Network Access Control Software

With macmon Network Access Control (NAC) you gain transparency, secure authentication and granular access control in critical networks. macmon NAC gives the IT and OT departments an instant network overview with graphical reports and topology. You secure your OT environment by keeping all nonessential devices off the network and creating security zones based on criticality. This can be handled immediately with an automatic, dynamic set of rules. Implementation is possible within a day, and the interface is intuitive and easy to use.

  • Easy network segmentation and threat isolation: The highest level of security is achieved by using state-of-the-art authentication methods. Automatic reaction to events. Relief of the operating team.
  • Full control over all devices in the network: Instant network overview, graphical reports, and topology. All networks can be easily segmented, and threats isolated. Visibility of OT devices and communication relations. Detection of deviations from the expected status.
  • Identification of all endpoints: No more unknown or unauthorized endpoints and no insecure devices - tangible security by regulating the access of endpoints.
  • Infrastructure manufacturer agnostic: Can be installed in any heterogeneous network. Close partnerships with a large number of IT and OT security solutions. These integrations give users real added value in their daily lives.
| Module | Bundle | Description |
|---|---|---|
| Topology | Network Bundle | Aesthetic, automated network topology visualization enables complete network visibility. Effective and efficient reporting for audits. |
| Advanced Security | Network Bundle | Information about the operating system, domain name and device name of an endpoint is collected to distinctly identify the device. This information is used to detect, repel and locate attacks of all sorts in conjunction with the NAC feature. |
| VLAN Manager | Network Bundle | Efficient and effective tools for the easy implementation and operation of dynamic and static VLAN concepts. Reduction of time required for secure network segmentation and management. |
| 802.1X | Network Bundle | Authentication using macmon's integrated RADIUS server based on MAC address bypass, credentials or certificates. Mixed mode through integration with existing identity stores. |
| Guest Service | Network Bundle | Intelligent & dynamic management of external/guest devices through a granular guest ticket system to provide secure, temporary network access on LAN and Wi-Fi. |
| Compliance | Add-On | Use macmon's unique and powerful position on the network to enforce endpoint security and compliance through third-party technologies. |
| Past Viewer | Add-On | Identification and processing of endpoint sessions. Analysis of historical data. |
| Switch Viewer | Add-On | Graphical visualization and control of network switches including port information. Advanced use of TACACS+- & RADIUS-based user authentication for console, SSH, web GUI, API. Central logging of command execution is possible with TACACS+ and compatible infrastructure devices. |
| Scalability | Add-On | Maximum reliability through flexible high-availability options for local or distributed infrastructures including central management and reporting. |

 

Belden macmon NAC features

The security features of macmon NAC are offered in product packages. Everything you need for efficient protection of your network access is combined in the macmon NAC Network Bundle. If you have particularly high security requirements, Add-Ons can be added individually.

 

  • Topology

    Convenient and automatic visualization

    Infrastructures are becoming more and more complex and confusing: With macmon NAC Topology, you get a graphical representation of your network that allows you to always keep track of all connected devices.

     

    Your advantages with macmon NAC Topology:

    • Effective network overview through automatic visualization
    • Manufacturer-agnostic fit for any environment
    • Fulfillment of requirements from revisions and audits for network visualization
    • Combination of SNMP and 802.1X
    • Error prevention: Filter by device properties, detect configuration errors, and clarify device connections
    • Combination with VLAN management: Highlighting and selecting switches and endpoints by known or unknown VLANs
    • Support for network planning: better planning of network expansions and reconstructions, manual setting of missing uplinks between network components
    • Integration with reporting: Filter by location, create, store, update, and export separate views, further edit with tools such as Visio or SVG tools

     



  • Advanced security

    The extra level of network security

    macmon NAC Advanced Security provides a comprehensive overview of the network through simple categorization and advanced identification of endpoints. In conjunction with NAC, the information obtained is synchronized in the background to prevent address manipulation and other attempted attacks completely.

     

    Your benefits with macmon NAC Advanced Security:

    • Determination of endpoint information: Operating systems of endpoints, domains, names, and open or closed ports
    • Collection and correlation of network device measurement data such as ARP caches, DHCP and DNS data
    • Detailed identification of endpoints and monitoring of changes by scanning via WMI (domain, host name, operating system), SNMP (sysDescription, sysLocation, sysName), footprinting (IP protocol stack, port scans) and fingerprinting (SSH, TLS)
    • Detection and effective resistance against security incidents such as ARP spoofing, MAC IP mismatch, MAC address flooding and MAC spoofing

     



  • Network access control

    Efficient network access control

     

    The NAC solution protects your network from intrusion by unwanted devices, provides an overview of all devices in your network, and thus offers you up-to-date IT inventory management. Through the central administration of all company switches via SNMP or SSH/Telnet, macmon NAC ensures that you are in control of your network.

     

    Your benefits with Network Access Control:

    • Switch port-specific rules: Management of network access
    • Up-to-date evaluations through comprehensive and user-specific reporting



  • VLAN Manager

    Simple and dynamic VLAN management

    With the macmon VLAN Manager, you can centrally and easily utilize all the advantages of network segmentation. The feature enables static and dynamic VLAN concepts to be introduced and operated with little effort. The Common Criteria recommendation to switch off unused ports (or move them into an unassigned VLAN) and only make them productive when required is fully supported.

     

    Your benefits with macmon NAC VLAN Manager:

    • Offer mobile users their usual resources anywhere in the company
    • Simplify the relocation of departments, offices or specific systems
    • Guarantee guest access in public areas
    • Access for service providers to dedicated resources
    • Protecting sensitive resources from general access
    • Flexibility and security

     




  • 802.1X

    Secure authentication according to the 802.1X standard

    The Institute of Electrical and Electronics Engineers (IEEE) is a global association with committees for the standardization of technologies, hardware and software. The 802.1X standard represents a mature recommendation for the secure authentication of devices in networks. macmon supports this standard and facilitates its introduction and operation.

     

    Your benefits with 802.1X:

    • Dynamic and hybrid operation possible - with and without 802.1X, gradual introduction of 802.1X
    • Flexible security level depending on the authentication method
    • Device localization through communication with the switches and access points
    • Integration into existing infrastructure: connection of AD/LDAP and other identity sources
    • Dynamic & automatic set of rules
    • Simple implementation & easy operation
    • Group-based configuration instead of a comprehensive set of rules
    • Establishment & implementation of concepts for security zones
    • Authentication via RADIUS server via MAC address, username/password or certificate
    • Provision of additional rules for layer 3 switches

     



  • Guest services

    Open the network in a controlled manner!

    Mobile employees, service providers, suppliers, and customers often require more detailed access to certain company resources, so that neither UMTS & LTE nor a completely separate guest network is a sufficient solution. macmon NAC Guest Service can grant external devices access to the network flexibly and as required, to definable resources, revocable, time-limited and traceable.

     

    Your benefits with macmon NAC Guest Service:

    • Intelligent BYOD solution: Mobile device management for employee devices
    • Manufacturer-agnostic fit for any environment
    • Quick and easy commissioning and simple administration
    • Use and operation of existing processes
    • Relief of the IT department through delegated approvals (sponsor portal)
    • Secure and controlled integration of external devices: highly flexible access control for every situation
    • Up-to-date and complete overview of all guest devices
    • Central administration for complex company structures

     



Add-Ons

 

  • Compliance

    Isolation of dangerous devices

    A detailed review of authorized systems for compliance with security guidelines is becoming increasingly important to minimize the attack surface of businesses. A permanent check of the “compliance status” and the automated enforcement of IT compliance are therefore essential. macmon NAC Compliance offers the option of using multiple, linkable components to enforce company guidelines effectively.

    Crucially, 99% of organizations already have systems in place that can determine the compliance status of endpoints and notify administrators of deviations. However, what almost all of them have in common is that effective enforcement of IT compliance usually must be done manually or at least reactively. Our Network Access Control solution provides crucial support to automate these processes.

     

    Your benefits with macmon NAC Compliance:

    • Open interface to any data source: Use of multiple, arbitrary, manufacturer-agnostic sources to transmit the compliance status of an endpoint to macmon
    • Independent isolation of endpoints classified as not secure according to the policies
    • Update security status in a protected environment (quarantine or remediation VLAN)
    • Connection of leading anti-virus systems (Kaspersky®, Sophos®, Symantec®, McAfee®, G-Data®, F-Secure®, TrendMicro®)
    • macmon's own compliance agent
    • Integrated IF-MAP technology

     



  • Past viewer

    Collection and preparation of data

    macmon NAC Past Viewer also offers the option of collecting and processing data that is usually discarded during Network Access Control in a structured manner to obtain a historical view in addition to the live view. For each endpoint, it is possible to display when and where the device was operated in the network, which IP addresses and names it had, or which VLAN it was in.

    Historical data is often valuable both for forensic analyses of the past and for future-oriented considerations. macmon NAC Past Viewer collects information about your network or network connections over long periods (optionally also over a period of years). Based on events, it logs which devices were in the network when and where, including corresponding properties.

     

    Your benefits with macmon NAC Past Viewer:

    • Data collection over long periods
    • Structuring of data
    • Historical data view
    • Forensic analyses

     



  • Switch viewer

    More details and increased security

    macmon NAC Switch Viewer is available as an add-on and extends macmon NAC with additional network management functions.

    The details of the existing network components, such as serial numbers, port configurations, operating mode, VLANs, interface details, and location are read out and offered for synchronization with existing CMDBs or asset management systems using the macmon REST API. Additional inventory data and complete switch configuration data are backed up centrally with macmon.

     

    Your benefits with macmon NAC Switch Viewer:

    • Read out detailed information about the network components
    • Synchronization with CMDBs or asset management systems via REST API
    • Central backup of inventory and configuration data

     



  • Scalability

    Highly available macmon NAC scenarios

    Depending on the use of a Network Access Control solution and the technologies used, there are different requirements for the availability of this solution. macmon meets these requirements by offering the option of operating with a distributed server structure and using different architectures or design variants.

    The deployment depends heavily on the requirements and objectives. From the “hidden master” principle to simple fail-safety and compensation for WAN connection failures, the availability of macmon NAC is ensured. Each macmon server can be provided either by a virtual or a physical appliance.

     

    Your benefits with macmon NAC Scalability:

    • Flexible server architecture: macmon NAC supports a distributed server structure, in different architecture and design variants
    • Adaptation to individual requirements: from high availability to protection against WAN connection failures
    • Flexible deployment: macmon server operation as a virtual or physical appliance

     



 

FAQ for macmon NAC

Before contacting our technical or product support, please go through our FAQ—answers to the frequently asked questions.

 

  • I have a very heterogeneous network with various switches and routers. Can macmon really cater to my environment?

    Yes, macmon operates completely independently of the manufacturer. This means that all SNMP-manageable switches and routers can be controlled using macmon. Therefore, we can completely cover even highly heterogeneous environments.

  • The security requirements in my company are very different - e.g. our research area has to be made highly secure. Can macmon NAC assist me?

    Yes, macmon can be used in hybrid operation. This means that only the MAC address is used for authentication in some areas, more properties such as the IP address, host name and operating system are used in other areas, and in still other areas even certificates are used in conjunction with 802.1X.

  • Though we have modern switches, we do not have much expertise in their administration because we have used only the default features. Do I have to acquire extensive know-how in this regard?

    No, this is not necessary. There are a few details that need to be set up; both the macmon partners and macmon support will be happy to provide information about what is needed as well as appropriate support.

  • What does macmon require from the network infrastructure?

    Our requirements are minimal. It should be possible to manage the switches and routers using SNMP v1, v2c or v3 (read and write) or using SSH/Telnet.

  • How much maintenance is required for macmon?

    This is one of the biggest advantages of macmon: the maintenance effort is minimal. Some of our customers have saved a lot of time by implementing macmon because many automatic features, like the dynamic VLAN management or macmon compliance, make the day-to-day work a lot easier.
  • Can I meet the BSI and ISO specifications using macmon?

    Yes, measure 2.216 of the BSI baseline security catalog* and Articles 9.1.2 and 13.1.3 (German) of the ISO 27001:2015-03 standard ("Automatic equipment identification should be considered as a means to authenticate connections from specific locations and equipment") can be completely covered.

     

    *The installation and use of unapproved IT components should be prohibited and the compliance with this prohibition should be checked regularly.

  • I have heard a lot about 802.1X, why do I need macmon as well?

    macmon can considerably simplify the implementation and administration of 802.1X. Implementation is often made possible by macmon through its own RADIUS server, a simple web GUI and coverage of even those areas that are not 802.1X-compliant. Additional features like VLAN management or event-based responses are impossible or very difficult without the support of macmon.

     

    Supplementary features such as topology display or compliance checking and enforcement are further added values that macmon provides.


  • The implementation with 802.1X is considered very secure, but I do not want to set up a PKI. Can macmon still be used accordingly?

     

    Yes, the standard can be used with certificates as well as with MAC addresses (MAB, MAC Authentication Bypass) or username and password. macmon can therefore use authentication options other than the certificate. Additionally, the macmon mixed mode makes it possible to cover network areas that are not able to use the 802.1X standard. Those areas can then switch to 802.1X gradually, as the systems are modernized "step by step".

     

    Another option used by many of our customers is to connect to Active Directory and use the existing AD device accounts for secure authentication. This provides a significant increase in security compared to the use of MAC addresses.


  • What is the licensing process of macmon?

    macmon is modularly designed and can be licensed in different ways. The basis is the number of MAC addresses (nodes) to be authenticated.
  • How can I test macmon?

    You have several options for working with macmon. The virtual appliance can be quickly integrated with VMware or Hyper-V and can be used directly. Alternatively, you can obtain a machine from us or your system vendor. You can also obtain the necessary trial license directly from your partner or from us.

     


  • Where can I purchase macmon?

    macmon is sold only indirectly across the world. This means that the solution cannot be purchased directly from macmon secure GmbH, but through one of our partners, who also provide support for testing, licensing and implementing the solution. As a partner you can purchase our products and services through our Value Added Distributor.

     


  • How can I get support whenever I need help?

    You always have at least two options when you need help and support. The sales partner, through whom you purchased macmon, provides support and already knows your environment. In addition, you always have the option to contact us directly. Our support team is based in Berlin and can be reached by phone and email during our business hours.
  • Is macmon NAC a secure investment equipped for the future?

    The team of German developers based in Berlin is constantly expanding macmon and creating new possibilities. New standards, new research results, etc. are continuously and as promptly as possible incorporated into the further development of the software. In addition, integrations with products from other vendors are constantly being created, which allows a powerful integration with the existing environment.
  • Which operating systems does macmon support?

    macmon is available as a physical and virtual appliance for VMware and Hyper-V. Hence, you do not need to provide or maintain any operating system from your side. The operating systems of the systems to be authenticated do not matter, because our technologies are based on underlying industry standards and macmon also works without an agent.
  • Is macmon also suitable for small companies?

    For smaller companies, macmon offers the NAC smart solution which is available as a complete turnkey package including the implementation.
  • We want to monitor our LAN and WLAN infrastructure, is that possible with macmon?

    Beyond the NAC features—and usually even before using NAC—this is one of the core functionalities of macmon. Monitoring can be done for the whole network or just parts of it, resulting in alarms or logs, or even passing the data to a SIEM solution.
  • We want to segment our network, how can I use macmon for that?

    Dynamic VLAN management is not only suitable for automating existing VLAN concepts, but also for introducing new concepts. By simply categorizing the endpoints on the macmon WebGUI, the VLAN can be assigned automatically.
  • Can I also manage my inventory with macmon?

    Due to the continuous overview of the network, macmon also has an up-to-date status of the existing devices. The systems can be complemented with additional information to manage them directly in macmon, or they can be easily synchronized by linking them to another asset management system, which can provide a solid upgrade to an existing inventory solution.
  • What analysis and reporting options does macmon offer?

    The WebGUI of macmon NAC offers comprehensive system reports on endpoints, network devices, interfaces, VLANs, authentications, monitoring data and events. In addition, custom reports can be created and all information can also be retrieved via the REST API.
  • Can I also see with macmon what has happened in the past?

    The specially created module Past Viewer offers the possibility to store connection data in a separate database for a long time. This way, forensic analyses can be made at any time, and impact analyses for planned maintenance work on the network are also of enormous help.
  • We are a very large company and our locations are spread all over the world. How can I centrally monitor and protect my corporate network with macmon?

    The scalable architecture of macmon NAC offers the possibility to operate and centrally manage a whole group of servers instead of just one central server. Thus, high-availability concepts for effective NAC strategies can be implemented. The performance of macmon NAC can be expanded in parallel but also by resources within a central system in such a way that distributed structures can also be covered by a single system. The optimal strategy depends on your expectations and goals and we will be happy to discuss it with you personally.
  • I don't have the resources to run a NAC solution—can it be operated by a partner or directly by macmon?

    Yes, macmon secure offers Network Access Control as a service for this purpose, whereby the service is provided by certified and experienced Managed Service Providers (MSPs). macmon provides various supporting tools and assistance, so that MSPs can offer a high level of service.