Case Study uniVersa
Implementation of the Network Access Control solution macmon NAC at uniVersa
Company Profile
uniVersa Versicherungen is a group of companies with a long tradition and extensive experience. Its origin goes back to 1843, the year in which uniVersa Krankenversicherung was founded – the oldest private health insurance company in Germany.
uniVersa emphasizes individual pension solutions and focuses on long-term customer benefits and high service quality. In addition to customer satisfaction, maintaining entrepreneurial independence plays a central role in the company's philosophy. The IT department of uniVersa Lebensversicherung a.G. has dealt intensively with the issue of network access control in the interests of precaution and security.
Various solutions were considered on the basis of the company's internal requirement description, which covers a central administration, distributed locations and a field service structure.
Key Facts about Case Study uniVersa
Biggest challenges:
- Distributed locations and field service structure
- Security solution for all device classes
Reasons for macmon NAC:
- Manufacturer-agnostic
- Agentless functionality
- Mixed operation of SNMP and 802.1X
- High availability
- Web-based graphical user interface
Successes with macmon NAC:
- Effective introduction of Network Access Control in 5 project days
- Smooth connection of existing and further systems
The requirements
A key aspect of the requirements was a manufacturer-agnostic solution, so that operation with the existing network components (switches, routers, etc.) can continue. The future solution should also work if individual components or a complete system are changed. Accordingly, products that do not require the use of additional network components or even collectors, etc. were preferred. In addition, the main requirement was to support open standards so as not to create a stand-alone solution.
Furthermore, the NAC solution must operate independently of device classes such as printers, PCs, card readers and other special devices and enable the operation of two endpoints on one port (e.g. PC and VoIP telephone). The use of an additional agent should be avoided at all costs due to the many different systems. To take the distributed structure into account, the solution had to meet all requirements for both the head office and all branch offices, whereby the necessary internal communication between the components had to be encrypted. Another key point was the requirement that the future NAC solution could also be operated in "mixed mode", i.e. enabling the authentication of endpoints using MAC addresses, certificates (via 802.1X) or other methods at the same time.
In addition to these many important functions, the basic operation was also defined in more detail. Accordingly, the system must be a virtual server, highly available and operable via web GUI. If a system failure occurs, it must not hinder the operation of uniVersa under any circumstances. The different operating modes such as "monitoring only", "learning", "simulation" and "active" should enable a step-by-step implementation. Another important requirement was that guest access and private endpoints can be managed with a suitable ticket management system to secure WLAN and wired connections.
The selection
Based on the extensive catalogue of requirements, various manufacturers of NAC solutions were approached and invited to present their products at uniVersa, depending on their fulfillment of the catalogue. In this context, various manufacturers presented their products to the project team. In addition to the differentiated pricing, the approaches and technologies used by the providers were also very different. The German manufacturer macmon secure was able to stand out thanks to its intelligently simple concept and the comparatively faster implementation of its NAC solution.
During the selection process, the functions of the various solutions were weighed up against each other. The aim was to be able to take the tested product directly into company-wide productive operation after a test phase. Based on the existing findings, the well-founded outlook for further developments and considering the experience from reference installations, macmon was ultimately chosen as the favorite.
Michael Herbig, Project Manager, uniVersa
"The lower implementation effort compared to the competition convinced us."
macmon estimated a time frame of 2 days for the PoC. A virtual appliance was used to commission the system and set up the network within a short amount of time. On the first day, the configuration of macmon had already progressed so far that it would have been possible to activate the NAC solution. Only the endpoints detected in the network still had to be categorized, and the configuration of a few uplink ports, which were not automatically detected, had to be checked. The configuration of MAC authentication bypass on the switches and the test of the guest portal using MAB in the WLAN area were also carried out successfully. To the delight of the uniVersa project team, the integration of the guest network via WLAN including 802.1X authentication was possible. A bug discovered in a special configuration of the remediation VLAN was fixed on the same day by the developers of macmon secure GmbH.
At the end of the first day, following these results, it was decided that the second planned day on site was no longer required. In addition to the planned steps, the first tests with macmon's multiple compliance could already be carried out.
The simple handling of macmon NAC and the successful introduction to the system by a macmon consultant, in combination with the know-how already available in the uniVersa project team, made it possible for uniVersa to run all further test scenarios without macmon support. A test phase of approx. 4 more weeks was carried out to observe the ongoing operation.
Michael Herbig, Project Manager, uniVersa
"We were surprised that it was possible to effectively introduce Network Access Control within 5 project days."
Christian Knauer, Network and Communication Technology, uniVersa
"Connecting our existing systems for policy enforcement is a great opportunity that we will continue to expand."
The intuitive and simple use of macmon was a key factor in the decision-making process, the implementation and the ultimately successful completion of the project. The quick response of the macmon secure GmbH team to requirements and the uncomplicated, direct coordination with the German manufacturer supported the smooth process.
Network Access Control was implemented successfully and with relatively little effort, even in a distributed environment such as the one at uniVersa with a wide variety of endpoints.