NETWORK ACCESS CONTROL. Secured Network Access for Persons and Devices

Transcription

1 NETWORK ACCESS CONTROL Secured Network Access for Persons and Devices

2 The diversity of network-capable devices and related administrative efforts are taking on ever-increasing dimensions. To control the flood of communicating devices, a growing number of institutions introduce a company-wide network access control solution. Problem Devices and people connect via Ethernet, WLAN or VPN to the company's network. The challenge is to automatically provide each terminal with a suitable network access at any location: Company-owned devices which authenticate people and devices should get access via multi-level, most often certificate-based methods (e.g x). Once successfully authenticated, the devices are assigned to the corresponding VLANs. Unfortunately, not all devices (like printers, surveillance cameras, medical devices, central building control system etc.) support x. In such a case, a based access control ensures an automatic device assignment to dedicated VLANs. challenging when employees even need access to internal company resources like file shares, ERP systems or databases. Guests, external employees, suppliers and further groups of people require a temporary and secured internet access. However, granting a secured and tailored access to every person should finally not result in enormous administrative efforts. Providing an appropriate and fully automated access for all different target groups affords a multi-level authentication solution which adapts to device capabilities and fulfills highest safety standards. Employees require access for their private devices to check their /calendar or for internet. The implementation of a "bring-your-own-device" (BYOD) strategy is particularly

3 Solution CloudGuard offers a unique and fully integrated network access control solution which runs totally independently of suppliers. It combines a variety of access methods so that user groups get the appropriate network access. The combination of the two innovative products called the MPP and the MPP results in a most flexible overall solution covering the needs of medium-sized and large companies in terms of network access control implementation. MACMAN: the multi-tenant NAC authentication and agement solution MPP: the flexible web authentication or guest access portal solution The product called the "MPP" is a guest access portal solution for user authentication via web browser. By means of individual authorization profiles and related router/firewall/proxy rules for different user groups, the MPP controls the network access in full detail and stores the legally required boundary data. The product called the "MACMAN" represents a Radius/LDAP server with additional connection options to inventory databases, CMDB, company-specific directories (e.g. Microsoft Active Directory, Open LDAP etc.) as well as to ERP systems such as SAP for settlement purposes. The devices are automatically linked to the correct network segment. The MPP stores the last access locations what facilitates the device localization. A multi-tenant device agement as well as user accounts make it possible to delegate the administrative overhead to departments or user groups. The MACMAN and the MPP communicate together so that once identified devices and persons can be authenticated via other procedures in future. File Server Radius Server

4 Secure and flexible at the same time Enterprise Core Network Access ONLY with 802.1x Authentication Dedicated VLANs Access allowed with MAC Authentication Access to the Internet or /Calendar ONLY Allowed with Web-Authentication (self-service) Other NAC solutions apply the "all or nothing" principle which means that a network access is either fully granted or denied. The NAC solution from CloudGuard, however, is based on a gradual approach. Each device gets as much access as it deserves trust. Thus, multi-level zone concepts are realizable. The only access to the heart of a company network is via an access procedure with highest security levels (mostly certificate-based) which authenticates both the device and the user. Non-802.1x capable devices are authenticated via addresses and routed into dedicated VLANs. Unknown devices (e.g. private smartphones / tablets of employees, visitors etc.) get a temporary internet access provided that the SMS authentication has been successfully executed. Yet, the NAC solution from CloudGuard can dynamically move devices into higher or lower trust zones: When an employee authenticates to the web authentication portal with his/her company password, the device can be automatically moved into a higher trust level (e.g. based authentication). This means that there is no need for the employee to ually authenticate each time he or she uses the device. The access is granted as long as the employee's company account is valid. In case a virus has been detected, the device can automatically be moved into the lowest trust zone. The user can then run the latest update of an anti-virus program. Your Benefits The NAC solution from CloudGuard represents a combination of its two products called the MACMAN and the MPP. It is currently the most flexible NAC solution on the market and allows the implementation of your BYOD strategy in an optimal way. All conventional authentication methods are supported: 802.1X EAP, authentication, web authentication, SMS authentication, voucher, credit cards etc. The NAC solution from CloudGuard can be easily implemented into existing environments by integrating the Active Directory, LDAP- or Radius Server, clinical information system (CIS), E-Gate, hotel reservation systems (Amadeus, Fidelio), CSV Import etc. Reduced administrative overhead regarding agement of devices, guests and external employees thanks to multi-tenant delegation of administration and various self-service applications. Real-time localization of connected devices Control remains with the network ager who benefits from overviews of authorized accesses and extensive logging capabilities for traceability purposes.

5 Conclusion The NAC solution from CloudGuard is the optimal access solution for complex company environments with a lot of requirements and devices. Furthermore, it is an ideal enhancement to existing solutions such as Cisco ACS, ISE. Hence, missing functionalities such as the integration into a company-specific ERP, CMDB systems or the multi-tenant agement delegation can be realized. Please contact us and let us show you how to meet your personal needs in an optimal way. Reference Project The Dolder Grand is a luxury-class city resort in Zurich including hotel suites, banqueting and seminar facilities. Wireless network connectivity must be impeccable, invisible and secure and should only involve minimal administrative efforts. However, different kinds of guests result in different communication needs which need to be fulfilled. In addition, the hotel operates many devices that range from mobile terminals, IP telephones, building control systems and surveillance cameras etc. that must be integrated into the communications network.

6 CloudGuard Software AG Huobstrasse Pfäffikon Tel: Fax: