Genian NAC
2018-08-23T09:45:32+00:00

Encompass IT Security Management and Operation

Next-Gen Network Access Control

Genian NAC provides network surveillance and performs ongoing compliance checks to ensure that all connected devices are automatically identified, classified, authorized, and given policy-based access control. It also provides all the major features that network managers expect, such as NAC-driven IP Address Management (IPAM), Desktop Configuration Management, complete security control over Wi-Fi access, automated IT security operation, IT asset management, and much more. Genian NAC offers both on-premises and cloud-based deployment options, providing for ease of deployment and ongoing management.

Device Platform Intelligence

  • Accurate Platform Detection
  • Cloud-based DB Improvement

Correlated Information

  • Network Node
  • IP/MAC Address
  • Switch Port
  • Wireless Access

Asset Management

  • Windows, MacOS Agent
  • Collect Desktop Information (OS, HW, SW, Peripheral)

Dynamic Grouping

  • Over 500 Conditions
  • Real-time Update

Network Access Control

  • Dynamic Group-based packet filtering
  • 802.1x RADIUS Server
  • IPAM, DHCP Server
  • Switch Port Control

BYOD & Guest Management

  • Captive Portal
  • Authentication
  • On-demand Registration

Desktop Management

  • Desktop Configuration
  • Windows Update
  • External Device Management
  • Wireless Connection Manager

IT Workflow

  • Enrollment (Device, IP, User)
  • Multi-Step Approval Process
  • IT System Integration

3rd party Integration

  • Syslog Server
  • REST, SNMP Trap
  • LDAP/AD, RADIUS, RDBMS

Customization

  • REST/SOAP API
  • Custom Field
  • Custom Agent/Web Admin Plugin

High Availability

  • Active-Standby
  • Database Replication

The Components of Genian NAC

Uses Layer 2-based network sensors without adding complexity
Operates completely out-of-band

A brain (Policy Server) with two handymen (Network Sensor and Agent) can fortify your entire network without disrupting existing network configurations.

All components can go into a single server except the Agent. The Network Sensor can be separated from the Policy Server to manage remote sites and achieve extended Wireless visibility.

Agents can be used as Wireless Sensors as well.

Genian Cloud

  • Review and refine device platform information via the cloud
  • Deliver the most accurate up-to-date device platform information to Policy Server on a weekly basis

Policy Server

  • Establish security policies based on Node information collected by Network Sensors and Agents
  • Distribute established policies to Network Sensors and Agents
  • Communicate with Network Sensors and Agents to secure access control
  • Integrate with user database and third-party security solutions

Network Sensor

  • Collect Node Information from network
  • Apply (or enforce) established policies from Policy Server to targeted Node (or Node groups)
  • Detect all SSIDs by listening to Wi-Fi signals
  • Identify who is accessing valid (enterprise-owned) APs, neighbor APs, or rogue APs
  • Support 802.1q Trunk Port

Agent (Optional)

  • Collect endpoint system information in detail
  • Execute policy enforcement as well as management tasks through the use of Plugins
  • Operate as a Wireless Sensor to provide wider and more in-depth coverage to detect any possible Wi-Fi activity such as Ad-hoc mode, SoftAP, and Tethering

Additional Key Features

Over 170 features are listed here; use a keyword (for instance windows, wireless, rogue, usb) to find the features you need.

* Cloud-managed version only supports the Basic and Professional editions

Columns: # | Feature | Description | Basic | Professional | Enterprise

1 General
1.1 Number of Devices Supported: Support up to 300,000 nodes for visibility and control (Basic: 300,000; Professional: 300,000; Enterprise: 300,000)
1.2 Number of Networks Supported: Support up to 20,000 segmented networks for visibility and control (Basic: 20,000; Professional: 20,000; Enterprise: 20,000)
1.3 Out-of-Band Configuration: Support out-of-band configuration for collecting node information and controlling network access
1.4 Infrastructure Agnostic: Deploy without changing the existing network topology and configuration
1.5 Manufacturer Agnostic: Operate without relying on vendor-specific networking devices
1.6 Single Management Console: Set up and operate all functions through a single management console
1.7 Web-based Management Console: Provide a web-based management console
1.8 Agentless Operation: Perform network access control functions without Agents
1.9 Agent-based Operation: Collect detailed information (e.g. h/w, s/w, peripherals) of endpoints and control the desktop configuration using Agents
1.10 Secure Communication: Exchange data through encrypted secure communications
1.11 Failure Safe: Suspend its function to prevent network service outages in the event of a system failure
1.12 High Availability: Provide a high availability configuration (Active-Standby)
1.13 Custom Web/Agent Plugins: Provide a customization service (Web UI and Agent plugins)
1.14 RESTful API: Provide a RESTful API to integrate with other systems
2 Node Visibility
2.1 Realtime Detection: Detect devices connecting to the network in real time
2.2 Layer 2 Network Sensor: Monitor network activities (e.g. ARP, DHCP) at Layer 2
2.3 Support 802.1Q Trunk Port: Support 802.1Q VLAN trunk ports to manage multiple VLANs
2.4 Support Channel Bonding: Provide channel bonding or link aggregation for connection to redundant switches
2.5 Node Information: Provide detailed information on detected nodes (e.g. IP, MAC, NIC vendor, connectivity, authentication)
2.6 Domain/Hostname Detection: Detect the NetBIOS domain/hostname of the network node
2.7 Open Port Scanning: Detect any devices scanning open ports
2.8 Service Detection: Detect network services such as DHCP, SMB, DNS, SMTP, TELNET, HTTP, HTTPS and SNMP provided by a network node
2.9 Node Activity Monitoring: Provide node status information (system up/down), updated within 1 minute of a status change
2.10 Platform Detection: Detect device platform information (e.g. type, manufacturer and model)
2.11 Platform Business Information: Provide information about the status of the platform manufacturer (out of business, acquisition) and product (EOL, EOS)
2.12 Update Platform Database: Automatically update the latest platform information at least once a week (Monthly for one edition)
2.13 Unknown/Wrong Platform Report: Provide reporting capability (manual or automated) for any information detected incorrectly
2.14 Node Tagging: Create tags, set them on nodes, and release them when necessary. Establish policy via tags.
2.15 DHCP Detection: Provide a monitoring function to identify that a network node has been assigned an IP through DHCP
2.16 Dynamic Grouping: Set conditions for nodes requiring access control and automatically classify nodes that meet those conditions. Conditions must be definable for all items collected by the NAC system.
2.17 Custom Fields: Create fields that allow the administrator to enter custom data for each node
3 Network Visibility
3.1 Switch Information: Provide the link status, duplex, speed, utilization, security setting, and 802.1X configuration information of the switch and each port through SNMP integration
3.2 Connected Switch Port: Provide the switch name and port information to which the node is connected
3.3 Switch Port Description: Change the description of the switch port via SNMP
3.4 Switch Port Shutdown: Execute an administrative shutdown of the switch port via SNMP
3.5 Switch Auto Detection: Automatically register the switch using the node SNMP service detection information
3.6 WLAN Detection: Detect neighboring Access Point information in real time through network sensors and agents
3.7 WLAN Information: Provide SSID, security setting, channel, signal strength, location, and detection time for each detected wireless LAN Access Point
3.8 Internal WLAN Detection: Automatically detect that an access point is connected to the internal network
3.9 WLAN Connection Monitoring: Provide a list of stations connected to the Access Point and identify which stations are known on the internal network
3.10 Rogue AP Detection: Identify any Access Points not acknowledged by the network administrator
3.11 Physical Location Tracking: Discover the physical location of an AP
3.12 Wireless / Wired Device Mapping: Provide wired-LAN information of the device providing the wireless-LAN access point
3.13 Wireless Network Sensor: Collect wireless LAN information through a network sensor equipped with a wireless LAN interface
3.14 Wireless Agent Sensor: Collect wireless LAN information through an agent-installed PC with a wireless LAN interface
3.15 Risk Detection: Provide Layer 2-based risk detection (abnormal traffic), including:
  - Invalid DHCP Server
  - ARP Bomb
  - ARP Spoofing
  - MAC / IP Clone
  - Port Scanning
4 Endpoint Visibility
4.1 Agent Support: Provide Windows and macOS Agents to present more details in real time and control endpoint system configuration
4.2 Windows Support: Provide Agent-based functions for Windows (XP or higher)
4.3 macOS Support: Provide Agent-based functions for macOS 10.10 (Yosemite)
4.4 OS Information: Provide the following information and detect any changes in real time:
  - OS Name, Version, Service Pack, Language, Login User, Install Time
  - Login Password, Screen Lock, IE Version, Shared Folder, etc.
4.5 Hardware Information: Provide the following hardware information and detect any changes in real time:
  - Motherboard, CPU, Memory, Storage, Network Interface Card, Battery, USB Device, Monitor, Printer, etc.
4.6 Software Information: Provide software information and detect any changes in real time:
  - Software name, version, path, date of installation, etc.
4.7 Antivirus Information: Provide antivirus software information and detect any changes in real time:
  - Antivirus name, version, whether real-time monitoring is enabled, latest update time, latest scan time
4.8 OS Update Information: Provide OS update information and detect any changes in real time:
  - State of update installation, installed update name, settings of the update service
4.9 Periodic Check: Update the policy server only when changes occur, in real time or periodically
4.10 Periodic Custom Check: Provide the following options to check information periodically, based on your requirements:
  - File presence, hash, date
  - Process existence
  - Registry key existence, value check
  - Service presence
4.11 WMI Support: Provide system information collection through the WMI interface
4.12 Ad-hoc Network Detection: Detect network interfaces that are not authorized by the administrator
4.13 Agent Download Page: Provide a custom web page to download the Agent
4.14 Deploy Agent by GPO: Deploy the Agent through a GPO in Active Directory
4.15 Non Kernel-based Agent: Operate as a user-level application to minimize system malfunctions and performance impact
4.16 Automated Upgrade: Automatically upgrade without user involvement
4.17 Segmented Upgrade: Perform upgrades on segmented targets
4.18 Authcode for Agent Deletion: Allow the Agent to be deleted only with an authorization code provided by the administrator
4.19 Hide Agent: Provide the following options to hide the Agent:
  - Agent installation
  - Tray icon
  - List of installed software in Control Panel
4.20 Self Protection: Prevent the Agent from being removed or terminated by the end user
5 Network Access Control
5.1 Device Authentication: Provide device access control based on MAC address, so that devices with unauthorized MAC addresses can connect to the network after receiving the administrator's authorization
5.2 Identity-based Access Control: Provide access control based on device identity, measured by the following options:
  - Node type
  - Node platform name
  - Authenticated user of the node
  - Host name of the node
  - NIC vendor of the node
5.3 Compliance Status-based Access Control: Provide access control if a device is not compliant. Compliance status is measured by the following options:
  - Required software installed
  - Antivirus s/w running
  - Security settings, etc.
5.4 Role-based Access Grant: Establish a different access control policy based on the role of the user and device, and grant access to the appropriate network, service, and time zone by privilege
5.5 Real-time Policy Change: Update policies in real time
5.6 Captive Web Portal (CWP): Redirect HTTP (or HTTPS) requests to a custom web page for remediation or for access to the right network resources
5.7 Customizable CWP: Modify the messages and UI in the CWP
5.8 Custom Button: Customize the buttons in the CWP to meet your requirements. The following options are provided:
  - External page link
  - File download
  - Pop-up window
5.9 Consent Page: Provide a consent page including terms and conditions for users connecting to the network. In addition, collect custom data from users during the onboarding process
5.10 Out-of-Band Enforcement: Provide out-of-band enforcement to prevent network service disruption in the event of a system malfunction
5.11 Layer 2 Enforcement: Provide Layer 2-based access control using ARP
5.12 Layer 3 Enforcement: Provide Layer 3-based access control using Mirroring (SPAN) ports
5.13 Switch Port Control: Control (shut down) a switch port if non-compliant devices are connected
5.14 Network Sensor Mode: Control the Network Sensor mode: Monitor only or Policy Enforcement
5.15 Agent-based Access Control: Control endpoints' network interface and power using the Agent
6 User Authentication
6.1 Captive Portal-based Authentication: Provide user authentication through the CWP
6.2 Agent-based Authentication: Provide user authentication through the Agent
6.3 Password Strength: Provide the following password strength settings:
  - Minimum/maximum length limit
  - Do not reuse the same password
  - Include letters, numbers, and special characters
  - Repeating characters
  - Numerical or alphabetical sequences
  - Regular expression inspection
  - Custom blacklist
6.4 Inactive User Lockout: Lock out users who have been inactive for a certain period of time
6.5 Regular Password Change: Guide or enforce password changes at regular intervals
6.6 Temporary Password for New User: Provide temporary passwords for new users. Users can update their password after login
6.7 Two-Factor Authentication: Provide two-factor authentication via text message or email
6.8 Automatic Logout: Automatically log out after a certain period of time post-login
6.9 Automatic Logout for Inactivity: Automatically log out if there is no activity for a certain period of time post-login
6.10 Periodic Reauthentication: Re-authenticate users on a regular basis (Daily, Weekly, Monthly, Day of Week, Date, Time)
6.11 Authentication at Startup: Perform user authentication whenever the endpoint is restarted
6.12 Limit Maximum Authenticated Devices: Limit the maximum number of IP addresses, MAC addresses, and devices that can be authenticated by a user at any given time
6.13 Local User Database: Provide user and group management capabilities
6.14 User Registration: Provide custom web pages for user registration. Set different management rules for super admin, sponsor, etc.
6.15 Active Directory Integration: Read the Active Directory domain user information through the Agent and apply it as the authenticated user of the node
6.16 Authentication Integration: Integrate with the following systems to obtain user authentication information:
  - RDBMS integration
  - RADIUS Accounting packet integration
  - Syslog integration
  - RESTful API integration
6.17 External User Directories: Support the following user directories:
  - RADIUS Server
  - POP3/IMAP
  - SMTP (Google G Suite)
  - Active Directory
  - LDAP
6.18 User Database Synchronization: Synchronize with the following user directories:
  - RDBMS (Oracle, MSSQL, MySQL, PostgreSQL, DB2)
  - LDAP
  - CSV
6.19 RADIUS Server: Provide PAP and CHAP authentication for external RADIUS clients
6.20 MAC Authentication Bypass: Provide a MAC Authentication Bypass (MAB) function for non-802.1X-capable devices
6.21 802.1X-based Access Control: Support RADIUS EAP for 802.1X authentication services
6.22 Supports Active Directory: Domain controller interworking provides 802.1X authentication through Active Directory
6.23 Supports Webhook: Provide a Webhook function to check user credentials against external systems
6.24 Supports EAP-GTC: Provide an EAP-GTC supplicant module for Windows for 802.1X configuration using a legacy password
6.25 RADIUS Server Separation: Use separate RADIUS servers for remote access and for user authentication
7 IP Address Management
7.1 Real-time IP Usage Monitoring: Monitor current IP usage in real time (used IP, unused IP, IP conflict, IP shortage)
7.2 IP Usage Tracking: Keep the history of IP usage (past 12 months) and retrieve the node information for an IP address at a specific time if needed
IP Matrix View: Manage IP usage through the Matrix View table, where administrators can select and visualize the desired IP state
7.3 IP Policy: Use only authorized IPs in the network through the IP policy
7.4 IP/MAC Lifetime: Set the lifetime of an IP or MAC to be valid for a specific period of time
7.5 IP User Restriction: Specify that certain users can perform user authentication only from a specific IP
7.6 IP Conflict Prevention: Protect important IPs by allowing only an authorized MAC, through the IP policy, to use a specific IP. If an unauthorized MAC attempts to use a protected IP, a GARP response must be provided to prevent IP use. If an IP collision occurs, a detox ARP transmission function should be provided to minimize service interruption
7.7 IP Change Block: Restrict unauthorized IP changes by restricting the IP that a particular MAC device can use
7.8 DHCP Server: Provide a DHCP service that supports IP-helper addresses. For IP assignment requests, IPs must be assigned only to authorized devices according to IP policies
7.9 IP Request / Approval: Provide an IP request and approval system for unauthorized IPs
8 Endpoint Configuration Management
8.1 Enforce Antivirus Software: (Windows) Change the antivirus software configuration on Windows machines
8.2 Change Computer Name: (Windows) Change the computer name to the specified template format
8.3 Check Logon Password: (Windows) Provide password checking for local accounts, including:
  - Same as the Genian NAC password policy
  - Password age
8.4 Change Windows Settings: (Windows) Provide a security configuration function that includes:
  - Disabling Guest Account
  - Firewall
  - Remote Desktop
  - Autorun
  - Internet Time Synchronization
  - Scheduled Task for Windows XP
8.5 ARP Spoofing Protection: (Windows) Provide static ARP management to prevent ARP spoofing
8.6 Control DNS: (Windows) Provide DNS configuration and hosts file management
8.7 Control Folder Sharing: (Windows) Control the folder sharing settings
8.8 Control Application: (Windows) Install new applications or delete installed applications
8.9 Control Internet Options: (Windows) Provide an Internet options configuration function that includes:
  - Homepage
  - ActiveX-related settings
  - Proxy Server
8.10 Control Screen Lock: (Windows) Enforce screen lock-related settings
8.11 Multi-homed Control: Inspect PCs connected to multiple networks at the same time and control the network interface connection according to specified conditions
8.12 Control WLAN: (Windows) Disable the wireless LAN interface or prohibit Soft AP operation
8.13 Control Process: (Windows) Terminate specified process(es)
8.14 User Notification: Deliver key events or manager messages to users via pop-up windows
8.15 Run Scripts: (Windows) Run batch files or VB Scripts set by the administrator
8.16 Wireless Connection Manager: (Windows) Provision profiles for wireless LAN connections and control the accessible SSIDs through a whitelist
9 Patch Management
9.1 Enforce Windows Update Settings: (Windows) Enforce Windows Update settings
9.2 Install Windows Updates: (Windows) Perform installation at a given point in time (immediately, at system shutdown, or at a designated time) for administrator-approved updates
9.3 (Delayed) Automatic Approval: (Windows) Automatically approve new patches immediately when they are released, or automatically approve them after a certain period of time
9.4 Offline Windows Updates: (Windows) Install Windows Updates on endpoints that do not have Internet connectivity. Provide software that downloads update files from an Internet-enabled environment and copies the patches to the NAC system on the closed network
9.5 Support WSUS: (Windows) Provide interoperability with an existing WSUS system
9.6 Update File Cache Server: (Windows) Provide an update file cache on a network sensor equipped with an HDD, so that network bandwidth usage is reduced when sensor-managed nodes download update files
10 External Device Control
10.1 Disabling Connected Device: (Windows) Keep a device in a disabled state when it is connected to the system, by setting a block policy using the device's Name, Class, Type, and Description
10.2 USB Device Control: (Windows) Establish policy by vendor, model, and serial number for devices connected through the USB interface, and keep a matching device in a disabled state when it is connected
10.3 Device Usage Request / Approval: (Windows) Allow use of a device for a specified period of time through an administrative approval process
11 Audit and Report
11.1 Keep Logs: Retain a minimum of 12 months of audit records
11.2 Searching Logs: Query and retrieve audit records through the management console
11.3 Log Filter: Save specific search conditions and retrieve only the audit records that match those conditions
11.4 Real-time Log Monitor: Monitor logs generated in real time
11.5 Tagging Node Using Log Filter: Set a tag on a node whose log matches a specific log filter, and change the policy when the event occurs
11.6 Notification: Send an alarm to the administrator when an audit record meets a specific search condition
11.7 Out-bound Integration: Integrate with external systems to share audit information that meets specific search conditions:
  - Syslog
  - SNMP Trap
  - Webhook
11.8 Syslog Server: Receive syslog from an external system (e.g. FireEye) and set the tag of the node to apply the policy
11.9 Receive SNMP Traps: Receive SNMP Traps generated by an external system, store them as audit records, and tag the node
11.10 Default Reports: Provide the following basic reporting capabilities:
  - Node Group trend
  - WLAN Group trend
  - Log volume trend by log filter
11.11 Custom Reports: Provide the following custom report capabilities:
  - Number of nodes
  - Specific group trend
  - Specific log trend
  - Custom query result trend
11.12 CSV Export: Export the data provided by the product in CSV format
12 Administration
12.1 Customizable Dashboard: Provide customizable dashboard functionality
12.2 Personalized Dashboard: Provide a personalized dashboard for each administrator
12.3 Geo Dashboard: Support a dashboard that provides location-based node monitoring
12.4 Backup: Provide a backup function that includes the following methods:
  - External Storage
  - CIFS / NFS
  - FTP / SFTP
12.5 Role-based Administrator: Control the level of access to functions and menus based on the administrator's role
12.6 Management Scope: Control the scope of management for each administrator
12.7 Change Tracking: Audit all administrators' settings and policy changes, including pre-change values
12.8 Software Update: Check for the latest software changes through the management console and perform the upgrade after downloading
12.9 SNMP Support: Support SNMP to manage Genian NAC
12.10 Two-Factor Authentication: Provide administrator authentication through two-factor authentication