Learning from endpoints: macmon NAC Advanced Security
Jochen Füllgraf | August 25, 2023

The Advanced Security feature is a function of the Network Access Control solution from macmon secure. macmon NAC Advanced Security enables the post-connect and cyclical verification of endpoints. The feature supports various communication and network protocols that enable fingerprinting and footprinting. Find out how you can access the various endpoint information and how this knowledge contributes to network security.
Check endpoints with macmon NAC Advanced Security
With Advanced Security, a check can be carried out regardless of how the endpoints entered the network. If macmon NAC has basic data such as the IP address or MAC address, it can communicate with endpoints. With the help of macmon NAC Advanced Security, it is possible to regularly check whether it is the same device or at least a company endpoint from a certain device group that was originally admitted to the network. This is because it is possible, for example, that a hub has been placed in front of the port and the MAC address or even the IP address has been manipulated by spoofing. This means that there may be endpoints in the network that were never authorized.
With this obfuscation, however, the new endpoint takes part in the data traffic, i.e. the communication in the network. This allows macmon NAC to check the endpoint again. Certain TCP/UDP ports can be checked, communication and network protocols can be run through, and certificates can be inspected. Furthermore, it can be specified that silence in response to requests is also considered a violation, as this is different from the standard of the endpoint.
Fingerprinting: Technique for user tracking with unique identification of operating systems, protocols, software and hardware of endpoint and clients
Footprinting: Obtaining information from systems, infrastructure and networks from publicly accessible information and system responses
TLS (Transport Layer Security): Encryption protocol for secure data transmission on the World Wide Web
HTTPS (Hypertext Transfer Protocol Secure): Communication protocol with transport encryption on the Internet
RDP (Remote Desktop Protocol): Windows network protocol for remote access to endpoints
SSH (Secure Socket Shell): cryptographic network protocol for establishing a secure connection between endpoints
WMI (Windows Management Instrumentation): Access to settings of Windows systems
SNMP (Simple Network Management Protocol): Monitoring and control of network elements using a network management protocol via a central instance
Fingerprinting & footprinting
Checking via TLS, for example, yields a unique certificate that identifies the endpoint. RDP tends to be used when clients allow remote access with this protocol, for example for management.
Running through these protocols yields certificates. The newly presented certificate can be compared with the old certificate: Do the certificates still match? If the endpoint has been manipulated via spoofing, there is either no response to the request - no certificate is presented - or an incorrect certificate. Even if the correct public part of a certificate is supplied, a connection is also established to check whether the endpoint also holds the private part of the certificate.
In response, the endpoint can be removed from the network or moved to a quarantine network. This allows you to check in a secure environment to what extent the endpoint represents a threat and what exactly has happened to it. Alternatively, only a notification or logging is possible.
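The TLS check described above, as an added illustration that is not macmon's own code: the endpoint's certificate is fetched over a completed handshake (which also proves possession of the private key), its SHA-256 fingerprint is compared with the one recorded when the endpoint was admitted, and silence is treated as a violation. Host, port and the expected fingerprint are constructed placeholders.

```python
import hashlib
import socket
import ssl
from typing import Optional

# Constructed placeholder; in practice this is the fingerprint recorded
# when the endpoint was first admitted to the network.
EXPECTED_FP = "<fingerprint recorded at admission>"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_certificate(host: str, port: int = 443, timeout: float = 3.0) -> Optional[bytes]:
    """Complete a TLS handshake and return the peer's leaf certificate (DER).

    Returns None when the endpoint is silent or refuses the connection.
    A completed handshake also shows the peer holds the private key that
    belongs to the certificate it presented.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # identity is pinned by fingerprint, not by name
    ctx.verify_mode = ssl.CERT_NONE  # self-signed endpoint certificates are expected
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None


def evaluate(observed: Optional[bytes], expected_fp: str) -> str:
    """Map the check result to a verdict; no answer counts as a violation too."""
    if observed is None:
        return "VIOLATION_SILENT"
    if fingerprint(observed) != expected_fp:
        return "VIOLATION_MISMATCH"
    return "OK"


def check_endpoint(host: str, port: int, expected_fp: str) -> str:
    return evaluate(fetch_certificate(host, port), expected_fp)


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address (RFC 5737), not a real endpoint.
    print(check_endpoint("192.0.2.10", 443, EXPECTED_FP))
```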
Another option for checking is SSH. Like TLS, this protocol belongs to fingerprinting. The SSH fingerprint can be used to uniquely identify each client. For example, the computer name of a Windows client can be read out via WMI. If it is actually a company-owned Windows client, the login must succeed and the client must meet the optionally specified conditions, e.g. the computer name must begin with WS, for Work Station, followed by a consecutive ID.
Both WMI and SNMP are part of footprinting. This provides information on the associated group, i.e. the type or behavior of the client. The endpoint cannot be uniquely identified via footprinting, but it can be checked for company parameters.
Services of macmon NAC Advanced Security
A periodic time value can be stored in the Web GUI, e.g. 60. All endpoints connected to the network are then checked every 60 minutes to see whether their values still match the previous or general specifications.
For unknown endpoints, device groups can be configured in macmon NAC Advanced Security in the sense of a check sequence. This allows a global check to be carried out according to certain specifications. For example, whether the unknown endpoints match the values of the “Client Special” device group. If there are discrepancies, the supplied values can be checked directly against another group, e.g. whether they are developer PCs or whether the endpoint is assigned to the “Default” group. Previously, it was only possible to check one of these group settings. Now, several group settings can be queried at the same time so that a granular assignment can be made. This can be particularly helpful if the company uses special certificates and/or certification authorities.
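The check sequence for unknown endpoints, as an added example that is not part of the article or of macmon's product: device groups are tried in order and the first group whose conditions all hold is assigned, with "Default" as the catch-all. The group names "Client Special" and "Default" come from the text; the CA name, the developer-PC naming pattern and the field names of the check result are constructed.

```python
import re
from typing import Callable, Dict, List, Tuple

# Result of the per-endpoint checks (constructed field names): WMI login
# outcome, computer name, issuing CA of the presented certificate, open ports.
Facts = Dict[str, object]
Rule = Callable[[Facts], bool]


def hostname_matches(pattern: str) -> Rule:
    # WMI login must succeed and the computer name must match the pattern,
    # e.g. "WS" followed by a consecutive four-digit ID.
    rx = re.compile(pattern)
    return lambda f: bool(f.get("wmi_login")) and rx.fullmatch(str(f.get("hostname", ""))) is not None


def issued_by(ca_name: str) -> Rule:
    return lambda f: f.get("cert_issuer") == ca_name


def ports_open(*ports: int) -> Rule:
    return lambda f: set(ports) <= set(f.get("open_ports", ()))


# Groups are queried in this order; every rule of a group must hold.
# "Default" has no rules and catches everything that failed the groups above.
CHECK_SEQUENCE: List[Tuple[str, List[Rule]]] = [
    ("Client Special", [issued_by("Example Corp Device CA"), hostname_matches(r"WS\d{4}")]),
    ("Developer PC", [issued_by("Example Corp Device CA"), ports_open(22), hostname_matches(r"DEV\d{4}")]),
    ("Default", []),
]


def assign_group(facts: Facts, sequence: List[Tuple[str, List[Rule]]] = CHECK_SEQUENCE) -> str:
    for name, rules in sequence:
        if all(rule(facts) for rule in rules):
            return name
    return "Default"


if __name__ == "__main__":
    # Constructed check result of a workstation that presents the company CA certificate.
    print(assign_group({"hostname": "WS0042", "wmi_login": True,
                        "cert_issuer": "Example Corp Device CA", "open_ports": (135, 445, 3389)}))
```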
macmon NAC Advanced Security can be used to examine all endpoints that can be checked with the network protocols mentioned (see info box). These do not necessarily have to be laptops or PCs - they can be telephones, printers, cameras or other IoT devices. Which endpoints can be scanned using the feature depends on which ports you are checking and whether a service is running on them that provides a certificate or other checkable values.
macmon NAC Advanced Security can provide the following information:
- Operating systems of the endpoints
- Open and closed ports (TCP & UDP ports)
- Successful login check
- Name of the system
- Name of the Active Directory domain
- Name of the location of the endpoint (physical location)
- Sysname (name of the endpoint)
- Certificate Authorities
- Fingerprints
In combination with macmon NAC Compliance, properties configured on the endpoint can be checked and a quarantine can be triggered on that basis. This data can be queried via REST API from other systems (technology partners) or used for reporting.
The Advanced Security function is included in the Security Bundle, Network Bundle and Premium Bundle.