No Longer a Sisyphean Task
Volkswagen Foundation Invests in Streamlined Network Security Made in Germany
The Volkswagen Foundation is investing in macmon Network Access Control (NAC) to completely prepare its network for current and future security demands. At the same time, intelligent automation is relieving the load on IT employees.
The Volkswagen Foundation is an independent non-profit foundation incorporated under private law with a registered office in Hanover. Its overall funding volume of around €150 million per year makes it Germany’s largest private research-funding foundation and one of the country’s largest foundations overall. The organisation provides funds exclusively to academic institutions. Since it was founded more than 50 years ago, the Volkswagen Foundation has supported around 30,000 projects with a total sum of over €4.7 billion.
Old Systems too Rigid and Complicated
With just over 200 end devices (printers, desktop PCs and laptops) for 105 employees, the Volkswagen Foundation is a relatively small organisation. But as an important sponsor of training, science and technology for research and education, it bears a significant social and financial responsibility – which is why it requires the best possible protection against unauthorised access.
The Foundation had already implemented a Network Access Control solution from a US provider to protect its network access, the first and most important line of defence in data protection. However, this solution tied the IT team to its provider to a certain extent, making it difficult to update the infrastructure and flexibly adapt it to new requirements. Furthermore, support inquiries were a long and complicated process, as no local service team was available within Germany for direct contact.
Another problem posed by the old solution was the time-consuming operation and high level of complexity, as it was much too cluttered for the relatively simple infrastructure. This meant that even small changes required great effort and the management of the solution alone took up a significant part of the workday for the two in-house network administrators.
"The operation is so intuitive and self-explanatory that we no longer need any training courses. It is immediately obvious that macmon cooperated closely with its customers in the development of this solution, because as an administrator, you instantly know your way around and everything you need is exactly where you would expect it.“
Simple. Secure. In Just Four Weeks.
Changing the infrastructure over from VDX to ICX switches made it possible for the Volkswagen Foundation to throw off the shackles of the previous NAC solution. ICX switches, like most other switches, are compatible with the completely manufacturer-independent macmon NAC solution, which made it easy to change to the far more convenient German solution. As the solution of the Berlin-based technology leader functions independently of hardware, the Volkswagen Foundation IT team was able to freely build its environment from best-of-breed hardware and software to implement the level of protection that was just right for the organisation. In addition to the added functional values, the fact that macmon is completely developed in Germany and therefore poses no risks of hidden backdoors, which third parties could use to evade the security measures unnoticed, was an important factor.
Only four weeks passed between making the decision in favour of the macmon NAC version 5.3.0 and the complete replacement of the old solution. Following implementation, macmon was operated in reading mode alongside the old solution. In addition to the NAC basic module, the VLAN Manager module and the Graphical Topology were deployed.
During this first test phase, employees were able to familiarise themselves with the functions and the easy operation of the macmon solution. The IT team quickly realised that macmon is nowhere near as complicated as the old solution and is perfectly tailored to the requirements of the Volkswagen Foundation. The topological representation offers a complete overview and a large number of intuitive management options for all network devices in the network. The dynamic VLAN Manager won the IT team over with its high degree of automation and predefined set of rules, meaning that only a single additional rule had to be written.
Other network switches were connected step by step during the change-over until macmon was able to fully replace the old solution after only four weeks. Thanks to the preceding reading and learning phase, all devices were already classified in macmon, meaning it was nearly as easy as flipping a switch to transfer the new NAC solution into production mode.
"So far we haven‘t had a reason to contact the macmon support team – the solution is working perfectly. But we are certain that we will receive expert help in no time at all should we need to get in touch with them in future. After all, the macmon customer service is based at the headquarters in Berlin, which means that journeys are short and the right experts are always available even for complex issues.“
"Since we know that macmon provides high standards of quality and the solution is entirely developed in Germany, we are perfectly prepared for current and future security and data protection requirements with regard to the network.“
All-Round Protection with a Real Future
Nearly all manual management tasks for the IT employees have since been automated with macmon, leaving them free to focus on productive work while the NAC solution monitors the network in the background. If an unknown device attempts to access the network, it is automatically quarantined in a separate VLAN and the IT team is notified of the incident so that appropriate measures can be implemented immediately.
Purchasing new hardware components to keep using state-of-the-art infrastructure – which plays a central role, for example in compliance with the new data protection regulation (GDPR) – is no longer a problem, since the new solution functions independently of any manufacturer. Components can now be purchased purely to match specific requirements, for their quality and to meet the budget, without being tied to a third party’s price policy. This also leaves the organisation free to expand its system in any direction, should the Foundation grow in future.
The intelligent management functions enable the IT team to set up redundancies quickly and easily to prevent network failure in an emergency. In order to make security even more efficient, the Volkswagen Foundation introduced device authentication with the IEEE standard 802.1X using a RADIUS server in its network.
Access to the network is now granted on the basis of different criteria, such as the MAC address, username/password or certificate. The certificate is the highest level of authentication. Since access to the network is granted by the switch only after confirmation has been provided by the RADIUS server, there are no unused or non-secure ports – as recommended by the BSI. The ease of use of the solution makes it very quick to put into operation and also allows for easy switching to combined operation with and without 802.1X if required.
With macmon, the Volkswagen Foundation has transformed its Network Access Control from an irksome, awkward and Sisyphean task that prevented valuable IT resources from performing productive work into a central, future-proof and convenient security authority in the network.