Nac macmon secure_2014

NAC - G
Published on: Mar 3, 2016
Published in: Technology      
Source: www.slideshare.net


Transcripts - Nac macmon secure_2014

  • 1. „Why IT Security fails without NAC“
  • 2. macmon secure GmbH: German vendor of the technology-leading NAC solution macmon
      - Experienced team with development, support and sales located in Berlin, Germany
      - Development of security technologies and standards
      - Cooperation with research institutes and universities
      - Extensive experience gained from many NAC projects with customers of different sectors and sizes
      - Cooperation with other leading vendors of security technologies
      - Member of
  • 3. Network Access Control – NAC: You already know what NAC is about! “… old hat, that never fit right, or a security enhancement you won't miss and that by the way, makes your life easier?”
      Targets of NAC: systems used in the network have access to LAN resources
      - if they have the right to use them and
      - if they are compliant with the current security policies
      (Diagram labels: NAC, Compliance)
  • 4. Network Access Control – NAC: Why should you implement NAC?
      Compliance demands:
      - Bundesdatenschutzgesetz (BDSG)
      - Sarbanes-Oxley Act
      - EuroSox (EU Directive No. 8)
      - Basel II
      - KonTraG
      - MaRisk
      - DIN EN 80001-1
      ISO IT security standard IEC 27001/17799, 11.4.3 Equipment identification in networks: „Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment“
      BSI IT-Security baseline catalogue, approval procedure for IT components (Measurement 2.216): „The installation and using of not approved IT-components has to be permitted and the adherence of the restraining has to be monitored.“
  • 5. Network Access Control – NAC: You already know why you should implement NAC! Do you know for sure…
      - …which systems are connected to your LAN?
      - …that all systems in your LAN are yours?
      - …that nobody is sniffing your VoIP calls?
      - …that all your systems are secured and none of them is an entry point for attacks?
  • 6. Nearly funny: spy activities that could not have happened…
      WLAN in a Tupperware:
      - Buried outside of the building
      - Not recognized
      - Lasting for years
      Replaced printers:
      - „Faked“ service partner
      - Printer replaced with one containing a hard disk
      - Copy of any printouts
      With macmon:
      - Immediately recognized as a new device
      - Shown as a new „MAC“ and blocked by policy
  • 7. Do you know all systems in your network? Trend: „Bring your own Device“ (BYOD). Everyone loves to work with “his” device:
      - Employees
      - Guests, visitors
      - Service providers, service engineers, consultants...
      Dream or nightmare?
  • 8. Two different interpretations of „ByoD“: handling of smartphones and other mobile devices
      Mobile Device Management „MDM“:
      - Configuring the devices
      - Control the data
      - Admin access
      - Remote wipe
      - Company property
      - Executive demand
      Network Access Control „NAC“ + ByoD portal for registration:
      - No remote access
      - Grant network access
      - Protect the network
      - Offering dedicated resources
      - No company property
      - Executive demand
  • 9. Network Access Control – NAC: The importance of NAC in daily business
      - Most organizations/companies have established no security measures, or insufficient ones.
      - Its importance is increasing, mainly because of „Bring Your Own Device“.
      - Networks are becoming ever more extensive and complex, and are often no longer manageable without suitable control systems.
  • 10. Network Access Control – NAC: So why is NAC being used so sparsely?
      - Extensive changes in the infrastructure
      - High investments
      - High need for administrative support
      - Small benefit, or one that is hard to determine
      - Complex subject, high investment in training
      - Fear of locking out the wrong person / system
  • 11. macmon NAC – smartly simple
      - No agents or sensors needed
      - No need for changes in the network structure
      - Branch offices can easily be included
      - Vendor independent
      - Event-based setting of rules
      - Mixed operation with & without 802.1X
      - Time savings through automation
      - Protection & network visibility
      Detection and management of devices connected to switch ports (SNMP, Telnet/SSH or 802.1X)
  • 12. NAC – advanced security functions
      - IP address identification by ARP
      - Network services DNS and DHCP
      - Enhanced device identification: footprinting
      - Protection against attacks: address falsification, attacks on switches, ARP spoofing / MAC spoofing
      (Diagram label: SNMP)
  • 13. macmon vlan manager: „Dynamic VLANs“. The VLAN is defined through the device (MAC address ► VLAN ID). The users always have the correct access to the network, independent of the physical port.
      - Simple maintenance, no reconfiguration for moves or mobile users
      - No switch know-how needed by the responsible administrator
      (Diagram labels: VLAN 2 Production, VLAN 99 Visitors, Guest VLAN, Office VLAN, Production VLAN)
  • 14. macmon IEEE 802.1X
      - Switch authorizes through the RADIUS protocol
          − MAB (MAC Authentication Bypass)
          − Identity and password, as well as AD accounts
          − Certificates
      - Establishing security levels
      - VLAN management is done by macmon!
      - Incidents for unsuccessful attempts!
      (Diagram labels: SNMP, EAP / 802.1X)
  • 15. macmon 802.1X: macmon does things differently
      - Smartly simple linking with AD / LDAP and other identity sources through a completely new „mapping“
      - Mixed operation possible, with and without 802.1X
      - Combination of MAB with macmon „Footprinting“
      - Configuring groups results in automatic rule settings
      - Intuitive and dynamic setting of rules for exceptions
      - Focusing on endpoint devices results in a minimum of administrative effort
      - Automatic „learning“ of devices
  • 16. Implementing macmon NAC
      - Creating a whitelist
      - „Learning“ through Active Directory connection (802.1X)
      - Communicate with all switches
      - Only known systems in the network
      - Blocking unknown systems / Guest-LAN
      - Appropriate systems switched into defined VLAN
      - Smart GUI, intelligence in the backend
      - Time savings through automation
      - Protection & network visibility
      Overview, control & comfort
  • 17. macmon graphical topology: „effective graphical overview“. macmon has all information just by working as usual:
      - Automatic arrangement and addition of new devices
      - Filtering by properties such as IP address, name, VLAN, etc.
      - Save, load and export as .SVG
      - Find misconfigurations and maintain manual uplinks
  • 18. macmon guest service: You should call it „Access-Portal“
      - Individual layout of the captive portal
      - Implementing distributed entities with different layouts
      - Independent of the WLAN infrastructure vendor
      - Localization of the devices (which access point)
      - Reactive disconnecting of devices
      - Self-registration with mobile number and user name
      - Voucher code by SMS to the mobile phone
      - Creating voucher lists to be stored at the reception
      - Sponsor portal & BYOD portal
      - AD / LDAP integration
  • 19. macmon „agentless multiple“ compliance
      - Open API for connecting with vendor-independent data sources
      - Antivirus connector: linking with leading antivirus systems
      - Active measurement with the macmon compliance agent
      - Integrated IF-MAP technology
      - Immediate increase in ROI by using all security solutions already implemented
      (Diagram labels: endpoint security systems, e.g. WSUS or SCCM; everything else which „knows“ a compliance status; IDS/IPS, firewall systems; vulnerability and SIEM systems)
  • 20. macmon client compliance (diagram labels: compliance agent, macmon client compliance option, scan results, compliant, non-compliant, scan jobs)
  • 21. macmon energy: reducing energy use & raising productivity. macmon switches the energy profiles & wakes up the PCs through WakeOnLan
      - operated by time: e.g. working days from 6:00 pm / 8:00 am
      - operated by event through the physical access control
      - operated by the user with the macmon energy calendar: holidays, times of absence etc. may be configured
      - to avoid risky situations such as: attacks, virus outbreaks, exploitation as a bot
      - for executing automatic maintenance and support tasks such as: software updates, full virus scans, backups
  • 22. macmon NAC – Technology partner / Linking
  • 23. macmon product family
  • 24. Customers: Landratsamt Augsburg, Landesamt für Steuern und Finanzen, Landratsamt Sigmaringen
  • 25. Customers about the advantages of macmon NAC:
      - Instant network overview with graphical reports & topology
      - Implementation within 1 day & easy daily operation
      - Mixed operation with and without 802.1X
      - Intelligent AD integration with dynamic setting of rules
      - Highly flexible „guest“ portal
      - Useful integrations with other leading security products
      - Vendor independent
      - Excellent vendor support
  • 26. Customer – Production: Important facts
      - Proprietary communication systems (fieldbus, Interbus, Profibus, …) are replaced by Ethernet because of the associated costs
      - Robots and machines cannot be protected with normal techniques (no patch management, virus protection, password protection, login)
      - Consultants need to have network access for maintenance and repair jobs
      - Security incidents may cause personal and physical damage
  • 27. Customer - Finance & Insurance: Important facts
      - MaRisk has been in place since 1st January 2008 (through BSI and ISO standards, high security demand)
      - Protection of public areas with guest access is needed
      - ATMs and other “NAC-GAP” systems in the network have to be included in security measures
      - The wide area of branch offices can be controlled effectively through live monitoring
  • 28. Customer - Government: Important facts
      - Strict requirements from BSI and others have to be fulfilled
      - The handling of sensitive and often personal data results in a very high need for security
      - Live monitoring enables and facilitates control and management in large organizational structures, even worldwide
      - macmon allows administration with very little personnel effort
      Customers: Landratsamt Augsburg, Landesamt für Steuern und Finanzen, Landratsamt Sigmaringen
  • 29. Customer - Healthcare: Important facts
      - Through the integration of medical devices, the IT network becomes a medical IT network and is thereby covered by medical product laws
      - Medical IT network and common IT network have to be separated (DIN EN 80001-1, Risk management for IT-networks with medical devices)
      - Protection of patient data and the patient-doctor relationship
      - For private institutes: with the Basel II rating (in the future also EURO-SOX), the IT infrastructure is directly related to the granting of financial resources; security deficits will reduce the credit line
  • 30. Customer - Media: Important facts
      - Many mobile workplaces, which are often used off-site or even in foreign countries
      - Many guests and external employees on the company premises
      - Live monitoring enables and facilitates control and management in large organizational structures, even worldwide
      - macmon allows administration with very little personnel effort
  • 31. Contact: We are looking forward to talking to you!
      macmon secure GmbH, Charlottenstr. 16, D-10117 Berlin
      Phone +49 30 23257770, Fax +49 30 2325777-200
      sales@macmon.eu, www.macmon.eu
