Since 2006 BSR have been reliably protecting their heterogeneous IT network with macmon

Since 2006 Berliner Stadtreinigung have been relying on macmon, macmon secure GmbH's NAC solution. Result: Comprehensive transparency regarding all devices in the network, significant reduction of administrative effort and reliable protection against current threats.

With a staff of over 5,300 and a yearly turnover of 485 million euros, Berliner Stadtreinigung is one of the largest communal waste disposal enterprises in Europe. Their IT landscape currently comprises around 2,300 users, i.e. around 2,000 desktop PCs, 600 notebooks, 600 printers, over 300 servers and 320 switches of varying provenance. Furthermore, around 200 disposal and road sweeping vehicles supply tour data via WLAN. Currently, macmon manages 4,500 MAC addresses, of which around 3,500 are concurrently active on average.

Key facts about the BSR case study

Network security challenges:

  • Heterogeneous IT network

Reasons for macmon NAC:

  • Manufacturer-agnostic
  • Easy integration and administration
  • Demand-oriented network security

Successes with macmon NAC:

  • Transparency in the network
  • Reduction of administrative effort
  • Avoidance of duplication of work through import interface to CMDB
  • Reliable protection against current threats

Localisation and monitoring of all devices in the network – including those without 802.1X capability

The decision to implement macmon was triggered in 2004 by an auditor's demand to be furnished with network access. The initial plan was to introduce the IEEE 802.1X network protection standard.

Frank Basler GE Information Technology IT-Services

Berliner Stadtreinigung


“We quickly realized this standard's limitation, since printers and IP telephones are not supported satisfactorily.”



After an initial evaluation of various competing products and an extensive test phase, BSR opted for mikado soft gmbh's NAC solution. “The results convinced us. Our expectations regarding a security solution which was to be easy to install, easy to integrate and to administrate were convincingly fulfilled. The network protection afforded by macmon fits our requirements. Since macmon supports current standards and renders manufacturer-independence, it is best suited to monitor our heterogeneous switches.”

Frank Basler GE Information Technology IT-Services

Berliner Stadtreinigung


“macmon has been in continuous satisfactory service since 2006, and has given us transparency over our network. Complex information is accrued and we are able to detect relocation of devices or printer failures. Even a replaced PC motherboard or network interface card is reported.”

Upon detecting an unauthorized device in the network, macmon can be configured via rule management to block the corresponding port. This function is active by default and the affected port is blocked for 20 minutes. This procedure will be repeated until the offending device has been removed, thus greatly reducing administrative effort and vulnerability to threats.

Frank Basler added: “macmon with its integrated CMDB-connector renders us manufacturer-independent and greatly reduces our administrative effort!”

Added value from the CMDB connector and Infoblox interface

All devices active in the BSR network are documented in a CMDB. The macmon reference list is therefore not populated and maintained manually, but automatically from the CMDB via an import interface, which reduces administrative effort. The procurement and change-management processes are already conducted according to ITIL at BSR, so the CMDB is a good source for the reference list. The introduction of ITIL3 will in turn entail feeding end-user device location data, as known to macmon, back to the CMDB, again enhancing data quality.

macmon supports device classification with the help of devices' IP addresses and DNS name resolution. Devices in remote branch offices initially posed a problem when reading ARP caches to resolve IP address association: their ARP caches could not be read via SNMP. This problem was subsequently solved with an interface to the Infoblox DHCP server. Thus, end-user devices' hostnames and leases are now available in the database.

“Migration from the then existing Linux-based system was effortless,” according to Frank Basler. “Migrating to Appliance has enabled us to configure even more network settings.”

The newly available “Footprinting” option offers even more transparency, in that device type and OS can be detected as well.


Outlook: WLAN support

macmon's upcoming support for WLAN is eagerly awaited by BSR, since returning vehicles report tour data via WLAN. This data is of high sensitivity, since BSR is required to archive it for a 15-year period. The BSR WLAN infrastructure is currently managed with proprietary solutions, and an integration with macmon would greatly assist in reducing administrative effort.

Bottom line:


“With macmon, BSR was able to avoid high investment cost and extended implementation duration. Network management has been decidedly enhanced. macmon operation is cost-effective, processes are automated, administrative effort is clearly reduced and IT staff are afforded transparency regarding all devices in the network.” Frank Basler, the responsible network project manager, sums it up.

© macmon secure GmbH