During German Bundesliga matches, each and every fan is focused on their team’s game. In the background, meanwhile, the IT department is working flat out to deflect any “own goals.”
The MEWA Arena can accommodate over 33,000 fans. In contrast to the usual office networks, the planning and organization required for football matches presents particular challenges for the IT department: a stadium’s Wi-Fi network, for example, has to deliver a complex and sophisticated service in real time. A fully functioning Wi-Fi 6 network is a key factor in a football club’s IT infrastructure for ensuring visitor satisfaction, as fans want to film the live experience on their smartphones and share it with friends and family on social media. Journalists and fans connect to the stadium network at the same time, but through separate access paths.
“Compared with other widely available management and access security systems from major hardware manufacturers, we find macmon secure an extremely easy-to-use solution.”
Karsten Lippert, Head of ICT & Digitalization, 1. FSV Mainz 05 e.V.
In addition, the Mainz-05 app is an important factor for the club’s fan loyalty and provides a way to keep in close contact with its fans. In the competition with TV offers, it is becoming increasingly important to ensure that the experience in the stadium is a multimedia one. The major challenge therefore lies not only in providing an adequate signal, but primarily in dealing with the extremely large number of users. On a typical match day, 1,472 authorized connections and 8,775 unauthorized connections from a total of 50 device groups are seen. The Wi-Fi network of 1. FSV Mainz 05 e.V. has to be able to identify users, monitor their network access, provide differentiated services and offer robust protection against potential security threats.
The IT department of 1. FSV Mainz 05 e.V. handles a broad range of topics in addition to fans’ communication requirements. For example, the office communication of the 1,095 employees, including 460 Office users, poses significant challenges for a smooth-running IT system that is protected against unwanted access. In addition to the internal users – some of whom are stationary and some of whom work on a mobile basis – there are regularly around 700 external users of the communication systems, who require network access to maintain the 210 POS systems, for example. Processes for administering guest access need to be both simple and secure. And finally, the IT infrastructure, which has grown over time, alone consists of 155 network switches, 380 access points and 7,500 network ports from different manufacturers. It was these special requirements, particularly in terms of network security, that prompted Karsten Lippert, Head of ICT & Digitalization for the club, to look for a network access control solution, not least with regard to the requirements of the GDPR.
Karsten Lippert: “Before the project got started, I was afraid that introducing a network security solution could lead to more disruptions on match day. A potentially long implementation period also seemed counterproductive, as our IT department already has more than enough to contend with due to the many requirements, for example, with regard to data protection issues.”
In cooperation with a local IT systems house, the experts at macmon secure GmbH were able to quickly allay these initial fears.
The project kicked off with a detailed risk analysis. Among other things, this phase revealed that the connection between switches and access points is the most critical access point to secure in the network: virtually all VLANs used in the network are present at the access point uplinks, and the access points themselves are mounted in “unsecured” locations such as outside walls and lamp posts, so their removal is a constant concern. This network-device-to-network-device connection cannot be covered by classic 802.1X, and an alternative method such as MACsec encryption is not supported by most edge switches and access points. macmon NAC solved this challenge with its SNMP NAC functionality, corresponding event monitoring and a total of just three rules.
Firstly, on match days two isolated networks are activated in predefined areas for the guest team and the home team. Secondly, access point ports are treated separately for as long as the access points are connected to the infrastructure.
“Time and again, we encounter potential customers who are worried about the work that the implementation will involve based on their past negative experiences. But our NAC solution is simple to implement and quickly provides an overview of all endpoints in the network. This visualization is already a quick win. The solution is pretty much intuitive for an IT administrator and offers diverse added value,” explains Christian Bücker, Managing Director of macmon secure GmbH.
One key way in which operating costs have been reduced is by eliminating the previous manual and time-consuming configuration of network connections for the different events held at the stadium. In addition to around 20 matches per season, some 200 external events are also hosted.
Automating the configurations minimized the number of helpdesk tickets and meant that the original network management solutions from the hardware manufacturers could be done away with. 1. FSV Mainz 05 e.V. uses three mechanisms for authentication: SNMP-NAC-based, MAC-based via RADIUS and 802.1X. The appropriate mechanism is applied depending on the port and the endpoint used. This process is consolidated in a menu in the macmon GUI and simplified so that the administrator only has to enter the correct VLANs. macmon NAC handles the rest in the background, so protocol-dependent settings are not required.
macmon NAC uses the MAC address and fingerprint to identify access points. Compliant access points communicate in their networks via the tagged VLANs on the switch port. macmon NAC registers within a second when an access point is removed, and the port is shut down immediately. If an access point is connected to a new port, macmon NAC sets the tagged VLANs so that the service set identifiers can communicate in the respective networks. If an access point is removed, macmon NAC removes all tagged VLANs previously set on the port for wireless communication and thus closes the tagged access to any networks on the port. For more information, see our Knowledgebase articles in the macmon service portal.
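The access point port handling described above, modelled as an added example that is not macmon code: the switch state is held locally instead of being pushed via SNMP, and the known AP inventory, fingerprint strings, VLAN ids and port name are all constructed values. It also shows the case the text implies but does not spell out, an endpoint that presents a known AP's MAC address but a different fingerprint, which receives no tagged VLANs.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed inventory of known access points: MAC address plus a device
# fingerprint (e.g. derived from DHCP/LLDP). Both values are invented.
KNOWN_APS = {"00:11:22:aa:bb:01": "ruckus-ap-hospitality"}

# Tagged VLANs that carry the SSIDs behind an access point (invented ids).
WIRELESS_VLANS = {11, 12, 20}


@dataclass
class SwitchPort:
    """Port state that macmon NAC would set on the switch (modelled locally)."""
    name: str
    enabled: bool = True
    tagged_vlans: Set[int] = field(default_factory=set)
    endpoint_mac: Optional[str] = None


def is_known_ap(mac: str, fingerprint: str) -> bool:
    """An endpoint counts as an access point only if MAC *and* fingerprint match."""
    return KNOWN_APS.get(mac) == fingerprint


def on_link_up(port: SwitchPort, mac: str, fingerprint: str) -> str:
    """Endpoint appeared on the port: tag the wireless VLANs only for a known AP."""
    port.enabled = True
    port.endpoint_mac = mac
    if is_known_ap(mac, fingerprint):
        port.tagged_vlans = set(WIRELESS_VLANS)
        return "ap-authorized"
    # Unknown device, or a known MAC with the wrong fingerprint: leave the port
    # without tagged VLANs so no wireless network is reachable through it.
    port.tagged_vlans = set()
    return "unauthorized"


def on_link_down(port: SwitchPort) -> str:
    """AP removed: strip every tagged VLAN and shut the port down immediately."""
    port.tagged_vlans = set()
    port.endpoint_mac = None
    port.enabled = False
    return "shutdown"


def simulate() -> list:
    """Walk one port through AP connect, AP removal and a mismatched reconnect."""
    port = SwitchPort("gi1/0/7")  # constructed port name
    log = [on_link_up(port, "00:11:22:aa:bb:01", "ruckus-ap-hospitality")]
    log.append(on_link_down(port))
    log.append(on_link_up(port, "00:11:22:aa:bb:01", "generic-laptop"))
    return log
```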
The use of macmon NAC meant that no existing switch manufacturer had to be eliminated, and the switch infrastructure already in place could be used seamlessly, with no conversion required. 1. FSV Mainz 05 e.V. uses the following managed systems, which also act as network devices toward macmon NAC: Aruba/HPE (formerly ProCurve) switches, Commscope/Ruckus access points (partly the hospitality version with LAN ports) and Microsens micro switches (for the cable channel). The Mainz-based club also uses non-managed PD switches from Netgear as well as cable drum switches from Pandacom, which, from a macmon point of view, act as endpoints.
Heterogeneous networks in different locations: not a problem.
Since it was introduced, macmon NAC has proved itself to be a reliable assistant on a daily basis and particularly on match day. In addition, using macmon NAC does not strictly require an appliance in each of the three locations; the external locations can also be served from the main location. An important question when planning a project is always: what level of security and scalability do you need if the connection to the external location is lost, and how critical is that scenario? If RADIUS-based authentication is not performed at the external location, a failure of the connection to it may be acceptable depending on the usage scenario. However, if a company wishes to use RADIUS-based authentication there as well, it makes sense to have an appliance at the external location. In the case of 1. FSV Mainz 05 e.V., the three locations in Mainz are connected by means of an edge- and node-disjoint dark fiber ring, meaning that the redundant macmon nodes in the central data center are sufficient.
Challenge: Devices that do not send any data packets to the network themselves and therefore cannot be authenticated.
- Example: Admission ticket printers and EC terminals
- Solution: Conversion of the devices from a fixed IP configuration to DHCP, configuration of “home” telephony (rule updates) to maintain the authentication timers, and the introduction of MAC pinning.

- Example: Notebook computers
- Solution: Change of the VLAN architecture from the previous connection-type assignment (VLAN1=LAN, VLAN2=WLAN) to user-group assignment (VLAN11=administration, VLAN12=contract players, etc.).

Challenge: Securing the access point connection and, at the same time, ensuring the hospitality functions (with up to four downlink ports per access point).
- Solution: Definition of the access points as an endpoint and, at the same time, as a network device.
The second stage of the project at 1. FSV Mainz 05 e.V. will involve subjects such as comprehensive reporting of the monitoring data collected in the network and the representation of network events. These include, for example, security aspects such as the appearance of known devices at unusual times or the highlighting of attacks such as ARP spoofing or MAC spoofing.
Karsten Lippert had the following to say: “In addition to the classic benefits of a solid and flexible solution for network access control, highly flexible connection options from third-party providers are available via the REST-API open interface for various solutions for our digitization projects. macmon secure is also already working on expanded usage options to make macmon NAC even more effective in the AWS cloud and in the Azure cloud. This will undoubtedly make our project a reference solution for other football clubs.”
Summary by Karsten Lippert:
The introduction of macmon at our club was driven by the increase in network access control. We have also gained a solution, which – thanks to its high degree of automation – enables us to offer new services for fans, customers and partners without having to provide additional personnel.