Nac macmon secure_2014
![Page 1: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/1.jpg)
"Why IT security fails without NAC"
![Page 2: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/2.jpg)
macmon secure GmbH
German vendor of the technology-leading NAC solution macmon
Experienced team; development, support and sales located in Berlin, Germany
Development of security technologies and standards
Cooperating with research institutes and universities
Extensive experience gained from many NAC projects with customers from different sectors and of different sizes, fed back into the product
Cooperating with other leading vendors of security technologies
Member of
![Page 3: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/3.jpg)
Network Access Control – NAC
You already know what NAC is about!
"... an old hat that never fit right, or a security enhancement you won't want to miss and that, by the way, makes your life easier?"
Goals of NAC:
Systems used in the network get access to LAN resources only if they are entitled to use them and comply with the current security policies.
(Diagram: NAC, Compliance)
![Page 4: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/4.jpg)
Network Access Control – NAC
Why should you implement NAC?
Compliance demands: Bundesdatenschutzgesetz (BDSG), Sarbanes-Oxley Act, EuroSOX (EU Directive No. 8), Basel II, KonTraG, MaRisk, DIN EN 80001-1
ISO/IEC 27001 / 17799, section 11.4.3 "Equipment identification in networks": "Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment."
BSI IT baseline protection catalogues (IT-Grundschutz), safeguard M 2.216 "Approval procedure for IT components": "The installation and use of non-approved IT components must be prohibited, and compliance with this prohibition must be monitored."
![Page 5: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/5.jpg)
Network Access Control – NAC
You already know why you should implement NAC!
Do you know for sure...
...which systems are connected to your LAN?
...that all systems in your LAN are yours?
...that nobody is sniffing your VoIP calls?
...that all your systems are secured and none of them is an entry point for attacks?
![Page 6: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/6.jpg)
Almost funny:
Spying activities that could not have happened...
A WLAN access point in a Tupperware box, buried outside the building: not detected, in operation for years.
Replaced printers: a "fake" service partner swapped in a printer with a hard disk and kept a copy of every printout.
With macmon: immediately recognized as a new device, shown as a new "MAC" and blocked by policy.
![Page 7: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/7.jpg)
Do you know all systems in your network?
Trend: "Bring your own device" (BYOD)
Everyone loves to work with "their own" device:
Employees
Guests, visitors
Service providers, service engineers, consultants...
Dream or nightmare?
![Page 8: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/8.jpg)
Two different interpretations of "BYOD": handling of smartphones and other mobile devices

| Network Access Control (NAC) + BYOD portal for registration | Mobile Device Management (MDM) |
| --- | --- |
| No remote access | Configuring the devices |
| Grant network access | Control of the data |
| Protect the network | Admin access |
| Offer dedicated resources | Remote wipe |
| Not company property | Company property |
| Executive demand | Executive demand |
![Page 9: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/9.jpg)
Network Access Control – NAC
The relevance of NAC in day-to-day business
Most organizations and companies have not established any, or only insufficient, security measures.
Its relevance is growing mainly because of "Bring Your Own Device".
Increasingly comprehensive and complex networks are often no longer manageable without suitable control systems.
![Page 10: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/10.jpg)
Network Access Control – NAC
So why is NAC used so sparingly?
Extensive changes to the infrastructure
High investment
High need for administrative effort
Small benefit, or one that is hard to quantify
Complex subject, high investment in training
Fear of locking out the wrong person or system
![Page 11: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/11.jpg)
macmon NAC – smartly simple
No agents or sensors needed
No changes to the network structure needed
Branch offices can easily be included
Vendor independent
Event-based rule setting
Mixed operation with and without 802.1X
Time savings through automation
Protection & network visibility
Detection and management of devices connected to switch ports (via SNMP, Telnet/SSH or 802.1X)
![Page 12: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/12.jpg)
NAC – advanced security functions
IP address identification via ARP
Network services DNS and DHCP
Enhanced device identification: footprinting
Protection against attacks: address falsification, attacks on switches, ARP spoofing / MAC spoofing
(Diagram label: SNMP)
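The checks behind the "ARP spoofing / MAC spoofing" item, as an added worked example (this is not macmon's code; the MAC addresses, IP addresses, the switch name "sw-berlin-01", port numbers and timestamps are all constructed for the example): ARP observations give IP-to-MAC, the switches' forwarding tables give MAC-to-port, and a NAC correlates the two to name the port to isolate.

```python
"""
ARP / MAC spoofing detection by correlating ARP observations with the
switches' forwarding tables. Added example, not macmon's own code.

All input is constructed for the example:
  ARP_OBSERVATIONS  (timestamp, ip, mac)           from ARP replies / router ARP cache
  FDB_OBSERVATIONS  (timestamp, mac, switch, port) from bridge forwarding tables (SNMP)
  AUTHORIZED        mac -> (ip, switch, port)      what the NAC learned for known devices
"""
from collections import defaultdict

AUTHORIZED = {
    "00:11:22:33:44:55": ("10.0.1.10", "sw-berlin-01", 3),   # workstation
    "aa:bb:cc:dd:ee:01": ("10.0.1.1",  "sw-berlin-01", 48),  # default gateway
    "00:50:56:ab:cd:ef": ("10.0.1.20", "sw-berlin-01", 7),   # printer
}

ARP_OBSERVATIONS = [
    (100, "10.0.1.10", "00:11:22:33:44:55"),
    (101, "10.0.1.1",  "aa:bb:cc:dd:ee:01"),
    (102, "10.0.1.20", "00:50:56:ab:cd:ef"),
    (130, "10.0.1.1",  "de:ad:be:ef:00:01"),  # a second MAC answers for the gateway
]

FDB_OBSERVATIONS = [
    (100, "00:11:22:33:44:55", "sw-berlin-01", 3),
    (101, "aa:bb:cc:dd:ee:01", "sw-berlin-01", 48),
    (102, "00:50:56:ab:cd:ef", "sw-berlin-01", 7),
    (130, "de:ad:be:ef:00:01", "sw-berlin-01", 12),
    (140, "00:50:56:ab:cd:ef", "sw-berlin-01", 12),  # printer MAC cloned on port 12
]


def normalize_mac(mac):
    """Canonical lowercase aa:bb:cc:dd:ee:ff; accepts 'AA-BB-..', 'aabb.ccdd.eeff', 'aabbccddeeff'."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def arp_conflicts(arp_obs):
    """IP addresses claimed by more than one MAC (ARP spoofing or an address conflict)."""
    by_ip = defaultdict(set)
    for _, ip, mac in arp_obs:
        by_ip[ip].add(normalize_mac(mac))
    return {ip: macs for ip, macs in by_ip.items() if len(macs) > 1}


def mac_moves(fdb_obs, authorized):
    """Known MACs seen on a port other than the one they were learned on.
    On its own this is normal (notebooks move); a VLAN manager reacts to it,
    it is not yet an incident."""
    moves = []
    for _, mac, switch, port in fdb_obs:
        mac = normalize_mac(mac)
        if mac in authorized and (switch, port) != authorized[mac][1:]:
            moves.append((mac, authorized[mac][1:], (switch, port)))
    return moves


def mac_duplicates(fdb_obs, window=60):
    """Same MAC on two different ports within `window` seconds: a device that
    really moved disappears from the old port first, a cloned MAC does not."""
    last_seen, dups = {}, []
    for ts, mac, switch, port in sorted(fdb_obs):
        mac = normalize_mac(mac)
        prev = last_seen.get(mac)
        if prev and prev[1:] != (switch, port) and ts - prev[0] <= window:
            dups.append((mac, prev[1:], (switch, port)))
        last_seen[mac] = (ts, switch, port)
    return dups


def analyze(arp_obs, fdb_obs, authorized):
    """Turn the raw findings into incidents that name the port to isolate."""
    port_of = {normalize_mac(m): (sw, p) for _, m, sw, p in fdb_obs}
    incidents = []
    for ip, macs in arp_conflicts(arp_obs).items():
        legit = {m for m, (a_ip, _, _) in authorized.items() if a_ip == ip}
        for rogue in sorted(macs - legit):
            incidents.append(("arp-spoof", ip, rogue, port_of.get(rogue)))
    for mac, first, second in mac_duplicates(fdb_obs):
        incidents.append(("mac-spoof", mac, first, second))
    return incidents


if __name__ == "__main__":
    for incident in analyze(ARP_OBSERVATIONS, FDB_OBSERVATIONS, AUTHORIZED):
        print(*incident)
```

The point of correlating rather than watching ARP alone: a second MAC answering for the gateway address is the attack signature, but the forwarding table is what names the port to shut down; and the same MAC appearing on two ports within seconds is what separates a cloned address from a notebook that was simply replugged elsewhere, the normal case a VLAN manager handles silently.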
![Page 13: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/13.jpg)
macmon vlan manager
"Dynamic VLANs": the VLAN is determined by the device (MAC address ► VLAN ID).
Users always get the correct network access, independent of the physical port.
Simple maintenance: no reconfiguration when people move or for mobile users; no switch know-how needed by the administrator in charge.
(Diagram: VLAN 2 Production, VLAN 99 Visitors; Guest VLAN, Office VLAN, Production VLAN)
![Page 14: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/14.jpg)
macmon IEEE 802.1X
The switch authenticates endpoints via the RADIUS protocol:
− MAB (MAC Authentication Bypass)
− Identity and password, including AD accounts
− Certificates
Establishing security levels
VLAN management is done by macmon!
Incidents for unsuccessful attempts!
(Diagram labels: SNMP, EAP/802.1X)
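How the MAC-to-VLAN mapping of the VLAN manager and the MAB option on this slide fit together on the wire, as an added example (not macmon's code): a minimal RADIUS-side MAB decision and the RFC 3580 attributes an Access-Accept carries to tell the switch which VLAN to put the port in. The whitelist, VLAN numbers and MAC addresses are constructed; the attribute numbers and values are those of RFC 2868 and RFC 3580.

```python
"""
MAC Authentication Bypass (MAB) decision and RFC 3580 dynamic VLAN assignment,
as a RADIUS server would do it for a switch. Added example, not macmon's code.

Whitelist, VLAN numbers and MACs are constructed. The attribute encoding follows
RFC 2868 (tagged tunnel attributes) with the values RFC 3580 assigns to VLANs:
  64 Tunnel-Type = 13 (VLAN)
  65 Tunnel-Medium-Type = 6 (IEEE-802)
  81 Tunnel-Private-Group-ID = VLAN ID as a string
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

WHITELIST = {          # constructed: MAC -> (description, VLAN ID)
    "00:11:22:33:44:55": ("workstation", 10),
    "00:50:56:ab:cd:ef": ("printer", 20),
}
GUEST_VLAN = 99


def normalize_mac(mac):
    """Switches send the MAC as User-Name in vendor-specific spellings
    (001122334455, 00-11-22-33-44-55, 0011.2233.4455); canonicalise first."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def tagged_int(attr_type, value, tag=1):
    """RFC 2868 tagged integer: Type, Length=6, Tag, 3-byte big-endian value."""
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_str(attr_type, value, tag=1):
    """RFC 2868 tagged string: Type, Length, Tag, bytes."""
    data = value.encode("ascii")
    return struct.pack(">BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan_id, tag=1):
    """The three attributes an Access-Accept needs to put the port into `vlan_id`."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"invalid VLAN ID {vlan_id}")
    return (tagged_int(TUNNEL_TYPE, VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802, tag)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def decode_vlan(attrs):
    """Walk the attribute TLVs and return the VLAN from Tunnel-Private-Group-ID.
    RFC 2868: a first value byte <= 0x1f is a tag, anything larger is already data."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        value = attrs[i + 2:i + alen]
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:
                value = value[1:]
            return int(value.decode("ascii"))
        i += alen
    return None


def mab_decision(user_name, whitelist, unknown_policy="guest", guest_vlan=GUEST_VLAN):
    """Return (RADIUS code, VLAN attributes or None) for a MAB request.
    unknown_policy: 'guest' puts unknown MACs into the guest VLAN, 'reject' blocks them."""
    try:
        mac = normalize_mac(user_name)
    except ValueError:
        return ("not-mab", None)   # a real user name: belongs to the 802.1X/EAP path
    if mac in whitelist:
        return ("Access-Accept", vlan_attributes(whitelist[mac][1]))
    if unknown_policy == "guest":
        return ("Access-Accept", vlan_attributes(guest_vlan))
    return ("Access-Reject", None)


if __name__ == "__main__":
    for name in ("00-11-22-33-44-55", "deadbeef0001", "jdoe"):
        code, attrs = mab_decision(name, WHITELIST)
        print(name, code, attrs.hex() if attrs else None, decode_vlan(attrs) if attrs else None)
```

MAB authenticates nothing but the MAC address, which any host can set; that is why the combination of MAB with footprinting on the next slide matters, and why unknown MACs should land in a guest VLAN (or be rejected) rather than in the office VLAN. Some switches expect a VLAN name instead of a number in Tunnel-Private-Group-ID; the encoding is the same.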
![Page 15: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/15.jpg)
macmon 802.1X
macmon does things differently:
Smartly simple linking with AD / LDAP and other identity sources through a completely new "mapping"
Mixed operation possible, with and without 802.1X
Combination of MAB with macmon "footprinting"
Configuring groups results in automatic rule settings
Intuitive and dynamic rule settings for exceptions
Focusing on endpoint devices results in minimal administrative effort
Automatic "learning" of devices
![Page 16: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/16.jpg)
Implementing macmon NAC
Creating a whitelist: "learning", or via the Active Directory connection (802.1X)
Communicate with all switches
Only known systems in the network
Blocking unknown systems / guest LAN
Appropriate systems switched into a defined VLAN
Smart GUI, intelligence in the backend
Time savings through automation
Protection & network visibility
Overview, control & comfort
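What "communicate with all switches" and "learning" a whitelist look like in practice, as an added example for this slide and for the agentless detection via SNMP named on the "smartly simple" slide (not macmon's code): parsing the bridge forwarding table of one switch into a MAC-to-port inventory and diffing it against a whitelist. The snmpwalk output, the MAC addresses, interface names, uplink port and whitelist are constructed; the OIDs are the standard BRIDGE-MIB and IF-MIB ones.

```python
"""
Agentless device inventory from a switch's bridge forwarding table (SNMP),
checked against a whitelist. Added example, not macmon's own code.

SNMPWALK_OUTPUT is constructed in the shape `snmpwalk -On` prints for:
  1.3.6.1.2.1.17.4.3.1.1  dot1dTpFdbAddress     index = the MAC as six decimal octets
  1.3.6.1.2.1.17.4.3.1.2  dot1dTpFdbPort        bridge port the MAC was learned on
  1.3.6.1.2.1.17.4.3.1.3  dot1dTpFdbStatus      3 = learned, 4 = self (the switch's own MAC)
  1.3.6.1.2.1.17.1.4.1.2  dot1dBasePortIfIndex  bridge port -> ifIndex
  1.3.6.1.2.1.2.2.1.2     ifDescr               ifIndex -> interface name
"""
import re

SNMPWALK_OUTPUT = """\
.1.3.6.1.2.1.17.4.3.1.1.0.17.34.51.68.85 = Hex-STRING: 00 11 22 33 44 55
.1.3.6.1.2.1.17.4.3.1.1.0.80.86.171.205.239 = Hex-STRING: 00 50 56 AB CD EF
.1.3.6.1.2.1.17.4.3.1.1.170.187.204.221.238.1 = Hex-STRING: AA BB CC DD EE 01
.1.3.6.1.2.1.17.4.3.1.1.222.173.190.239.0.1 = Hex-STRING: DE AD BE EF 00 01
.1.3.6.1.2.1.17.4.3.1.1.0.30.103.1.2.3 = Hex-STRING: 00 1E 67 01 02 03
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.80.86.171.205.239 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.170.187.204.221.238.1 = INTEGER: 48
.1.3.6.1.2.1.17.4.3.1.2.222.173.190.239.0.1 = INTEGER: 12
.1.3.6.1.2.1.17.4.3.1.2.0.30.103.1.2.3 = INTEGER: 0
.1.3.6.1.2.1.17.4.3.1.3.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.3.0.80.86.171.205.239 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.3.170.187.204.221.238.1 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.3.222.173.190.239.0.1 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.3.0.30.103.1.2.3 = INTEGER: 4
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.1.4.1.2.7 = INTEGER: 10007
.1.3.6.1.2.1.17.1.4.1.2.12 = INTEGER: 10012
.1.3.6.1.2.1.17.1.4.1.2.48 = INTEGER: 10048
.1.3.6.1.2.1.2.2.1.2.10003 = STRING: GigabitEthernet1/0/3
.1.3.6.1.2.1.2.2.1.2.10007 = STRING: GigabitEthernet1/0/7
.1.3.6.1.2.1.2.2.1.2.10012 = STRING: GigabitEthernet1/0/12
.1.3.6.1.2.1.2.2.1.2.10048 = STRING: GigabitEthernet1/0/48
"""

FDB_ADDRESS, FDB_PORT, FDB_STATUS = ("1.3.6.1.2.1.17.4.3.1.1", "1.3.6.1.2.1.17.4.3.1.2",
                                     "1.3.6.1.2.1.17.4.3.1.3")
PORT_IFINDEX, IFDESCR = "1.3.6.1.2.1.17.1.4.1.2", "1.3.6.1.2.1.2.2.1.2"
LEARNED = 3

WHITELIST = {"00:11:22:33:44:55": "workstation", "00:50:56:ab:cd:ef": "printer"}  # constructed
UPLINKS = {"GigabitEthernet1/0/48"}  # maintained by hand: MACs behind an uplink are not local devices

LINE = re.compile(r"^\.?(?P<oid>[\d.]+) = (?P<type>[\w-]+): ?(?P<value>.*)$")


def parse_snmpwalk(text):
    """{oid: value}; Hex-STRING becomes aa:bb:cc:dd:ee:ff, INTEGER becomes int."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        oid, vtype, value = m.group("oid", "type", "value")
        if vtype == "INTEGER":
            value = int(value)
        elif vtype == "Hex-STRING":
            value = ":".join(value.lower().split())
        elif vtype == "STRING":
            value = value.strip('"')
        table[oid] = value
    return table


def column(table, prefix):
    """Entries under `prefix`, keyed by the index part of the OID."""
    return {oid[len(prefix) + 1:]: v for oid, v in table.items() if oid.startswith(prefix + ".")}


def inventory(snmpwalk_text, uplinks=frozenset()):
    """MAC -> interface for addresses the switch learned on its own access ports."""
    t = parse_snmpwalk(snmpwalk_text)
    addrs, ports, status = column(t, FDB_ADDRESS), column(t, FDB_PORT), column(t, FDB_STATUS)
    ifindex, ifdescr = column(t, PORT_IFINDEX), column(t, IFDESCR)
    devices = {}
    for idx, mac in addrs.items():
        if status.get(idx, LEARNED) != LEARNED or idx not in ports:
            continue  # the switch's own address, or an incomplete row
        iface = ifdescr.get(str(ifindex.get(str(ports[idx]))), f"bridge-port-{ports[idx]}")
        if iface in uplinks:
            continue
        devices[mac] = iface
    return devices


def unknown_devices(devices, whitelist):
    """Everything in the inventory the whitelist does not know: block it or send it to the guest VLAN."""
    return {mac: iface for mac, iface in devices.items() if mac not in whitelist}


if __name__ == "__main__":
    seen = inventory(SNMPWALK_OUTPUT, UPLINKS)
    for mac, iface in unknown_devices(seen, WHITELIST).items():
        print(f"unknown device {mac} on {iface}")
```

Two things bite in real deployments: many switches expose the forwarding table per VLAN (Cisco with community@vlan indexing, or via the Q-BRIDGE-MIB dot1qTpFdbTable instead of dot1dTpFdbTable), so the walk has to be repeated per VLAN; and a NAC that polls and reconfigures every switch holds SNMP credentials for the whole network, so use SNMPv3 with authentication and privacy rather than v2c community strings, and limit write access to what VLAN assignment needs.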
![Page 17: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/17.jpg)
macmon graphical topology
"Effective graphical overview": macmon already has all the information from its normal operation:
automatic arrangement and addition of new devices
filtering by properties such as IP address, name, VLAN, etc.
save, load and export as .SVG
find misconfigurations and maintain manual uplinks
![Page 18: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/18.jpg)
macmon guest service
You should call it "access portal"
Individual layout of the captive portal
Distributed sites with different layouts
Independent of the WLAN infrastructure vendor
Localization of the devices (which access point)
Reactive disconnection of devices
Self-registration with mobile number and user name
Voucher code per SMS to the mobile phone
Creating voucher lists to be kept at the reception
Sponsor portal & BYOD portal
AD / LDAP integration
![Page 19: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/19.jpg)
macmon "agentless multiple" compliance
Open API for connecting vendor-independent data sources
Antivirus connector: linking with leading anti-virus systems
Active measurement with the macmon compliance agent
Integrated IF-MAP technology
Instant increase of the ROI by using all already implemented security solutions
Data sources: endpoint security systems; e.g. WSUS or SCCM; IDS/IPS and firewall systems; vulnerability and SIEM systems; everything else that "knows" a compliance status
![Page 20: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/20.jpg)
macmon client compliance
(Diagram: macmon client compliance option, compliance agent, scan jobs, scan results: compliant / non-compliant)
![Page 21: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/21.jpg)
Reducing energy use & raising productivity
macmon energy
macmon switches energy profiles and wakes up PCs via Wake-on-LAN:
− time-controlled, e.g. on working days 6:00 pm / 8:00 am
− event-controlled via the physical access control system
− user-controlled with the macmon energy calendar
» holidays, periods of absence etc. can be configured
− to avoid risky situations such as:
» attacks, virus outbreaks, exploitation as a bot
− to run automatic maintenance and support tasks such as:
» software updates, full virus scans, backups
![Page 22: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/22.jpg)
macmon NAC – Technology partner / Linking
![Page 23: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/23.jpg)
macmon product family
![Page 24: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/24.jpg)
Customers
Landratsamt Augsburg
Landesamt für Steuern und Finanzen
Landratsamt Sigmaringen
![Page 25: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/25.jpg)
Customers about the...
...advantages of macmon NAC:
Instant network overview with graphical reports & topology
Implementation within 1 day & easy daily operation
Mixed operation with and without 802.1X
Intelligent AD integration with dynamic rule settings
Highly flexible "guest" portal
Useful integrations with other leading security products
Vendor independent
Excellent vendor support
![Page 26: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/26.jpg)
Customer – Production
Important facts:
Proprietary communication systems (fieldbus: Interbus, Profibus, ...) are being replaced by Ethernet because of the associated costs
Robots and machines cannot be protected with the usual techniques (no patch management, virus protection, password protection, login)
Consultants need network access for maintenance and repair jobs
Security incidents may cause personal injury and physical damage
![Page 27: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/27.jpg)
Customer – Finance & Insurance
Important facts:
MaRisk has been in force since 1 January 2008 (through BSI and ISO standards: high security demands)
Protection of public areas with guest access is needed
ATMs and other "NAC gap" systems in the network have to be included in the security measures
The wide area of branch offices can be controlled effectively through live monitoring
![Page 28: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/28.jpg)
Customer – Government
Important facts:
Strict requirements from the BSI and others have to be fulfilled
Handling sensitive and often personal data results in a very high need for security
Live monitoring enables and facilitates control and management in large organizational structures, even worldwide
macmon allows administration with very little personnel effort
Landratsamt Augsburg
Landesamt für Steuern und Finanzen
Landratsamt Sigmaringen
![Page 29: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/29.jpg)
Customer – Healthcare
Important facts:
Through the integration of medical devices, the IT network becomes a medical IT network and is thereby covered by medical device law
Medical IT network and general IT network have to be separated (DIN EN 80001-1, risk management for IT networks incorporating medical devices)
Protection of patient data and of the patient–doctor relationship
For private institutions: with the Basel II rating (and in future EuroSOX as well), the IT infrastructure is directly related to the granting of financial resources; security deficits will reduce the credit line
![Page 30: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/30.jpg)
Customer – Media
Important facts:
Many mobile workplaces, often used outside the company or even abroad
Many guests and external staff on the company premises
Live monitoring enables and facilitates control and management in large organizational structures, even worldwide
macmon allows administration with very little personnel effort
![Page 31: Nac macmon secure_2014](https://reader034.fdocuments.us/reader034/viewer/2022042615/55cdf464bb61eb9e1b8b46b6/html5/thumbnails/31.jpg)
Contact
We look forward to talking to you!
macmon secure GmbH
Charlottenstr. 16, D-10117 Berlin
Phone +49 30 23257770, Fax +49 30 2325777-200