HARTING's Local Networks now monitored by macmon, the NAC Solution

The HARTING Technology Group, competent in the areas of coupling, transmitting and networking electrical, electronic and optical signals, has specialized in developing custom solutions to couple and relay electrical energy and electronic data. Areas of activity are NC machines, railway technology, wind energy systems, and telephony. HARTING also manufactures electromagnetic components for the automotive industry and specializes in developing housings, cabling systems and automated sales systems. HARTING employs over 3200 staff worldwide. Turnover for the business year 2007/08 (as per 30.09.2008) was 385 million Euro.

After implementing the macmon automatic Network Access Control system, the world's leading manufacturer of industrial coupling devices has gained a full overview of nearly 3000 end-user devices. The access control system monitors five network segments at its Espelkamp headquarters as well as five networks abroad. Special attention is devoted to the numerous mobile systems, whose movements within the company premises could until now only be tracked imprecisely. Now the administrator can determine any device's status and current location up to the minute, as well as whether or not the device is authorised to access the network. Illegitimately introduced devices are automatically locked out by blocking the corresponding access port.

Key facts about the HARTING case study

Biggest challenges:

  • Permanent availability of manufacturing and industrial networks
  • Older operating technology
  • High fluctuation of network participants due to external service providers


Reasons for macmon NAC:

  • manufacturer-agnostic
  • Operation via SNMP possible

Successes through macmon NAC:

  • Clear localization of mobile systems in operation
  • Network access control solution for 30 locations worldwide


Protection of networks in the manufacturing area to avoid production loss due to network failure

Jens Wandelt

HARTING Technology Group


“Such alien devices, unexpectedly introduced to a production network, pose a constant threat to servers often running under vintage OS versions for which there are no current security patches available.”



HARTING's initial situation was typical for many enterprises. Without proper Network Access Control, the corporate administrative and production areas risked being paralyzed at any moment by an attack launched from within the local network. Apart from internal service staff, who may connect a device to the HARTING network for maintenance purposes from anywhere within the corporate premises, external contractors, technicians and support staff may require access to production network segments for their notebooks.

The system administrator at the HARTING Technology Group in Espelkamp had therefore been looking for a system “that allows a simple protection of networks from within” when he came across an article on macmon in an IT magazine. Due to the heterogeneous network infrastructure at HARTING, proprietary NAC systems could not be considered. Even the IEEE 802.1X standard was no option, since not all deployed devices supported it, and it is also very complex to administer. “By identifying devices through their MAC address, macmon presented itself as a universally adaptable, uncomplicated solution,” Wandelt remembers. After he contacted mikado, macmon's developer, the rest followed quickly: it took only half a year from the initial product presentation to macmon's productive operation in the HARTING network.


Surprisingly simple implementation

At the Espelkamp headquarters, macmon was installed on a central Windows Server, with Microsoft SQL Server as the database. Wandelt fondly remembers the implementation and startup phases. “With a mikado specialist present we were able to carry out installation and training in a single day.” The initial challenge was to bring around 60 switches with over 1200 attached devices, distributed across five buildings, into the monitoring scheme. The devices comprised PCs, iPhones, scanners and printers as well as assembly line robots and NC devices. For this initial implementation, data on the various switch models was imported directly from an Excel file supplied with macmon. Much of the data required to populate the reference list could be extracted from files included in the macmon installation pack.

“During the initial phase, macmon was able to detect a number of unknown devices in the network that had not been documented in asset lists. Once locations and device names were available, this information could be entered into the NAC system.”



Assigning the industrial machinery present in the network to device types was somewhat more elaborate, since no DNS names were predefined for it. On-site inspection of these devices was required to identify them uniquely. “The initial set-up phase was concluded after two weeks, and since then the system has been operating reliably, causing little administrative or support effort.” A subsequent replacement of Cisco and 3Com network components by HP equipment was also accomplished easily.

Automation is Welcome

macmon polls the switches, which it knows by their DNS names, at two-minute intervals. Upon detecting an unauthorised MAC address at any switch port, macmon automatically blocks the port and sends a notification e-mail to the help desk system.

Jens Wandelt

HARTING Technology Group


“macmon is a quickly implemented, efficient and easily manageable tool. We employ it at our Espelkamp head office and in our subsidiaries at over 30 sites worldwide.”


After a blocking time of 15 minutes, the port is automatically unblocked again. If the unwanted subscriber is still there, the port is blocked again. Otherwise, the connection can be used again immediately by an authorized device. “So nobody has to intervene,” says Wandelt, explaining the advantage of the deliberately chosen event control. He sees a further advantage of macmon in the fact that “it is a passive system”. If the monitoring fails, no other application is affected. “In contrast, with other NAC concepts that work on the basis of 802.1X, for example, there is a risk that if the authorization system (e.g. the RADIUS server) fails, the entire network will be affected as no more devices can be connected,” explains Wandelt.
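The polling, blocking and unblocking cycle described above, modelled in Python as an added example (this is not macmon's code): a MAC allowlist is checked against what each switch reports every two minutes, an unknown MAC closes the port and raises a help-desk event, the port is reopened after 15 minutes, and it is closed again only if the device is still there. The switch name, port name, MAC addresses and the dict-based switch read are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

POLL_INTERVAL_MIN = 2    # switches are polled every two minutes
BLOCK_DURATION_MIN = 15  # a blocked port is reopened after 15 minutes


@dataclass
class PortState:
    blocked_until: Optional[int] = None  # minute at which the current block expires


class MacNac:
    """MAC-allowlist enforcement; switch reads are modelled as plain dicts (assumption)."""
    def __init__(self, allowed_macs):
        self.allowed = {m.lower() for m in allowed_macs}
        self.ports = {}   # (switch, port) -> PortState
        self.events = []  # (minute, kind, switch, port, mac)

    def poll(self, minute, attached):
        # attached: {(switch, port): mac-or-None}, what the switch would report via SNMP
        for key, mac in attached.items():
            state = self.ports.setdefault(key, PortState())
            if state.blocked_until is not None:
                if minute < state.blocked_until:
                    continue  # block still active; the port is not re-evaluated
                state.blocked_until = None  # 15 minutes elapsed: reopen the port
                self.events.append((minute, "unblock", *key, None))
            if mac is not None and mac.lower() not in self.allowed:
                # unknown MAC on a live port: shut the port and raise a help-desk ticket
                state.blocked_until = minute + BLOCK_DURATION_MIN
                self.events.append((minute, "block", *key, mac))
                self.events.append((minute, "notify-helpdesk", *key, mac))


def simulate(rogue_until=20, authorised_from=34, end=40):
    """Constructed scenario: an unknown device sits on one port until minute
    rogue_until, then an authorised device is plugged in from authorised_from."""
    nac = MacNac(allowed_macs=["00:11:22:33:44:55"])  # constructed allowlist entry
    port = ("sw-hall3-01", "Gi1/0/7")                  # constructed switch and port
    for minute in range(0, end + 1, POLL_INTERVAL_MIN):
        if minute <= rogue_until:
            seen = "de:ad:be:ef:00:01"                 # constructed unknown MAC
        elif minute >= authorised_from:
            seen = "00:11:22:33:44:55"
        else:
            seen = None
        nac.poll(minute, {port: seen})
    return nac.events
```

With the default scenario the unknown device is blocked at minute 0, found still present and blocked again at the first poll after the 15-minute expiry (minute 16), and the port is simply reopened at minute 32 once the device has left, without any administrator action.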

New end devices are simply authorized by the IT department's desktop service via a learning port set up there, without using the macmon interface. If this is not possible, the department reports the relevant data to the IT department before commissioning, which enters it manually into the system. The locations of the devices are also maintained with macmon. This data is of very good quality, as macmon recognizes relocations immediately and then reminds the user that the location documentation needs to be adjusted.


macmon International Deployment

Following the successful introduction of macmon at the Espelkamp headquarters, the rollout to subsidiaries began. The HARTING Technology Group's international network spans over 30 sites, with network segments interconnected via VPN. Local networks in five subsidiaries are already being protected by the NAC appliance at the Espelkamp office. Learning ports are available there to introduce new devices.

If desired, new devices abroad may also be authorised by the IT department in Espelkamp. The number of devices already monitored by the central server exceeds 3000. User satisfaction is high. According to Wandelt, “macmon is an efficient and mostly hands-off tool that can be rapidly deployed”. Its hassle-free operation in subsidiaries abroad only confirms this impression anew.

Outlook

For access-rights reasons, macmon is currently installed centrally with a separate instance for each subsidiary. “With the upcoming multi-client capability, however, macmon needs to be installed only once,” is how Wandelt describes the simplification the new feature will bring to site-spanning administration.


© macmon secure GmbH