Why Smart Network Access?
The number of connected devices in enterprise networks is growing fast. In addition, the widely discussed "Internet of Things" will have a huge impact on corporate networks once all kinds of machines, devices and building control systems are connected to the company network.
The IT desk used to be responsible for providing performant and secure internet access for company-controlled devices. Nowadays, the mobile devices of staff, guests and suppliers also require access. Consequently, the administrative expense increases and security questions arise:
• Who gets access to the corporate network, and from which location?
• How can access rights for private devices be granted individually?
• Who ensures that the access rights of departing employees are deleted in due time?
• How can the administrative burden be effectively reduced for access rights that are limited in time?
To fulfill stringent requirements in terms of security and compliance despite continually rising cost pressure, a growing number of companies are implementing automated Network Access Control (NAC).
Common challenges in practice
Visitors, partners, customers, suppliers ... require temporary and controlled internet access. This should be granted without administration effort, in compliance with the law and with misuse excluded.
Private devices of employees ... need access to the internet, email/calendar, file shares, ERP systems or the company's databases. Implementing a BYOD strategy that offers self-service management for employees is a great challenge for the IT desk.
Company-controlled end devices ... such as laptops should get access via multi-level, certificate-based methods that authenticate persons as well as devices (802.1x). Successfully authenticated devices are assigned to their respective VLANs.
Not all devices ... such as printers and medical devices support 802.1x. In this case, MAC-based access control with automatic assignment to dedicated VLANs provides effective support. A solution should be multi-tenant and feature interfaces to CMDB / inventory systems.
Employees, suppliers, consultants ... require external remote access to sub-areas of the corporate network. For this purpose, a separate account administration should grant the access instead of allocating internal accounts.
Computers with virtual machines ... as well as unmanaged hubs/switches or IP phones with computers connected behind them require special authentication procedures so that each (virtual) device can be assigned to its respective VLAN.
[Architecture diagram: wireless and wired clients in the Intranet authenticate against macman, the Authentication Server in the Data Center (IEEE 802.1x, MAC Authentication Bypass); mpp, the Authentication Gateway in the DMZ (Captive Portal, Router, Firewall, QoS); and the Sponsor / Device Portal for User / Device Management (Manage Guest Accounts, Manage "My Devices", Manage "Equipment").]
Macman is a Radius server that authenticates devices and dynamically assigns them to a network segment (VLAN). Thus, the usage of private devices can be managed individually. For instance, the permitted number of devices, Quality of Service, automatic deletion of access rights and many more criteria are definable.
MPP is a Captive Portal/Router/Firewall/Content Filter, which is responsible for user authentication via web browser and for compliance with legal regulations.
Solution
Smart Network Access is a highly flexible and straightforward overall solution which automates administrative tasks to a great extent and fully complies with high security standards. It consists of the following components: Macman, MPP and the Sponsoring/Device Portal.
The Sponsoring/Device Portal is a multi-tenant web application in the intranet which enables employees to create guest accounts and manage their private and company-controlled devices.
All three components are synchronized automatically, so that devices and persons identified once can subsequently be authenticated via the other procedures as well.
Scenario 1
If employees use company-controlled devices within company premises, full access is granted.
Who: Authenticated Employee | Where: Company Premises | What: Company-controlled Device
Scenario 2
If employees use company-controlled devices outside the company premises, access can be limited.
Who: Authenticated Employee | Where: Outside Company Premises | What: Company-controlled Device
Scenario 3
Guests and visitors are provided with a controlled Public WLAN service with SMS authentication.
Who: Guest | Where: Company Premises | What: Private Device
Scenario 4
Impersonal devices such as machines, printers, medical devices etc. are automatically assigned to the respective VLAN or security zone.
Who: Unknown | Where: Company Premises | What: Impersonal Device
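The scenario rules above are enforced by the Radius server (Macman) returning a VLAN to the switch. As an added illustration, not CloudGuard's or the product's code, the following Python sketch makes that decision for 802.1x and MAC Authentication Bypass requests and encodes the standard RFC 3580 tunnel attributes a switch reads from the Access-Accept; the inventory, VLAN numbers and MAC addresses are constructed sample data.

```python
# Added illustration, not CloudGuard's code: a RADIUS-style policy decision of
# the kind the Macman component makes, plus the RFC 3580 tunnel attributes that
# tell a switch which VLAN to place the port in. Sample data is constructed.
from dataclasses import dataclass

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses for VLANs
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed inventory (what a CMDB sync would supply): MAC -> device class
INVENTORY = {"00:11:22:33:44:55": "printer", "66:77:88:99:aa:bb": "medical"}
# Constructed VLAN plan: device class / trust level -> VLAN id
VLAN_BY_CLASS = {"company-laptop": 10, "company-laptop-remote": 20,
                 "printer": 40, "medical": 50}

@dataclass
class Request:
    method: str                 # "802.1x" (certificate based) or "mab"
    mac: str
    cert_valid: bool = False    # outcome of the certificate check
    location: str = "premises"  # "premises" or "remote" (VPN)

def decide(req):
    """Return ("Access-Accept", vlan) or ("Access-Reject", None)."""
    if req.method == "802.1x":
        if not req.cert_valid:
            return ("Access-Reject", None)
        # Scenarios 1 and 2: same device, but off-premises gets a limited VLAN
        cls = "company-laptop" if req.location == "premises" else "company-laptop-remote"
        return ("Access-Accept", VLAN_BY_CLASS[cls])
    if req.method == "mab":
        # Scenario 4: MAB only proves a MAC, so unknown MACs are rejected rather
        # than dropped into a default VLAN, and known ones land in a tight zone
        cls = INVENTORY.get(req.mac.lower())
        return ("Access-Accept", VLAN_BY_CLASS[cls]) if cls else ("Access-Reject", None)
    return ("Access-Reject", None)

def encode_avp(attr_type, value, tag=0):
    """Encode one tagged RADIUS attribute: Type, Length, Tag, Value."""
    body = bytes([tag]) + (value.to_bytes(3, "big") if isinstance(value, int)
                           else value.encode("ascii"))
    return bytes([attr_type, 2 + len(body)]) + body

def access_accept_attributes(vlan):
    """Attribute bytes a switch expects in the Access-Accept for dynamic VLAN."""
    return (encode_avp(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + encode_avp(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + encode_avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))
```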
Secure and flexible
Other NAC solutions apply the "all or nothing" principle, which means that network access is either fully granted or denied. CloudGuard's Smart Network Access, however, is based on a dynamic approach. Each device gets as much access as its level of trust warrants. Thus, multi-level zone concepts are realizable.
The following scenarios depict possible rules for a secure access to your company’s network:
The Service Level you receive
• Quality of Service (QoS)
• Bandwidth Management
What device are you on?
• Secure Device
• Protected Container (MDM)
• Private Device (BYOD)
• Public Device (e.g. Internet Station)
What you can do
• Firewall
• Content Filter
Where are you?
• Access Location (wireless, wired, VPN)
Who are you?
• Authenticate the user (Certificates, Passwords, SSO)
Where you can go
• Source based Routing
• Access control lists (ACL)
[Diagram: these factors DEFINE the access level: Full Access, Slightly Limited Access, Functional Required Access or Controlled Internet Access.]
The Smart Network Access solution of CloudGuard manages the appropriate network access for all people and their devices, independent of their place of use.
CloudGuard products - the optimal "Add-on" for existing environments
CloudGuard Add-on for Your "Guest Access"
• Straightforward self-registration via SMS authentication
• Multi-level authentication (e.g. password and SMS)
• Payment access (voucher, credit card, premium SMS)
• Individually configurable, location-specific landing pages (e.g. for local information, advertisements)
• Automatic recognition of guests (no multiple login)
• Multi-tenant user/device management with individual access rights
• Individual QoS profiles based on guest types (VIP, standard guest, etc.)
• Strictly separated storage of account data for external and internal accounts
• Integration into customer-specific databases (clinic information systems, hospitality solutions such as Amadeus, Fidelio, etc.)
• Compliance with local/legal requirements
• Decentralized satellites for local break-out of Internet traffic in branches / subsidiaries
CloudGuard Add-on for Your "BYOD Strategy"
• Straightforward password generation for private devices (no installation of apps or certificates)
• No internal (AD) credentials on private devices (security)
• No multiple logins (automatic re-connect)
• Strictly separated storage of account data for "unsecured" and company-controlled devices
• Possibility to limit the number of private devices allowed per employee
• Automatic blocking of departing employees' devices
• Automatic import from or synchronization with inventory databases and CMDB (e.g. mobile phones, tablets, medical devices etc.)
• Intuitive interface for the management of private devices
• Highest usability
CloudGuard Add-on for the Management of Internal Devices
• Straightforward, multi-tenant delegation of the device management to departments and customers
• 802.1x, MAC authentication bypass (MAB) and web authentication
• Simple on-boarding of all devices (WLAN and fixed network)
• Automatic assignment of the devices to the respective VLANs or security zones
• Multi-domain authentication (for IP-Tel/PCs, Hubs and PCs with VMs)
• Automatic import from or synchronization with inventory databases and CMDB (e.g. mobile phones, tablets, medical devices etc.)
• Comprehensive reporting and monitoring possibilities
Many customers already have security solutions of leading suppliers in place. However, they are often unhappy with the complexity of the product's administration. Sometimes important functions are simply missing, such as self-registration, straightforward onboarding or compliance with local laws. For these and further reasons, the solutions of CloudGuard can offer real added value to your existing installation.
Advantages of CloudGuard's Smart Network Access
CloudGuard offers the currently most flexible Network Access Control solution on the market. The unique solution is customized to our clients' needs and is subject to further development.
Thanks to its flexibility, the solution can be optimally integrated into existing environments. Active Directory, LDAP or Radius servers and user-specific databases, etc. allow for the automatic transfer of user data.
Reduced administrative overhead regarding management of devices, guests and external employees thanks to multi-tenant delegation of administration and various self-service applications.
All conventional authentication methods are supported: 802.1x, MAC authentication, web authentication, SMS authentication, voucher, credit cards etc.
Control remains with the network manager who benefits from overviews of authorized accesses and extensive logging capabilities for traceability purposes.
Summary
CloudGuard's Smart Network Access is the optimal network access control solution for complex company environments with many requirements and devices. Furthermore, it is an ideal enhancement to existing solutions such as Identity Services Engine (ISE) from Cisco Systems®*, Meraki®* or Aruba ClearPass Access Management System®™. Hence, missing functionalities such as the integration into a company-specific ERP or CMDB system or the multi-tenant delegation of administration can be realized. Tell us your plans and requirements. It is a pleasure for us to support your Network Access Control project.
Who is CloudGuard?
Since 2004, CloudGuard has been developing software solutions for Network Access Control (NAC), Bring-Your-Own-Device (BYOD), Guest Access and wireless communication in public transportation. By now, more than 100 companies (such as banks, insurers, hospitals and transportation companies) benefit from the advantages of CloudGuard's software.
Extract from our Customer List
• Universitätsspitäler Basel, Zürich and Bern: Guest Access
• Aargauische Kantonalbank: Guest Access, BYOD
• SBB, Postauto: WiFi Access for passengers
• Flughafen Zürich: Device Management
• The Dolder Grand Hotel: Device Management, Guest Access
• Opernhaus Zürich: Guest Access
• Fachhochschule Nordwestschweiz: Network Access Control
• Migros: Guest Access, BYOD
*Cisco® Identity Services Engine (ISE) and Meraki® are registered trademarks of Cisco Systems, Inc. in the United States and certain other countries.
CloudGuard Software AG • Zurich • Switzerland
Tel: +41 55 214 18 00 • [email protected]
www.cloudguard.ch