYOD)

Everyone loves to work with their own device:
- Employees
- Guests, visitors
- Service providers, service engineers, consultants...

Dream or nightmare?

Page 8: Nac macmon secure_2014

Two different interpretations of "BYOD"

Handling of smartphones and other mobile devices

Network Access Control (NAC) + BYOD portal for registration:
- No remote access
- Grant network access
- Protect the network
- Offer dedicated resources
- Not company property
- Executive demand

Mobile Device Management (MDM):
- Configure the devices
- Control the data
- Admin access
- Remote wipe
- Company property
- Executive demand

Page 9: Nac macmon secure_2014

Network Access Control – NAC

The role of NAC in daily business

Most organizations and companies have established no, or insufficient, security measures.

The relevance of NAC grows mainly through "Bring Your Own Device".

Networks that keep growing larger and more complex are often no longer manageable without suitable control systems.

Page 10: Nac macmon secure_2014

Network Access Control – NAC

So why is NAC used so sparingly?

- Extensive changes to the infrastructure
- High investment
- High need for administrative effort
- Small benefit, or benefit hard to quantify
- Complex subject, high investment in training
- Fear of locking out the wrong person or system

Page 11: Nac macmon secure_2014

macmon NAC – smartly simple

- No agents or sensors needed
- No changes to the network structure needed
- Branch offices can easily be included
- Vendor independent
- Event-based setting of rules
- Mixed operation with and without 802.1X
- Time savings through automation
- Protection and network visibility

Detection and management of devices connected to switch ports (via SNMP, Telnet/SSH or 802.1X)

Page 12: Nac macmon secure_2014

NAC – advanced security functions

- IP address identification via ARP
- Network services: DNS and DHCP
- Enhanced device identification: footprinting
- Protection against attacks: address falsification, attacks on switches, ARP spoofing / MAC spoofing

(Diagram: SNMP)
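The slide lists ARP-based IP identification and protection against ARP and MAC spoofing without showing what such a check looks like. The following is an added illustration, not macmon's code: it learns IP-to-MAC bindings from ARP traffic, tracks which switch port each MAC was seen on (the kind of data a NAC reads from the switches' bridge forwarding table, dot1dTpFdbTable, via SNMP), and raises an alert when an IP is claimed by a second MAC or a MAC shows up behind a second port. The observations, the record layout and the pinned gateway binding are constructed assumptions.

```python
"""Added example (not macmon code): ARP-spoofing and MAC-flapping detection over
constructed ARP observations. Each record is (timestamp, sender IP, sender MAC,
switch, port) as a NAC would assemble it from ARP traffic plus the switch
forwarding table read via SNMP."""
from collections import defaultdict

# Constructed sample data, not a real capture.
ARP_OBSERVATIONS = [
    (1, "10.0.0.1",  "00:11:22:33:44:01", "sw1", "Gi1/0/1"),   # default gateway
    (2, "10.0.0.50", "00:11:22:33:44:50", "sw1", "Gi1/0/5"),   # office printer
    (3, "10.0.0.1",  "00:11:22:33:44:01", "sw1", "Gi1/0/1"),   # gateway re-announces itself
    (4, "10.0.0.1",  "DE:AD:BE:EF:00:99", "sw1", "Gi1/0/12"),  # second MAC claims the gateway IP
    (5, "10.0.0.50", "00:11:22:33:44:50", "sw1", "Gi1/0/23"),  # printer MAC now behind another port
]

# Assumed: bindings the operator pins by hand so they can never be "learned" wrongly.
TRUSTED_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01"}


def detect_arp_spoofing(observations, trusted=None):
    """Return one alert per ARP record whose sender MAC differs from the MAC
    already bound to that IP. Pinned bindings take precedence over learning."""
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, ip, mac, sw, port in observations:
        mac = mac.lower()
        known = bindings.setdefault(ip, mac)   # first sighting wins unless pinned
        if known != mac:
            alerts.append({
                "ts": ts, "type": "arp_spoof", "ip": ip,
                "expected_mac": known, "seen_mac": mac, "port": f"{sw}:{port}",
            })
    return alerts


def detect_mac_flapping(observations):
    """Return one alert per record that shows a MAC on a port other than the
    one it was first seen on: either a moved device or a cloned MAC."""
    ports_by_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac, sw, port in observations:
        mac = mac.lower()
        ports_by_mac[mac].add((sw, port))
        if len(ports_by_mac[mac]) > 1:
            alerts.append({
                "ts": ts, "type": "mac_flap", "mac": mac,
                "ports": sorted(f"{s}:{p}" for s, p in ports_by_mac[mac]),
            })
    return alerts


if __name__ == "__main__":
    for alert in (detect_arp_spoofing(ARP_OBSERVATIONS, TRUSTED_BINDINGS)
                  + detect_mac_flapping(ARP_OBSERVATIONS)):
        print(alert)
```

The pinned bindings matter: a learning-only detector that sees the spoofer's ARP reply before the real gateway's will trust the spoofer and flag the gateway instead, which is why the gateway and other critical addresses should be fixed by configuration rather than learned. A MAC seen on two ports is ambiguous on its own (a laptop moved to another room looks the same as a cloned MAC), so in practice it is combined with the footprinting the slides describe.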

Page 13: Nac macmon secure_2014

macmon vlan manager

"Dynamic VLANs": the VLAN is determined by the device (MAC address ► VLAN ID).

Users always get the correct network access, independent of the physical port.

Simple maintenance: no reconfiguration on moves or for mobile users; no switch know-how needed by the administrator in charge.

(Diagram: VLAN 2 Production, VLAN 99 Visitors; Guest VLAN, Office VLAN, Production VLAN)

Page 14: Nac macmon secure_2014

macmon IEEE 802.1X

The switch authenticates endpoints via the RADIUS protocol:
- MAB (MAC Authentication Bypass)
- Identity and password, including AD accounts
- Certificates

Establishing security levels. VLAN management is done by macmon! Incidents for unsuccessful attempts!

(Diagram: SNMP; EAP / 802.1X)

Page 15: Nac macmon secure_2014

macmon 802.1X

macmon does things differently:

- Smartly simple linking with AD / LDAP and other identity sources through a completely new "mapping"
- Mixed operation possible, with and without 802.1X
- Combination of MAB with macmon "footprinting"
- Configuring groups results in automatic rule settings
- Intuitive and dynamic setting of rules for exceptions
- Focusing on endpoint devices results in minimal administrative effort
- Automatic "learning" of devices

Page 16: Nac macmon secure_2014

Implementing macmon NAC

- Creating a whitelist: "learning" through the Active Directory connection (802.1X)
- Communicate with all switches
- Only known systems in the network
- Blocking unknown systems / guest LAN
- Appropriate systems switched into a defined VLAN
- Smart GUI, intelligence in the backend
- Time savings through automation
- Protection and network visibility

Overview, control and comfort

Page 17: Nac macmon secure_2014

macmon graphical topology

"Effective graphical overview": macmon has all the information just by working as usual:

- automatic arrangement and addition of new devices
- filtering by properties such as IP address, name, VLAN, etc.
- save, load and export as .SVG
- find misconfigurations and maintain manual uplinks

Page 18: Nac macmon secure_2014

macmon guest service

You should rather call it "access portal":

- Individual layout of the captive portal
- Distributed entities with different layouts
- Independent of the WLAN infrastructure vendor
- Localization of the devices (which access point)
- Reactive disconnection of devices
- Self-registration with mobile number and user name
- Voucher code via SMS to the mobile phone
- Creating voucher lists to be kept at the reception
- Sponsor portal and BYOD portal
- AD / LDAP integration

Page 19: Nac macmon secure_2014

macmon „agentless multiple“ compliance

- Open API for connecting vendor-independent data sources
- Antivirus connector: linking with leading anti-virus systems
- Active measurement with the macmon compliance agent
- Integrated IF-MAP technology
- Immediate increase in ROI by using all security solutions already in place

Sources of a compliance status:
- Endpoint security systems, e.g. WSUS or SCCM
- Everything else that "knows" a compliance status: IDS/IPS, firewall systems, vulnerability scanners, SIEM systems
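The slides on dynamic VLANs (page 13), 802.1X and MAB (pages 14 to 16) and compliance feeds (page 19) describe the inputs of the access decision but never show the decision itself. The following is an added example, not macmon's code: one policy function that takes what the slides name (a MAC whitelist with learned footprints, an optional 802.1X identity with its AD groups, and a compliance verdict from some feed) and returns the RADIUS attributes defined in RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) that a switch uses to put the port into a VLAN. The VLAN plan, whitelist, group-to-role table and endpoint records are constructed assumptions.

```python
"""Added example (not macmon's code): the access decision behind "dynamic VLANs",
MAB alongside 802.1X and compliance-driven quarantine, expressed as the RFC 3580
RADIUS tunnel attributes a switch uses to place the port into a VLAN."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed VLAN plan; production 2 and guest 99 follow the slides, the rest is made up.
VLANS = {"production": 2, "office": 10, "quarantine": 66, "guest": 99}

# Constructed whitelist: MAC -> (footprint learned for it, VLAN role). These are
# the devices that cannot do 802.1X (printers, PLCs) and are admitted via MAB.
WHITELIST = {
    "00:11:22:33:44:50": ("printer", "office"),
    "00:11:22:33:44:60": ("plc", "production"),
}

# Assumed AD/LDAP group -> VLAN role mapping for 802.1X-authenticated identities,
# most specific group first.
GROUP_ROLES = [("Production-Engineers", "production"), ("Domain Users", "office")]


@dataclass
class Endpoint:
    mac: str
    identity: Optional[str] = None       # 802.1X user/machine identity; None means MAB
    ad_groups: Tuple[str, ...] = ()      # groups resolved for the identity (assumed feed)
    footprint: Optional[str] = None      # device class from footprinting, e.g. "printer"
    compliant: Optional[bool] = None     # None: no compliance source knows this device


def accept(vlan, reason):
    return {"code": "Access-Accept", "vlan": vlan, "reason": reason,
            "attributes": {"Tunnel-Type": "VLAN",               # RFC 3580, value 13
                           "Tunnel-Medium-Type": "IEEE-802",    # value 6
                           "Tunnel-Private-Group-Id": str(VLANS[vlan])}}


def reject(reason):
    return {"code": "Access-Reject", "vlan": None, "reason": reason, "attributes": {}}


def decide(ep, whitelist=WHITELIST):
    mac = ep.mac.lower()
    if ep.identity is not None:
        # 802.1X: the authenticated identity and its groups decide, not the MAC.
        role = next((r for g, r in GROUP_ROLES if g in ep.ad_groups), None)
        if role is None:
            return reject(f"{ep.identity}: no group maps to a VLAN")
    else:
        # MAB: the MAC must be whitelisted, and the footprint must still match
        # what was learned for it; a mismatch is treated as a cloned MAC.
        entry = whitelist.get(mac)
        if entry is None:
            return accept("guest", f"{mac}: unknown device, guest VLAN only")
        expected_fp, role = entry
        if ep.footprint is not None and ep.footprint != expected_fp:
            return reject(f"{mac}: footprint {ep.footprint!r} != {expected_fp!r} (MAC spoofing?)")
    # Quarantine only on a positive "non-compliant" verdict; devices no feed
    # knows (robots, ATMs) keep their VLAN instead of being locked out.
    if ep.compliant is False:
        return accept("quarantine", f"{mac}: non-compliant, remediation VLAN")
    return accept(role, f"{mac}: {role} VLAN")


if __name__ == "__main__":
    for ep in (Endpoint("aa:bb:cc:dd:ee:ff"),
               Endpoint("00:11:22:33:44:50", footprint="printer"),
               Endpoint("00:11:22:33:44:50", footprint="windows-pc"),
               Endpoint("00:11:22:33:44:60", footprint="plc", compliant=False),
               Endpoint("00:11:22:33:44:70", identity="jdoe", ad_groups=("Domain Users",))):
        print(decide(ep))
```

Two design points are worth noting. Unknown devices get the guest VLAN rather than a reject, which is the "blocking unknown systems / guest LAN" behaviour of page 16 and avoids the lock-out fear listed on page 10. And an unknown compliance state is not the same as non-compliant: the production and finance slides later on describe robots and ATMs that no agent or patch feed will ever vouch for, so only an explicit negative verdict moves a device into quarantine.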

Page 20: Nac macmon secure_2014

macmon client compliance

(Diagram: macmon client compliance option; compliance agent, scan jobs, scan results: compliant / non-compliant)

Page 21: Nac macmon secure_2014

Reducing use of energy & raising productivity

macmon switches energy profiles and wakes up PCs through Wake-on-LAN:
- operated by time, e.g. working days 6:00 pm / 8:00 am
- operated by event, through the physical access control system
- operated by the user with the macmon energy calendar (holidays, times of absence etc. may be configured)

Purpose:
- to avoid risky situations such as attacks, virus outbreaks, exploitation as a bot
- to execute automatic maintenance and support tasks such as software updates, full virus scans, backups

macmon energy
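The Wake-on-LAN mechanism the slide relies on is simple enough to show in full. The following is an added example, not macmon's code: it builds the magic packet (six bytes of 0xFF followed by the target MAC sixteen times, optionally a SecureOn password) and sends it as a UDP broadcast. The MAC address is a constructed sample; port 9 and the broadcast address are conventional defaults, not a requirement of the protocol.

```python
"""Added example (not macmon code): build and send a Wake-on-LAN magic packet,
the mechanism the energy slide uses to wake PCs for patching and scans."""
import re
import socket


def parse_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455; return 6 bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac, secure_on=b""):
    """Magic packet: 6 bytes of 0xFF, then the target MAC repeated 16 times,
    optionally followed by a 4- or 6-byte SecureOn password (sent in clear)."""
    if len(secure_on) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return b"\xff" * 6 + parse_mac(mac) * 16 + secure_on


def send_magic_packet(mac, broadcast="255.255.255.255", port=9, secure_on=b""):
    """Send the packet as a UDP broadcast (port 9, "discard", by convention).
    Returns the number of bytes sent. Needs a network, so the test does not call it."""
    packet = build_magic_packet(mac, secure_on)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    pkt = build_magic_packet("00:11:22:33:44:50")   # constructed sample MAC
    print(len(pkt), pkt[:12].hex())
```

The packet carries no authentication beyond the optional SecureOn value, which travels in plaintext, so anyone on the broadcast domain can wake any machine whose MAC they know. That is acceptable for a management system on a controlled network segment, and it is one more reason the woken machine should land in a VLAN chosen by the NAC rather than on whatever segment the port was last configured for.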

Page 22: Nac macmon secure_2014

macmon NAC – Technology partner / Linking

Page 23: Nac macmon secure_2014

macmon product family

Page 24: Nac macmon secure_2014

Customers

Landratsamt Augsburg
Landesamt für Steuern und Finanzen
Landratsamt Sigmaringen

Page 25: Nac macmon secure_2014

Customers about the…

…advantages of macmon-NAC:

- Instant network overview with graphical reports and topology
- Implementation within 1 day and easy daily operation
- Mixed operation with and without 802.1X
- Intelligent AD integration with dynamic setting of rules
- Highly flexible "guest" portal
- Useful integrations with other leading security products
- Vendor independent
- Excellent vendor support

Page 26: Nac macmon secure_2014

Customer – Production

Important facts:
- Proprietary communication systems (fieldbus, Interbus, Profibus, …) are being replaced by Ethernet because of the associated costs
- Robots and machines cannot be protected with normal techniques (no patch management, virus protection, password protection, login)
- Consultants need network access for maintenance and repair jobs
- Security incidents may cause personal injury and physical damage

Page 27: Nac macmon secure_2014

Customer - Finance & Insurance

Important facts:
- MaRisk has been in force since 1 January 2008 (through BSI and ISO standards: a high security demand)
- Protection of public areas with guest access is needed
- ATMs and other "NAC gap" systems in the network have to be included in the security measures
- The wide spread of branch offices can be controlled effectively through live monitoring

Page 28: Nac macmon secure_2014

Customer - Government

Important facts:
- Strict requirements from the BSI and others have to be fulfilled
- Handling sensitive and often personal data results in a very high need for security
- Live monitoring enables and facilitates control and management in large organizational structures, even worldwide
- macmon allows administration with very little personnel effort

Landratsamt Augsburg
Landesamt für Steuern und Finanzen
Landratsamt Sigmaringen

Page 29: Nac macmon secure_2014

Customer - Healthcare

Important facts:
- Through the integration of medical devices, the IT network becomes a medical IT network and is thereby covered by medical device law
- Medical IT network and common IT network have to be separated (DIN EN 80001-1, risk management for IT networks incorporating medical devices)
- Protection of patient data and the patient-doctor relationship
- For private institutions: with the Basel II rating (and in future EuroSOX as well), the IT infrastructure directly affects the granting of financial resources; security deficits will reduce the credit line

Page 30: Nac macmon secure_2014

Customer - Media

Important facts:
- Many mobile workplaces, often used outside the premises or even abroad
- Many guests and external employees on the company premises
- Live monitoring enables and facilitates control and management in large organizational structures, even worldwide
- macmon allows administration with very little personnel effort

Page 31: Nac macmon secure_2014

Contact

We are looking forward to talking to you!

macmon secure GmbH

Charlottenstr. 16, D-10117 Berlin

Phone +49 30 23257770, Fax +49 30 2325777-200

[email protected]