The Volkswagen Foundation is investing in macmon Network Access Control (NAC) to completely prepare its network for current and future security demands. At the same time, intelligent automation is relieving the load on IT employees.
Old systems too rigid and complicated
With just over 200 end devices (printers, desktop PCs and laptops) for 105 employees, the Volkswagen Foundation is a relatively small organisation. But as an important sponsor of training, science and technology for research and education, it bears a significant social and financial responsibility – which is why it requires the best possible protection against unauthorised access.
The Foundation had already implemented a Network Access Control solution from a US provider to protect its network access, the first and most important line of defence in data protection. However, this solution tied the IT team to its provider to a certain extent, making it difficult to update the infrastructure and flexibly adapt it to new requirements. Furthermore, support inquiries were a long and complicated process, as no local service team was available within Germany for direct contact. Another problem posed by the old solution was the time-consuming operation and high level of complexity, as it was much too cluttered for the relatively simple infrastructure. This meant that even small changes required great effort and the management of the solution alone took up a significant part of the workday for the two in-house network administrators.
Simple. Secure. In just four weeks.
Changing the infrastructure over from VDX to ICX switches made it possible for the Volkswagen Foundation to throw off the shackles of the previous NAC solution. This is due to the fact that ICX switches, in addition to most other switches, are compatible with the completely manufacturer-independent macmon NAC solution, which made it possible to easily change to the far more convenient German solution. As the solution of the Berlin-based technology leader functions independently of hardware, the Volkswagen Foundation IT team was able to freely build its environment from best-of-breed hardware and software to implement the level of protection that was just right for the organisation. In addition to the added functional values, the fact that macmon is completely developed in Germany and therefore poses no risks of hidden backdoors, which third parties could use to evade the security measures unnoticed, was an important factor.
Only four weeks passed between making the decision in favour of the macmon NAC version 5.3.0 and the complete replacement of the old solution. Following implementation, macmon was operated in reading mode alongside the old solution. In addition to the NAC basic module, the VLAN Manager module and the Graphical Topology were deployed. During this first test phase, employees were able to familiarise themselves with the functions and the easy operation of the macmon solution. The IT team quickly realised that macmon is nowhere near as complicated as the old solution and is perfectly tailored to the requirements of the Volkswagen Foundation. The topological representation offers a complete overview and a large number of intuitive management options for all network devices in the network. The dynamic VLAN Manager won the IT team over with its high degree of automation and predefined set of rules, meaning that only a single additional rule had to be written.
Other network switches were connected step by step during the changeover until macmon was able to fully replace the old solution after only four weeks. Thanks to the preceding reading and learning phase, all devices were already classified in macmon, meaning it was nearly as easy as flipping a switch to transfer the new NAC solution into production mode.
All-round protection with a real future
Access to the network is now granted on the basis of different criteria, such as the MAC address, username/password or certificate. The certificate is the highest level of authentication. Since access to the network is granted by the switch only after confirmation has been provided by the RADIUS server, there are no unused or non-secure ports, as recommended by the BSI. The ease of use of the solution makes it very quick to put into operation and also allows for easy switching to combined operation with and without 802.1X if required. With macmon, the Volkswagen Foundation has transformed its Network Access Control from an irksome, awkward and Sisyphean task that prevented valuable IT resources from performing productive work into a central, future-proof and convenient security authority in the network.