Secure Defined Perimeter Suite

macmon Secure Defined Perimeter (SDP) Suite is the key to secure access to all company resources, whether they are located locally or in clouds. macmon SDP provides Zero Trust Network Access (ZTNA), which is becoming more and more important in both IT and OT. ZTNA is based on the principle of not trusting a device or a user until it has been definitively authenticated, in order to minimise threat vectors. As our working environment is increasingly reshaped by mobile working, digitalisation, the Internet of Things and the outsourcing of various services to clouds, ZTNA must remain a key component of integrated IT security solutions in the future. The macmon SDP Suite takes this change into account.

Features & Benefits

  • Ensures Zero Trust Network Access approach: ZTNA in both IT and OT environments to significantly minimize attack vectors.
  • Secure and direct communication: Additional security through multi-factor authentication and time savings through single sign-on.
  • One solution for access to all company resources: Whether in the local network or in the private or public cloud.
  • Software that supports all networks: No initial investment in hardware necessary.
SDP Functions

  • Next Generation VPN: The macmon SDP feature "Next Generation VPN" is used to control access to traditional local resources in the corporate network.
  • Private Cloud Protection: Resources in private data centers can be accessed via the macmon SDP Cloud Gateway.
  • Public Cloud Protection: Resources in the public cloud can be accessed with the macmon SDP Controller and single sign-on.


Belden macmon SDP features


  • Securing local resources

    The macmon SDP feature "Next Generation VPN" is used to control access to traditional local resources in the corporate network.


    Devices or users that want to have access must have the macmon SDP agent installed, which establishes a connection to the cloud controller (macmon SDP Controller). In contrast to the classic VPN, both the agent and the user authenticate themselves at the macmon SDP controller.


    If agent and user are validly and successfully authenticated at the controller, the connection to the SDP gateway is established and access to the network can be granted. The gateway is usually located in the DMZ of the company. Which IP address ranges and which protocols the user is allowed to access can be defined per user. This results in segmentation that determines which user is allowed to access which internal resources with which device.


    In addition to the identity, the security status of the endpoint used is also checked and considered in the decision. With flexible policies, sensitive resources can be accessed depending on the security level.


  • Private cloud protection

    Secure and direct communication with resources in the private cloud


    A private cloud is a cloud environment that is operated exclusively for, or is intended to be accessible only to, a single organization or company. Access to these cloud resources is either via the macmon Cloud-SDP Gateway or via a separate, self-managed SDP gateway.


    To establish a connection to the cloud resources, the user and the agent installed on the endpoint first authenticate themselves on the macmon SDP controller. If the authentication is successful, a connection to the corresponding SDP gateway is established, and thus a connection to the shared cloud resources.


    Which services are accessible to the respective user can be defined individually with policies. In addition, the security status of the endpoint is also included, so that, for example, despite valid authentication, the resources are not made accessible due to a poor security status.

  • Public cloud protection

    Secure and Direct Communication with Resources in the Public Cloud


    The "public cloud" generally refers to resources that are freely accessible on the Internet. However, since these services are used for the company's purposes and usually also contain company data, access control is essential in terms of cybersecurity.


    To gain access to the cloud resources, the user first authenticates at the macmon SDP controller. Depending on requirements and policies, valid authentication of the agent on the endpoint can also be required, so that the use of certain devices, or at least a certain security level, can be enforced even for publicly accessible services. If authentication is successful, services in the public cloud can be accessed. Access to these resources can take place either through an encrypted tunnel via a macmon SDP gateway or directly via the Internet.


    Using the Identity Access Management function of macmon SDP, access is controlled and at the same time single sign-on is enabled via standards such as SAML and OpenID as well as other technologies. Since the communication takes place exclusively via the client browser, no connection between the macmon SDP cloud service and your internal systems is necessary, so single sign-on is available not only for cloud applications but also for your internal resources.

Benefits of macmon SDP

  • Attack surface reduction with micro-segmentation
  • Definition of individual policies at user level and device level
  • Minimal maintenance and low operating costs thanks to SaaS
  • Includes Cloud Identity Provider / Identity Access Management (IAM)
  • Seamless integration of cloud resources and reduced traffic
  • Split tunneling
  • Prevention of account hijacking
  • Highly scalable for any number of users
  • Global availability
  • GDPR-compliant

FAQ for macmon SDP

Before contacting our technical or product support, please go through our FAQ—answers to the frequently asked questions.


Technical FAQs

  • What are the advantages of the individual connections compared to a classic tunnel connection?

    Reducing the connection options to exactly those resources that each individual user needs for his or her work also reduces the attack surface for an attacker. If, for example, someone "hijacks" a laptop and the access data of an employee and thus establishes a connection to the company, this attacker cannot immediately access the entire network. The protection is further increased by the additional restriction to certain ports. An attacker could, for example, only connect to the CRM via its website (HTTPS), but not additionally probe the underlying server for security gaps with a port scan in order to take it over and thus gain further access to the network. Viruses, worms and Trojans also tend to spread on their own within a network. However, if the other clients and the servers are not reachable at all, but only the websites of the respective applications, malware cannot spread so easily. This measure falls under the term microsegmentation.

  • What are resources and how are they defined?

    Resources can be anything. Protection is provided either by connecting to the resources through a gateway (local or also in the cloud) or by high-level single sign-on authentication via SAML or OpenID. Individual applications can be assigned to users and devices within the policies, as well as e.g. network areas, individual IPs, specific protocols / ports, etc.

  • What is the difference in the login between SDP and VPN?

    The login process for SDP and VPN does not differ fundamentally for the user. There is an agent to which the user must authenticate. However, the macmon SDP agent not only checks the user identity, but also the identity and security status of the endpoint. This information is then transmitted to the controller and checked. Complementing this, the GUI of the SDP agent offers more convenience than a VPN solution with the display of available resources in the form of applications and links.

  • Why is SDP more performant than VPN?

    Besides IPsec, we offer WireGuard as the latest VPN technology and combine this with a self-developed control of who and what is allowed to use the tunnel. This allows us to operate with considerably less "legacy". Furthermore, we can significantly shorten the path, especially for connecting resources in private clouds, and eliminate the connection detour via the local infrastructure. So the advantage here is primarily the more direct connection without any possible bottlenecks due to limited local bandwidths.

  • Isn't the functionality of macmon SDP too complicated and thus vulnerable to errors?

    macmon secure is a trusted manufacturer for network security. As with our NAC solution, we have focused on simple handling and use. Especially by offering it as a cloud service, administrators are relieved of a lot of effort, and commissioning is easier and faster than with any classic VPN solution.

  • Can macmon SDP be operated with different operating systems?

    The macmon SDP agent is a "cross-platform solution" and can be operated on endpoints with the operating systems Windows, macOS, Linux, Android and iOS. Basically, the agent works "transparently": it communicates with the cloud controller and provides the secure connection channels after successful authentication.

  • Is one login enough for everything (local, public, private)?

    One login is enough to connect to all tunnels, i.e., to local resources and to resources in private clouds. Resources in public clouds require the use of single sign-on technology, which currently requires a separate (one-time) login in the browser.

  • How long will the implementation of macmon SDP take?

    There are several different strategies for implementation in order to benefit from the added value as quickly as possible. For example, in the first step, the existing VPN solution can simply be replaced; this usually only requires a few rules, distributing the agents and implementing the gateway. Since parallel operation with a classic VPN is also no problem, migration can be very smooth. Overall, a migration can be completed in just a few hours, plus agent distribution. Based on this, resources can then be added step by step.

  • How does macmon SDP operate in a distributed IT infrastructure with many sites and respectively distributed resources?

    This is one of the biggest advantages of the cloud-based SDP solution. For example, it is possible to start with one gateway if the resources are already available internally. Additional gateways can then be added for each site that operates IT resources, to increase availability and reduce traffic. Cloud-based resources and applications are directly accessible via macmon's own cloud gateways, so that no effort is required on the part of the customer here.

  • Does a full Public Key Infrastructure need to be set up and rolled out for SDP?

    The agents already have built-in authentication, which precisely checks the identity of the endpoint. Transparent encrypted communication based on shared secrets that change for each connection is used for the connections to the gateways; a separate PKI is therefore not required.

  • Is the SDP controller also multi-tenant in the cloud?

    Yes, our approach is multi-client capable. So you can operate clients or customers without them having mutual insight into each other's data, user management, etc.

  • Where are the policies set?

    Policies are set individually in the SDP controller at the user and device level.

  • Can the local macmon SDP gateway also be installed on physical hardware?

    The gateway is offered as an OVF (Open Virtualization Format) virtual appliance. However, a Debian package is also available on request, which can be installed on dedicated hardware with a pre-installed Debian Linux. There are then somewhat more configuration steps, because we cannot carry them out in advance as we do with the virtual appliance. However, we can of course provide support during implementation.

  • Is the traffic via Cloud SDP Gateway unlimited?

    In principle yes, but according to the terms of use there is a monthly limit per user. If this limit is exceeded, an additional license is required for each user who exceeds the limit. However, the question raises another fundamental point regarding the planned usage: the ZTNA approach is to explicitly define which traffic goes through a tunnel and that only certain resources should be accessible. This increases security and at the same time minimises traffic, so that reaching the limit is highly unlikely, since everything else can go directly to the Internet and does not have to pass through a cloud gateway.
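The access decision described under "Securing local resources" and in the microsegmentation answer above, as an added illustration written for this page (not macmon's own software or policy format): both the user and the agent must be authenticated at the controller, the endpoint's security level must meet the rule, and only the listed IP range, protocol and port are reachable. The rule fields, the posture scale and the sample rules are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    user: str          # user the rule applies to
    network: str       # resource IP range (CIDR)
    proto: str         # "tcp" or "udp"
    port: int          # the one port the user may reach in that range
    min_posture: int   # minimum endpoint security level (assumed scale 0-3)


@dataclass(frozen=True)
class Session:
    user: str
    user_authenticated: bool    # user identity validated at the controller
    agent_authenticated: bool   # endpoint identity validated at the controller
    posture: int                # endpoint security status reported by the agent


# Constructed sample policy: alice may reach the CRM web front end,
# and an admin jump host only from an endpoint at the highest posture level.
POLICY = [
    Rule("alice", "10.20.0.0/24", "tcp", 443, min_posture=2),
    Rule("alice", "10.30.0.0/24", "tcp", 3389, min_posture=3),
]


def decide(session, dst_ip, proto, port, policy=POLICY):
    """Return (allowed, reason). Deny by default: both identities must be
    valid and the first rule matching user, destination and port decides."""
    if not (session.user_authenticated and session.agent_authenticated):
        return False, "user or agent not authenticated at controller"
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule.user != session.user or ip not in ipaddress.ip_network(rule.network):
            continue
        if rule.proto != proto or rule.port != port:
            continue
        if session.posture < rule.min_posture:
            return False, f"endpoint posture {session.posture} below required {rule.min_posture}"
        return True, f"matched rule {rule.network} {rule.proto}/{rule.port}"
    return False, "no rule covers this destination: segment not reachable"


if __name__ == "__main__":
    s = Session("alice", True, True, posture=2)
    print(decide(s, "10.20.0.15", "tcp", 443))   # CRM over HTTPS: allowed
    print(decide(s, "10.20.0.15", "tcp", 22))    # other port on the same host: denied
    print(decide(s, "10.30.0.5", "tcp", 3389))   # posture too low for the jump host: denied
```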

Sales FAQs


  • Is macmon SDP a separate product (even without NAC)?

    Both products can be used and operated completely independently of each other. In the future, there will be various integrations, but no further details can be communicated yet.

  • Does macmon SDP exist in the MSP model?

    macmon SDP is available in the MSP model. In fact, macmon SDP was planned primarily as a service, where we as the vendor provide the infrastructure, but Managed Service Providers provide services such as maintenance and administration. The extensive multi-client capability allows granular control of who gets access and can provide the corresponding configurations, and thus also the MSP.

  • Where can I purchase macmon SDP?

    macmon SDP is only distributed indirectly worldwide. This means that the solution is not purchased directly from macmon secure GmbH, but via one of our partners, who also provide support in testing, licensing and implementation. For partners, the purchase is made through our distribution.

  • How can I test macmon?

    You have several options to get more detailed information about macmon. Here you can start a test request. Our employees will get back to you as soon as possible with a demo version without obligation.

  • Where can I read more about macmon SDP?

    For more information about macmon SDP and how it works, we recommend our product pages or our datasheet.