Before contacting our technical or product support, please go through our FAQ—answers to the frequently asked questions.
Resources can be anything. Protection is provided either by connecting to the resources through a gateway (local or also in the cloud) or by high-level single sign-on authentication via SAML or OpenID. Individual applications can be assigned to users and devices within the policies, as well as e.g. network areas, individual IPs, specific protocols / ports, etc.
The login process for SDP and VPN does not differ fundamentally for the user. There is an agent to which the user must authenticate. However, the macmon SDP agent not only checks the user identity, but also the identity and security status of the endpoint. This information is then transmitted to the controller and checked. Complementing this, the GUI of the SDP agent offers more convenience than a VPN solution with the display of available resources in the form of applications and links.
Besides IPsec, we offer WireGuard as the latest VPN technology and combine it with a self-developed control of who and what is allowed to use the tunnel. This allows us to operate with considerably less "legacy". Furthermore, we can significantly shorten the path, especially when connecting to resources in private clouds, and eliminate the connection detour via the local infrastructure. The advantage here is primarily the more direct connection, without possible bottlenecks caused by limited local bandwidth.
Reducing the connection options to exactly those resources that each individual user needs for his or her work also reduces the attack surface for an attacker. If, for example, someone "hijacks" a laptop and the access data of an employee and thus establishes a connection to the company, this attacker cannot immediately access the entire network. The protection is further increased by additionally restricting access to certain ports. An attacker could, for example, only connect to the CRM via the website (https), but could not additionally check the underlying server for security gaps with a port scan in order to take it over and thus gain further access to the network. Viruses, worms and Trojans also like to spread on their own within a network. However, if the other clients and the servers are not reachable at all, but only the websites of the respective applications, malware cannot spread so easily. This measure falls under the term microsegmentation.
macmon secure is a trusted manufacturer for network security. As with our NAC solution, we have focused on simple handling and use. Especially by offering it as a cloud service, administrators are relieved of a lot of effort and commissioning is easier and faster than with any classic VPN solution.
The macmon SDP agent is a "cross-platform solution" and can be operated on endpoints running Windows, macOS, Linux, Android and iOS. Basically, the agent works "transparently": it communicates with the cloud controller and provides the secure connection channels after successful authentication.
One login is enough to connect to all tunnels, i.e. to local resources and to resources in private clouds. Resources in public clouds require the use of single sign-on technology, which currently requires a separate (one-time) login in the browser.
There are several different implementation strategies for benefiting from the added value as quickly as possible. For example, in the first step the existing VPN solution can simply be replaced; this usually only requires a few rules, distributing the agents and implementing the gateway. Since parallel operation with a classic VPN is also no problem, migration can be very smooth. Overall, a migration can be completed in just a few hours, plus agent distribution. Based on this, resources can then be added step by step.
This is one of the biggest advantages of the cloud-based SDP solution. For example, it is possible to start with a single gateway if the resources are already available internally. Additional gateways can then be added for each site that operates IT resources, in order to increase availability and reduce traffic. Cloud-based resources and applications are directly accessible via macmon's own cloud gateways, so no effort is required on the customer's side here.
The agents already have built-in authentication, which precisely checks the identity of the endpoint. Transparent encrypted communication based on shared secrets that change for each connection is used for the connections to the gateways; a separate PKI is therefore not required.
Yes, our approach is multi-client capable. So you can operate clients or customers without them having mutual insight into each other's data, user management, etc.
Policies are set individually in the SDP controller at the user and device level.
The gateway is offered as an OVF (Open Virtualization Format) virtual appliance. However, a Debian package is also available, which can be installed on dedicated hardware with a pre-installed Debian Linux. In that case there are, of course, a few more configuration steps, because we cannot carry them out in advance as we do with the virtual appliance. However, we can of course provide support during implementation.
Both products can be used and operated completely independently of each other. In the future, there will be various integrations, but no further details can be communicated yet.
macmon SDP is available in the MSP model. In fact, macmon SDP was planned primarily as a service, where we as the vendor provide the infrastructure, while Managed Service Providers provide services such as maintenance and administration. The extensive multi-client capability allows granular control over who gets access and can provide the corresponding configurations, and thus also over the MSP.
macmon SDP is distributed exclusively indirectly worldwide. This means that the solution is not purchased directly from macmon secure GmbH, but via one of our partners, who also provide support in testing, licensing and implementation. Partners purchase through our distribution.