Date post: | 05-Dec-2014 |
Category: |
Technology |
Upload: | phanumars-thuanthong |
ViaScope Integrated IP Network Management Solution Provider
Agentless Network Access Control & IPAM Solution
By nForce Security System AP
Reference
More than 1400 customers are already using IPScan

Korea
Samsung Electronics (HQ, Semiconductor, Mobile phone, LCD, Appliance etc., 300,000 license), LG Electronics (worldwide 53 countries), KT (Korea Telecom nation-wide network, 800 sites), LG-Philips, Philips Electronics, Citi Bank, Allianz, Prudential, ING life, Kookmin Bank, Shinhan Bank (1,100 sites), Samsung Securities, LG-Caltex Oil, Hyundai Heavy Industries, SK C&C, Hynix-Semiconductor, LG Telecom, Korea Telecom FreeTel, University, 200 Government offices, etc. (1,000 customers)

Japan
Toyota Motor Corporation (100,000 license), Matsushita Electronic Industrial Co., Ltd (Panasonic), Sony EMCS Corporation, Mottox Inc., NYK Systems Research Institute, Denso, Nabtesco Corporation, Gihuken Police, Arakawa Chemical Industries Ltd., Aichi Steel Corporation, Toukei Computer Co., Ltd., Jupiter Programming Co., Ltd., Nissho Electronics Corporation, Daiko, Argo21 Corporation, Nomura Living Support Center, Eizo Nanao Corp, Aisin AI Co., Ltd., PFU Limited, Nihon University, Matsushita Electric Works, Nipro Corp, Misawa Home Holding.

China/Taiwan/Hong Kong
Alcatel Lucent, LG China, Mega International Commercial Bank, B&Q Corporation, Shinkwong Fabric, Chinese Gamer International, Ministry of Foreign Affairs, Japan Research Institute, Misawa Homes, Fujitsu Chubu Systems, Toppan ChungHwa University, Shanghai Stock Center, Beijing Institute of Petrochemical Technology, etc. (200 customers)

South East Asia
Philippines : Bank of Commerce, Bureau of Treasure, LG Electronics, Allied Bank / Thailand : EGAT (Electricity Generating Authority of Thailand), MWA (Metropolitan Water Authority of Thailand), BankThai, WDC, Road Accident Victims Protection, NCB, PAT (Thailand), Tun Hussein Malaysia : WDC Malaysia, Denso Malaysia, Malaysia National Security Division/Prime Minister Department, IPPM, INSPEN, MASTIC, UKM / Singapore : Philips Electronics, Walton International, BSC / Indonesia : AMFG, BIN / Hong Kong : WKK Corporation, Emperor Group, HUKM, TNT Express, WKK Holdings / Brunei : Ministry of Foreign Affair, Bani Islam bank, etc.

America / Europe
USA : Deluxe Digital Studio, City of Los Angeles, Station Casinos / Las Vegas, HanmiBank, ScanHealthPlan, Samsung America / Mexico : Samsung Mexico, Dynamic Communication, etc. / Brazil : Samsung Brazil / Norway : Norwegian Customs and Excise, BKK, Norwegian School of Veterinary Science, Ministry of Defense, Norwegian Defense Logistics Organization, Government Administration Services, Ministry of Culture and Church, Ministry of Education and Research, Elis AS, Hejmme Mortensen, The Norwegian Public Service Pension Fund, Norwegian Ministry of Fisheries and Coastal Affairs, Diakonhjemmet Hospital / Sweden : Sanofi-Synthelabo AB, Lesjofors AB, Swedish Institute for Infectious Disease Control, etc.
Reference Sites - More than 500 customers are already using IPScan
HUKM
Thailand Reference Sites
In your network
[Diagram: Authorized Clients (DHCP or Fixed mode); AD Server 192.168.0.2; Mail Server 192.168.0.1; VAM Server 192.168.0.3; Guest (Static address) 192.168.0.2; Guest under policy. IPAM Server found IP Conflict: Not BLOCK !!!]

Best practices
[Diagram: Authorized Clients; AD Server 192.168.0.2; Mail Server 192.168.0.1; VAM Server 192.168.0.3; Guest (Static address) 192.168.0.2; Unauthorized Clients With Access Time Control. IPScan: BLOCKING New MAC, BLOCKING IP Conflict.]
Static VS Dynamic
| Feature | Static | DHCP | DHCP + Secure |
| User can change IP Address | Yes | Yes | No |
| Real time data update (MAC, IP, Host) | No | Yes | Yes |
| Easy to change and deploy address to clients | No | Yes | Yes |
| IP conflict monitor | No | Yes | Yes |
| Stop IP Conflict | No | No | Yes |
| Easy to find source / destination of IP Conflict | No | No | Yes |
| Block to new Host connection | No | No | Yes |
| Limited time for connection | No | No | Yes |
| Host registration | No | Yes | Yes |
| Switch Port Monitor | No | Optional | Yes |
Questions for IP Management
• How many active devices are connected to your network?
• How do you manage your IP addresses? (Spreadsheet, paper based, etc.)
• How many devices are no longer in use? Relocated? Offline? Can you keep track of the changes?
• Do you assign static IPs to users? What happens if the users change the IP?
• Can you keep track of the changes? Can you prevent users from changing IP addresses?
• What happens if users start conflicting IPs with each other?
Current Problems
IP address Management problems

There are some IP address management solutions on the market, but no solutions for static IP address or static/DHCP mixed environments.
It is painful to manage IP/MAC manually in a spreadsheet such as an Excel sheet.
IP managers face increasing difficulty updating the IP/MAC address usage status of all devices in the network (online/offline, unused, change, add, etc.).

Common DHCP problems:
• Unauthorized multi DHCP Server issues
• A static IP address in the DHCP pool causes problems.
• A DHCP Server based solution cannot control each IP/MAC address. It is just an IP assignment device.
• A DHCP Server can assign the same IP to the same MAC each time, but this policy is not effective when there is an IP conflict, etc.
• It is critical when the DHCP Server has a failure, etc.

Static IP problems:
• Cannot prevent PC users from changing IP address
• Cannot prevent the "IP duplication" problem, and it sometimes causes big problems
• Unused IP address space creates security problems, but it cannot be disabled.
• Devices not used for a long time, etc.
[Diagram: DHCP pool area and static IP assigned area, with labels: DHCP IP, unused IP, temporary IP, unauthorized user, static IP, DHCP server, unauthorized DHCP server, IP conflict, IP change.]
NAC Current Problems
[Diagram: Internet; Router; in-line NAC; 802.1X switch required; 802.1X agent (OK); non-802.1X agent; 802.1X agent installation issue; Health Check Agent; network servers and devices; Anti Virus Server; Patch Server; AAA.]
Too complicated, Too expensive, Too difficult to implement
Current Problems
NAC problems
• No single set of standards – many approaches to NAC
• Low adoption rates of NAC related technology such as 802.1X - Complexity
• Cost of replacements or upgrades of major network components is too high
• Agent installation issue in host based NAC
• Difficult to manage non-802.1X devices such as printers/non-Windows
• Inline installation or port mirroring requirement in network based NAC
• Difficult to integrate with anti-virus, patch management, etc.
NAC Comparison
| Feature | Inline | Agent | Agentless | IPScan |
| Require 802.1X | No | No | Yes | No |
| Need to install agent to clients | No | Yes | No | No |
| Easy to deploy to unmanaged switch | Yes | Yes | No | Yes |
| Require switch port mirror | No | No | Yes | No |
| Control all devices (PC, Notebook, Network device) | No | No | Yes | Yes |
| Protection of IP/MAC of important device | No | No | No | Yes |
| Block static address access to network | No | Optional | Optional | Yes |
| Limited broadcast packet | No | Yes | No | Yes |
| Need to join Domain Controller | No | Yes | No | No |
| IP / MAC blocking by administrator | No | No | No | Yes |
| Out of Range Blocking | No | Yes | No | Yes |
| Limited time control | No | Yes | No | No |
Products of Viascope

IPScanXE5.0 (Enterprise Solution for distributed environment)
IPAM + DHCP Server + Layer 2 Network Access Control System (Server + Management Console + DBMS + Probe)
• Integrated IP/MAC Management & Secure DHCP Server
• Control Unauthorized IP/MAC, Prevent IP duplication
• Layer 2 Network Access control
• Ideal for both Static & DHCP IP
• Target from small to large enterprise (more than 100,000 users can be managed by a single IPScan Server)

Viascope Smart IP1000 (Appliance type for SMB)
IPAM + DHCP Server + Layer 2 Network Access Control Appliance (manages up to 1000 users / distributed environment is not supported)
Viascope Smart IP - IPScan appliance model for SMB
All-In-One Appliance
- Manage up to 1000 users
- IP/MAC Management / DHCP Server / LAN Access Control / Network Inventory
- Simple Deploy (Plug&Play) & Easy GUI (Web Access)
- Cost Effective
IPScan XE5.0
IPScanXE 5.0: Enterprise Solution for distributed environment
- Management software that controls all IPScan Probes in the IT Center
- Designed for Enterprise Environment / Comprehensive Features
- Sold by number of intranet IP addresses (250 users to 100,000 license)
- Full Redundant Configuration (Server/Probe) support

IPScan Components

IPScan Server
Communication server program for IPScan Console, IPScan DB Server, IPScan Probe connection
Sends out IPScan Console defined IP policies to IPScan Probe
Need to buy: a bundle of 250 online user license (Perpetual)

IPScan Console
User interface program for administration
Multiple Console support / User permission control
Enforce network policy & IP/MAC monitoring information
It comes with the IPScan Server license

DBMS with PC Server (Not provided by ViaScope)
Supports MySQL, MS SQL2000/2003/2008 Server (Recommended), Oracle 9i, 10g
Database storage for IP/MAC address table, Policy, IPScan Change History, IP Conflict, User Data, and various event storage
IPScanXE 5.0 Probe
- Dedicated H/W with embedded engine to collect information within the segment & enforce policies.
- Multi Probe type support for HQ, Regional office and Branch.

IPScan Probe Model
IPScan Probe 50: Up to 50 Online device
IPScan Probe 100A: Up to 500 Online device
IPScan Probe 200: Up to 1,000 Online device
IPScan Probe 600R: Up to 2,500 Online device
IPScan Probe 1000R: Up to 5,000 Online device
Network Diagram
[Diagram: IPScan Server with DBMS and IPScan Console; IPScan Probe 1000R (Up to 5,000 Users) with Built-In DHCP Server; Probe 100A (Less than 500 users); Probe 50 (Less than 50 users); Server VLAN; User VLAN; LAN / Wireless LAN; Access Point; Routers; Server; Users; Unauthorized User: BLOCKING.]
How to Implement?
Do not change existing network environment
Do not install any agent software
Do not use ID & Password
Do not depend on any network vendors
Do not affect the network when IPScan has a problem
[Diagram: switch with port1 to port8; uplink to router; wireless access point (bridge mode).]
Just connect the IPScan Probe to a normal switch port in a flat network (no VLAN)
Enable "802.1Q trunk" on the connected switch port to monitor/control multiple VLANs, or connect a Probe in each VLAN
Connectivity
Unmanaged / Managed Switch (Core, Distribution, Edge) or Hub
IPScan Probe
IPScan Server with DBMS and IPScan Console
ARP Monitoring/ARP Control
How IPScan works?

Devices shown:
| IP | MAC | Role |
| 192.168.0.100 | AA:BB:CC:DD:EE:11 | Server/Static IP (IP Protection) |
| 192.168.0.101 | AA:BB:CC:DD:EE:22 | Manual LAN Access block (MAC block) |
| 192.168.0.102 | AA:BB:CC:DD:EE:33 | DHCP client or Non Policy enabled IP/MAC |
| 192.168.0.100 | BB:CC:DD:11:22:33 | New MAC or IP conflicting device |

IPScan Memory: IP/MAC address Registration DB (IPScan IP/MAC table Policy)
| IP | MAC | Policy |
| 192.168.0.100 | AA:BB:CC:DD:EE:11 | Protection |
| 192.168.0.101 | AA:BB:CC:DD:EE:22 | MAC block |
| 192.168.0.102 | AA:BB:CC:DD:EE:33 | None |
| 192.168.0.103 | None | IP Block |
New MAC block

[Diagram: IPScan Server & Console; IPScan Probe 100A with Built-in DHCP Server; Logical Broadcast Domain; ARP monitoring / ARP control; Registered DHCP client; New MAC: BLOCKING.]
Static IP protection, Unused IP address blocking, IP-MAC binding
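The IP/MAC table above, applied to observed ARP sender pairs, as an added example (not ViaScope code): the policy names, the decision order and the `evaluate` function are assumptions, and the registry rows are built from the addresses on the slide.

```python
# Added example (not ViaScope code): evaluate observed ARP sender pairs
# against an IP/MAC registration table. Policy names and the decision
# order are assumptions modelled on the slide's table.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    ip: str
    mac: Optional[str]  # None: no MAC registered for this IP
    policy: str         # "protection", "mac_block", "ip_block" or "none"


# Registry rows constructed from the addresses shown on the slide.
REGISTRY = [
    Entry("192.168.0.100", "aa:bb:cc:dd:ee:11", "protection"),
    Entry("192.168.0.101", "aa:bb:cc:dd:ee:22", "mac_block"),
    Entry("192.168.0.102", "aa:bb:cc:dd:ee:33", "none"),
    Entry("192.168.0.103", None, "ip_block"),
]


def evaluate(ip, mac, registry=REGISTRY, block_new_mac=True):
    """Return (verdict, reason) for one observed ARP sender IP/MAC pair."""
    mac = mac.lower()
    by_ip = {e.ip: e for e in registry}
    by_mac = {e.mac: e for e in registry if e.mac}
    owner, entry = by_mac.get(mac), by_ip.get(ip)
    if owner and owner.policy == "mac_block":
        return "block", "MAC manually blocked"
    if entry and entry.policy == "ip_block":
        return "block", "unused IP blocked"
    if entry and entry.policy == "protection" and entry.mac != mac:
        return "block", "IP conflict with protected address"
    if owner is None:
        if block_new_mac:
            return "block", "new MAC"
        return "allow", "new MAC permitted"
    if owner.ip != ip:
        return "alert", "registered MAC changed IP"
    return "allow", "matches registration"


if __name__ == "__main__":
    # Constructed observations, including the conflicting device from the slide.
    for pair in [("192.168.0.100", "AA:BB:CC:DD:EE:11"),
                 ("192.168.0.100", "BB:CC:DD:11:22:33"),
                 ("192.168.0.150", "CC:00:00:00:00:01")]:
        print(pair, evaluate(*pair))
```

The protected-address check runs before the new-MAC check, so a conflicting device is reported as an IP conflict even when new-MAC blocking is switched off.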
How IPScan works?
IPScan with 3rd Party DHCP Server
Easy implementation for the current DHCP Server environment with visitor control
IP Management without DHCP server
[Diagram: IPScan Probe; DHCP Server; DHCP Requests; DHCP; BLOCKING; Static IP area.]
How IPScan works?
Built-in Secure DHCP Server
Need to replace existing DHCP Server, but it provides a more managed and secured DHCP environment
- Instant New MAC Blocking OR Temp IP allocation
- Mission critical IP protection (IP conflict protection), Unused IP address blocking, IP-MAC binding, etc.
[Diagram: Built-In DHCP Server; Authorized DHCP Pool; Unauthorized DHCP Pool; Registered DHCP client; New DHCP client; Static IP area.]
Only supported in IPScan
Summary
- Perfect inventory solution for all network IP devices
- Protect mission critical systems from IP conflict: server farm, manufacturing device, static IP address, etc.
- Increase wired/wireless network access security
- Increase DHCP network security
- Quick & easy action for worm-virus infected PC
- Remote branch network access monitoring & access control
- Easy PC management: all users have to follow network policy
- All-in-One solution: IPAM (Static/DHCP) + NAC Enforcement + Duplicate IP protection + Net device Inventory + Switch Port Monitoring/Control + more…
- Easy-to-Deploy: Agentless, Unmanaged Switch Support, Vendor independent
- Less investment with more features
- Technically proven with 1,600 large companies since 2001
Case Study
- Samsung Electronics (150,000 user licenses)
[Diagram: R&D / Office Center and Factory sites; Probe100 (old model, less than 250 active IP addresses); Probe600 (less than 2,500 active IP addresses); distribution switches with VLANs (labels include VLAN1, VLAN2, VLAN3, VLAN 6, VLAN 7); 802.1Q trunks to backbone switch/router.]
Features
- Auto IP/MAC Inventory: Online, Offline, Unused IP/MAC address
- Real-time IP/MAC events (User Description)
- IP/MAC Details
- Unused IP Blocking
- Unauthorized / Rogue IP/MAC Detection & Blocking
- Blocked IP/MAC list details and easy unblocking
- IP/MAC Grouping: Logical Grouping, Physical Grouping, IP based Grouping, MAC based Grouping
- Switch Port (L1) - MAC (L2) - IP (L3)
- Authorized / Unauthorized DHCP Pools: Temp user control, New MAC blocking, etc.
- Access Time Control: Access time for MAC / IP, Expired IP/MAC blocking
- Customized Blocking Message
- IP Change Control
- Broadcast storm detection
- MAC Authorization
- Out of Range IP blocking
- Policy Simulation mode
IPScan XE VS SmartIP 1000
| Feature | IPScanXE | SmartIP1000 |
| Agentless | Yes | Yes |
| Component | DB/Server/Console/Probe | All-in One appliance |
| User Interface | Client-Server | Web-base (SSL) |
| Network Setting | Serial port / GUI | Serial port / GUI / LCD |
| Coverage | Unlimited users | 1000 users / unit |
| Switch port Control | Yes | No |
| DHCP IP pool | Authorized / Un-authorized | Authorized |
| WAB support | Yes | No |
| Centralized Management | Yes | No |