nac macmon secure_2014
TRANSCRIPT
„Why IT Security fails without NAC“
macmon secure GmbH
German vendor of the technology – leading NAC solution macmon
Experienced team with development, support and sales located in Berlin, Germany
Development of security technologies and standards
Cooperating with research institutes and universities
A lot of experience gained and integrated from many NAC projects with customers from different sectors and of different sizes
Cooperating with further leading vendors of security technologies
Member of
You already know what NAC is about!
“… old hat that never fit right, or a security enhancement you won't miss and that, by the way, makes your life easier?”
Targets of NAC:
Systems used in the network have access to LAN resources if they have the right to use them and if they are compliant with the current security policies
NAC / Compliance
Network Access Control – NAC
Why should you implement NAC?
Compliance demands:
Bundesdatenschutzgesetz (BDSG)
Sarbanes-Oxley Act
EuroSox (EU Directive No. 8)
Basel II
KonTraG
MaRisk
DIN EN 80001-1
ISO IT security standard IEC 27001/17799, 11.4.3 Equipment identification in networks: „Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment“
BSI IT-Security baseline catalogue
Approval procedure for IT components (Safeguard 2.216): „The installation and use of non-approved IT components must be prohibited, and adherence to this restriction must be monitored.“
Network Access Control – NAC
You already know, why you should implement NAC!
Do you know for sure…
…which systems are connected to your LAN?
…that all systems in your LAN are yours?
…that nobody is sniffing your VoIP calls?
…that all your systems are secured and none of them is an entry point for attacks?
Almost funny:
Spy activities that could not have happened…
Case 1: WLAN device in a Tupperware box, buried outside of the building – not recognized, lasting for years
With macmon: immediately recognized as a new device
Case 2: Replaced printers – a „faked“ service partner replaced printers with printers containing a hard disc, keeping a copy of every printout
With macmon: shown as a new „MAC“ and blocked by policy
Do you know all systems in your network?
Trend: „Bring your own Device“ (BYOD)
Everyone loves to work with “his” device:
Employees
Guests, Visitors
Service providers, service engineers, consultants...
Dream or nightmare?
Two different interpretations of „ByoD“: handling of smartphones and other mobile devices
Network Access Control „NAC“ + ByoD portal for registration: grant network access, protect the network, offering dedicated resources, no remote access, no company property, executive demand
Mobile Device Management „MDM“: configuring the devices, control the data, admin access, remote wipe, company property, executive demand
Network Access Control – NAC
The importance of NAC in daily business
Most organizations/companies have not established any, or not sufficient, security measures.
The importance mainly increases through „Bring Your Own Device“.
The increasingly comprehensive and complex networks are often no longer manageable without suitable control systems.
Network Access Control – NAC
So why is NAC used so sparingly?
Extensive changes in the infrastructure
High investments
High need for administrative support
Small benefit, or hard to determine it
Complex subject – high investment in training
Fear of locking out the wrong person / system
macmon NAC – smartly simple
No agents or sensors needed
No need for changes in the network structure
Office branches can easily be included
Vendor independent
Event-based setting of rules
Mixed operation with & without 802.1X
Time savings through automation
Protection & network visibility
Detection and management of devices connected to switch ports (SNMP, Telnet/SSH or 802.1X)
NAC – advanced security functions
IP address identification by ARP
Network services DNS and DHCP
Enhanced device identification: footprinting
Protection against attacks: address falsification, attacks on switches, ARP spoofing / MAC spoofing
SNMP
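As an added example (not macmon code), this shows the two detections named on this slide run over a constructed set of endpoint observations of the kind a NAC system gathers from switch forwarding tables and ARP traffic: a MAC address appearing on two switch ports (MAC spoofing) and an IP address claimed by a MAC other than the one it is bound to (ARP spoofing). The log format, switch names and bindings are invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample observations (invented format), one per learned MAC/IP on a port.
EVENTS = """\
2014-03-01T08:00:01 switch=sw1 port=Gi1/0/5 mac=00:11:22:33:44:55 ip=10.0.1.20
2014-03-01T08:00:07 switch=sw1 port=Gi1/0/9 mac=00:11:22:33:44:66 ip=10.0.1.21
2014-03-01T08:01:12 switch=sw2 port=Gi1/0/2 mac=00:11:22:33:44:55 ip=10.0.1.20
2014-03-01T08:02:30 switch=sw1 port=Gi1/0/9 mac=00:11:22:33:44:66 ip=10.0.1.1
"""
# Constructed known IP-to-MAC bindings (what DHCP leases / static assignments say).
KNOWN_BINDINGS = {"10.0.1.1": "AA:BB:CC:00:00:01"}  # the default gateway

LINE = re.compile(r"(?P<ts>\S+) switch=(?P<sw>\S+) port=(?P<port>\S+) "
                  r"mac=(?P<mac>\S+) ip=(?P<ip>\S+)")

def parse(text):
    """Parse observation lines into dicts; MAC addresses are lower-cased for comparison."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["mac"] = e["mac"].lower()
            events.append(e)
    return events

def detect(events, known_bindings):
    """Return incidents as (kind, key, detail) tuples in the order they are found.
    mac_spoofing: one MAC address appears on two different switch ports.
    arp_spoofing: one IP address is claimed by a MAC other than the one bound to it."""
    mac_locations = defaultdict(set)                     # mac -> {(switch, port)}
    ip_macs = defaultdict(set, {ip: {mac.lower()} for ip, mac in known_bindings.items()})
    incidents = []
    for e in events:
        loc = (e["sw"], e["port"])
        seen = mac_locations[e["mac"]]
        if seen and loc not in seen:
            # In production, allow a roaming window (device moved ports) before alerting.
            incidents.append(("mac_spoofing", e["mac"],
                              f"seen at {sorted(seen)} and now at {loc}"))
        seen.add(loc)
        owners = ip_macs[e["ip"]]
        if owners and e["mac"] not in owners:
            incidents.append(("arp_spoofing", e["ip"],
                              f"claimed by {e['mac']}, bound to {sorted(owners)}"))
        owners.add(e["mac"])
    return incidents
```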
macmon vlan manager
„Dynamic VLANs“: the VLAN is defined through the device (MAC address ► VLAN-ID).
The users always have the correct access to the network, independent of the physical port.
Simple maintenance, no reconfiguring for moves or mobile users; no switch know-how needed by the administrator in charge
VLAN 2 Production
VLAN 99 Visitors
Guest VLAN / Office VLAN / Production VLAN
macmon IEEE 802.1X
Switch authorizes through RADIUS protocol:
− MAB (MAC Authentication Bypass)
− Identity and password, as well as AD accounts
− Certificates
Establishing security levels
VLAN management is done by macmon!
Incidents for unsuccessful attempts!
SNMP
EAP/ 802.1X
macmon 802.1X
macmon does things differently:
Smartly simple linking with AD / LDAP and other identity sources through a completely new „mapping“
Possible mixed operation – with and without 802.1X
Combination of MAB with macmon „footprinting“
Configuring groups results in automatic rule settings
Intuitive and dynamic setting of rules for exceptions
Focusing on endpoint devices results in a minimum of administrative effort
Automatic „learning“ of devices
Implementing macmon NAC
Creating a whitelist: „learning“ through Active Directory connection (802.1X)
Communicate with all switches
Only known systems in the network
Blocking unknown systems / guest LAN
Appropriate systems switched into defined VLAN
Smart GUI – intelligence in the backend
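As an added example (not macmon's code), here is the core of the whitelist decision described on this slide and on the dynamic VLAN and 802.1X slides above: the MAC identity a switch sends in a MAB request is normalised, looked up in a whitelist, and answered with the RFC 3580 VLAN attributes that move the port into the device's VLAN, while unknown devices land in the guest VLAN or are rejected and an incident is recorded. The whitelist, group names and VLAN numbers are constructed for the example.

```python
import re

# Tunnel attribute values from RFC 3580 used by 802.1X/MAB-capable switches for VLAN assignment.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE802 = 6

# Constructed whitelist (MAC -> device group) and group-to-VLAN policy; names are made up.
WHITELIST = {"00:11:22:33:44:55": "office", "00:11:22:33:44:66": "production"}
GROUP_VLAN = {"office": 10, "production": 2}
GUEST_VLAN = 99  # set to None to block unknown devices instead of isolating them

def normalize_mac(raw):
    """Canonicalise the identity a switch sends for MAB: switches format the MAC as
    001122334455, 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55, any case."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def vlan_attributes(vlan_id):
    """RADIUS attributes that tell the switch which VLAN to put the port into."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE802,
            "Tunnel-Private-Group-Id": str(vlan_id)}

def authorize(mab_identity, switch, port, whitelist=WHITELIST,
              group_vlan=GROUP_VLAN, guest_vlan=GUEST_VLAN):
    """Decide the RADIUS answer for one MAB request.
    Returns (decision, attributes, incident); incident is None for a whitelisted device."""
    try:
        mac = normalize_mac(mab_identity)
    except ValueError as exc:
        return "Access-Reject", {}, f"malformed MAB identity on {switch}/{port}: {exc}"
    group = whitelist.get(mac)
    if group is None:
        # Unknown device: isolate in the guest VLAN, or reject if no guest VLAN is configured.
        if guest_vlan is None:
            return "Access-Reject", {}, f"unknown device {mac} on {switch}/{port} blocked"
        return ("Access-Accept", vlan_attributes(guest_vlan),
                f"unknown device {mac} on {switch}/{port} moved to guest VLAN {guest_vlan}")
    # Known device: the VLAN follows the device, whatever port it is plugged into.
    return "Access-Accept", vlan_attributes(group_vlan[group]), None
```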
Time savings through automation; protection & network visibility
overview, control & comfort
macmon graphical topology
„effective graphical overview“ – macmon has all the information just by working as usual:
automatic arrangement and addition of new devices
filtering by properties such as IP address, name, VLAN, etc.
save, load and export as .SVG
find misconfigurations and maintain manual uplinks
macmon guest service
You should call it „Access Portal“
Individual layout of the captive portal
Implementing distributed entities with different layouts
Independent of the WLAN infrastructure vendor
Localization of the devices (which access point)
Reactive disconnecting of devices
Self-registration with mobile number and user name
Voucher code per SMS to the mobile phone
Creating voucher lists to be stored at the reception
Sponsor portal & BYOD portal
AD / LDAP integration
macmon „agentless multiple“ compliance
Open API for connecting with vendor-independent data sources
Antivirus connector – linking with leading anti-virus systems
Active measurement with the macmon compliance agent
Integrated IF-MAP technology
Instant raise of the ROI by using all already implemented security solutions
Endpoint security systems, e.g. WSUS or SCCM
Everything else which „knows“ a compliance status: IDS/IPS, firewall systems, vulnerability and SIEM systems
macmon client compliance
compliance agent
macmon client compliance option
scan jobs
scan results: compliant / non-compliant
Reducing use of energy & raising productivity
macmon switches the energy profiles & wakes up the PCs through WakeOnLan
− operated by time: e.g. working days from 6:00 pm / 8:00 am
− operated by event through the physical access control
− operated by the user with the macmon energy calendar
» Holidays, times of absence etc. may be configured
− To avoid risky situations such as:
» attacks, virus outbreaks, exploitation as a bot
− For executing automatic maintenance and support tasks such as:
» software updates, full virus scans, backups
macmon energy
macmon NAC – Technology partner / Linking
macmon product family
Customers
Landratsamt Augsburg
Landesamt für Steuern und Finanzen
Landratsamt Sigmaringen
Customers about the…
…advantages of macmon-NAC:
Instant network overview with graphical reports & topology
Implementation within 1 day & easy daily operating
Mixed operating with and without 802.1X
Intelligent AD integration with a dynamic setting of rules
Highly flexible „guest“ portal
Useful integrations with other leading security products
Vendor independent
Excellent vendor support
Customer – Production
Important facts
Proprietary communication systems (Feldbus, Interbus, Profibus, …) are replaced by Ethernet because of the associated costs
Robots and machines cannot be protected with normal techniques (no patch management, virus protection, password protection, login)
Consultants need to have network access for maintenance and repair jobs
Security incidents may cause personal and physical damage
Customer - Finance & Insurance
Important facts
MaRisk is in place since 1st January 2008 (through BSI and ISO standards – high security demand)
Protection of public areas with guest access is needed
ATMs and other „NAC gap“ systems in the network have to be involved in security measures
The wide area of branch offices can be controlled effectively through the live monitoring
Customer - Government
Important facts
Strict requirements from BSI and others have to be fulfilled
Through the handling of sensitive and often personal data, a very high need for security results
The live monitoring enables and facilitates control and management in large organizational structures – even worldwide
macmon allows administration with very small personnel effort
Customer - Healthcare
Important facts
The IT network, through the integration of medical devices, becomes a medical IT network and is thereby covered by medical product laws
Medical IT network and common IT network have to be separated (DIN EN 80001-1, risk management for IT networks with medical devices).
Protection of patient data and the patient-doctor relationship
For private institutes: with the rating under Basel II (in the future also EURO-SOX), the IT infrastructure is related directly to the grant of financial resources; deficits in security will reduce the bank line
Customer - Media
Important facts
Many mobile workplaces, which are often used outside or even in foreign countries
Many guests and external employees on the company premises
The live monitoring enables and facilitates control and management in large organizational structures – even worldwide
macmon allows administration with very small personnel effort
Contact
We are looking forward to talking to you!
macmon secure GmbH
Charlottenstr. 16, D-10117 Berlin
Fon +49 30 23257770
Fax +49 30 2325777-200