- 1. ViaScope
Integrated IP Network Management Solution Provider
Agentless Network Access Control & IPAM Solution
By nForce Security System AP
- 2. Reference More than 1400 customers are already using IPScan
Korea
Samsung Electronics (HQ, Semi-conductor , Mobile phone, LCD, Appliance etc. 300,000 license ), LG Electronics
( worldwide 53 countries ), KT ( Korea Telecom nation-wide network, 800 sites), LG-Philips , Philips Electronics, Citi Bank,
Allianz, Prudential, ING life, Kookmin Bank, Shinhan Bank(1,100 sites), Samsung Securities, LG-Caltex Oil, Hyundai Heavy
Industries, SK C&C, Hynix-Semiconductor, LG Telecom, Korea Telecom FreeTel, University, 200 Government offices, etc.
(1,000 customers)
Japan
Toyota Motor Corporation(100,000 license), Matsushita Electronic Industrial Co., Ltd (Panasonic), Sony EMCS Corporation,.,
Mottox Inc., NYK Systems Research Institute, Denso, Nabtesco Corporation , Gihuken Police, Arakawa Chemical Industries Ltd.,
Aichi Steel Corporation, Toukei Computer Co., Ltd., Jupiter Programming Co., Ltd., Nissho Electronics Corporation, Daiko,
Argo21 Corporation, Nomura Living Support Center, Eizo Nanao Corp, Aisin AI Co., Ltd. PFU Limited, Nihon University,
Matsushita Electric Works, Nipro Corp, Misawa Home Holding.
South East Asia
Philippines : Bank of Commerce, Bureau of Treasure, LG Electronics, Allied Bank /Thailand : EGAT (Electricity Generating
Authority of Thailand), MWA ( Metropolitan Water Authority of Thailand), BankThai, WDC, Road Accident Victims Protection,
NCB, PAT (Thailand),Tun Hussein Malaysia : WDC Malaysia, Denso Malaysia, Malaysia National Security Division/Prime
Minister Department, IPPM, INSPEN, MASTIC, UKM / Singapore : Philips Electronics, Walton International, BSC / Indonesia :
AMFG, BIN / Hong Kong : WKK Corporation, Emperor Group, HUKM, TNT Express, WKK Holdings / Brunei : Ministry of Foreign
Affair, Bani Islam bank, etc.
China/Taiwan/Hong Kong
Alcatel Lucent, LG China, Mega International Commercial Bank, B&Q Corporation, Shinkwong Fabric, Chinese Gamer
International, Ministry of Foreign Affairs, Japan Research Institute, Misawa Homes, Fujitsu Chubu Systems, Toppan ChungHwa
University, Shanghai Stock Center, Beijing Institute of Petrochemical Technology, etc. ( 200 customers)
America / Europe
USA : Deluxe Digital Studio, City of Los Angeles , Station Casinos/ Las Vegas, HanmiBank, ScanHealthPlan , Samsung America,
Mexico : Samsung Mexico, Dynamic Communication, etc / Brazil : Samsung Brazil / Norway : Norwegian Customs and Excise,
BKK, Norwegian School of Veterinary Science, Ministry of Defense, Norwegian Defense Logistics Organization, Government
Administration Services, Ministry of Culture and Church, Ministry of Education and Research, Elis AS, Hejmme Mortensen, The
Norwegian Public Service Pension Fund, Norwegian Ministry of Fisheries and Coastal Affairs, Diakonhjemmet Hospital, Sweden :
Sanofi-Synthelabo AB, Lesjofors AB, Swedish Institute for Infectious Disease Control, etc.
2
- 3. Reference Sites
- More than 500 customers are already using IPScan
HUKM
3
- 4. Thailand Reference Sites
- 5. In your network
VAM Server
192.168.0.3 Authorized Clients
DHCP or Fixed mode
AD Server
192.168.0.2
Mail Server
192.168.0.1
Guest under policy
Guest (Static address)
192.168.0.2
- 6. IPAM Server found IP Conflict
Not BLOCK !!!
- 7. Best practices
IPScan
VAM Server
192.168.0.3 Authorized Clients
AD Server BLOCKING
192.168.0.2
BLOCKING
Mail Server
192.168.0.1
Guest (Static address) New MAC
192.168.0.2
- 8. Static VS Dynamic
Static DHCP DHCP +
Secure
User can change IP Address Yes Yes No
Real time data update (MAC, IP, Host) No Yes Yes
Easy to change and deploy address to clients No Yes Yes
IP conflict monitor No Yes Yes
Stop IP Conflict No No Yes
Easy to find source / destination of IP Conflict No No Yes
Block to new Host connection No No Yes
Limited time for connection No No Yes
Host registration No Yes Yes
Switch Port Monitor No Optional Yes
- 9. Questions for IP Management
• How many active devices connected to your network ?
• How do you manage your IP addresses? (Spreadsheet, paper based, etc)
• How many devices do not use anymore? Relocated? Offline? Can you
keep track of the changes?
• Do you assign static IP to users? What happen if the users change the IP?
• Can you keep track the changes? Can you prevent the user from
changing IP addresses?
• What happen if the user start conflicting IP with each other?
9
- 10. Current Problems
IP address Management problems
There are some IP address management solutions in the market, but no solutions
for Static IP address or Static/DHCP mixed environments.
It is painful to manage IP/MAC manually based on spreadsheet such as excel
sheet.
IP managers are facing more difficulties to update IP/MAC address usage status
for all devices in network (Online/Offline, unused, change, add, etc,)
Common DHCP problem:
• Unauthorized multi DHCP Server issues
• Static IP address in the DHCP pool causes problem.
• DHCP Server based solution cannot control each IP/MAC address. It is just an IP assignment device
• DHCP Server can assign the same IP to the same MAC each time, but, this policy is not effective when
there is IP conflict, etc.
• It is critical when DHCP Server has failure, etc.
Static IP problem
• Cannot prevent PC users from changing IP address
• Cannot prevent “ IP duplication” problem , and it causes big problems sometimes
• Unused IP address space creates security problems, but cannot disable this.
• Long time NO used device, etc.
10
- 11. Current Problems
IP address Management problems
DHCP Pool area Static IP
assigned area
Temporary IP
Unused IP
IP conflict
Static IP
DHCP
Unauthorized User Server
DHCP IP Unused IP
Static IP
DHCP IP
Static IP
DHCP IP
Unauthorized
DHCP Server
Static IP IP change
11
- 12. NAC Current Problems
NAC problems
Internet
Router
Anti Virus Server
AAA
NAC In-line
Patch Server
802.1X Switch required
OK
Network Servers and devices 802.1 X Agent installation issue
802.1 XAgent
Health Check Agent
Non 802.1X agent
Too complicated, Too expensive, Too difficult to implement
- 13. Current Problems
NAC problems
• No single set of standards – many approaches to NAC
• Low adoption rates of NAC related Technology such as 802.1X - Complexity
• Cost of replacements or upgrades of major network components is too high
• Agent installation issue in Host based NAC
• Difficult to manage non 802.1x devices such as printers/non windows
• Inline installation or Port mirroring requirement in Network based NAC
• Difficult to integrate with Anti-virus, Patch management, etc,
13
- 14. NAC Comparison
Inline Agent Agent less IPScan
Require 801.X No No Yes No
Need to Install agent to clients No Yes No No
Easy to deploy to un-management switch Yes Yes No Yes
Require to Switch port Mirror No No Yes No
Control all devices (PC, Notebook , Network device) No No Yes Yes
Protection to IP/MAC of important device No No No Yes
Block static address access to network No Optional Optional Yes
Limited Broadcast packet No Yes No Yes
Need to Join Domain Controller No Yes No No
IP / MAC blocking by administrator No No No Yes
Out of Range Blocking No Yes No Yes
Limited time control No Yes No No
- 15. Products of Viascope
Viascope Smart IP1000
(Appliance type for SMB)
IPAM + DHCP Server + Layer 2 Network Access Control Appliance
(manage up to 1000 user / Distributed environment is not supported )
IPScanXE5.0
(Enterprise Solution for distributed environment)
IPAM + DHCP Server + Layer 2 Network Access Control System
(Server + Management Console + DBMS + Probe)
Integrated IP/MAC Management & Secure DHCP Server
* Control Unauthorized IP/MAC Prevent IP duplication
* Layer 2 Network Access control
* Ideal for both Static & DHCP IP
• Target from small to large enterprise
(more than 100,000 users can be managed by Single IPScan Server)
- 16. Viascope Smart IP - IPScan appliance model for SMB
Viascope Smart IP
All-In-One Appliance
- Manage up to 1000 users
- IP/MAC Management/ DHCP Server/ LAN Access Control Network Inventory
- Simple Deploy (Plug&Play) & Easy GUI (Web Access )
- Cost Effective
18
- 17. IPScan XE5.0
IPScanXE 5.0
Enterprise Solution for distributed environment
- Management Software that controls all IPScanProbe in IT Center
- Deigned for Enterprise Environment / Comprehensive Features
- Sell by Number of Intranet IP address (250 users to 100,000 license)
- Full Redundant Configuration (Server/ Probe) support
IPScan Server
Communication Server program for IPScan Console,
IPScan DB Server, IPScan Probe connection
Send out IPScanConsole defined IP policies to IPScan
Probe
Need to buy : a bundle of 250 online user license
(Perpetual)
Continued on next page
19
- 18. IPScan Components
IPScan Server
Communication Server program for IPScan Console,
IPScan DB Server, IPScan Probe connection
Send out IPScanConsole defined IP policies to IPScan Probe
Need to buy : a bundle of 250 online user license (Perpetual)
IPScan Console
User Interface program for administration
Multiple Console support / User permission control
Enforce Network Policy & IP/MAC monitoring information
It comes with IPScan Server license
DBMS with PC Server (Not provided by ViaScope)
Database Storage for IP/MAC address table, Policy,
IPScan Change History, IP Conflict, User Data, and
various event storage
Support MySQL, MS SQL2000/2003/2008 Server
(Recommended), Oracle 9i,10g
20
- 19. IPScan Components
IPScanXE 5.0 Probe
- Dedicated H/W with embedded engine to collect information within
the segment & enforce policies.
- Multi Probe type support for HQ, Regional office and Branch .
IPScan Probe
Model
IPScan Probe 50 IPScan Probe 100A
Up to 50 Online device
Up to 500 Online device
IPScan Probe 200 IPScan Probe 600R IPScan Probe 1000R
Up to 1,000 Online device Up to 2,500 Online device Up to 5,000 Online device
22
- 20. Network Diagram
LAN / Wireless LAN
IPScan Probe 1000R
( Up to 5,000 Users)
Access
Built-In DHCP Server
Point
Probe 100A
Router
(Less than
Router 500 users)
Server Unauthorized
User User
VLAN VLAN Router
BLOCKING
User
User
Router
IPScan Server Server Probe 50
with DBMS and IPScan Console (Less than 50 users)
23
- 21. How to Implement?
Do not change existing network environment
Do not install any agent software
Do not use ID & Password
Do not depend on any network vendors
Do not affect to the network when IPScan has a problem
24
- 22. Connectivity
Unmanaged / Managed Switch (Core, Distribution, Edge) or Hub
port1 port2 port3 port4 port5 port6 port7 port8
Wireless
Uplink to Router Access Point
( Bridge mode)
IPScan Probe
Just connect IPScan Probe into normal switch port
IPScan Server in Flat Network (no VLAN)
with DBMS and
IPScan Console Enable “802.1Q trunk” in connected switch port to
monitor/control Multi VLAN, or connect Probe in each
VLAN
25
- 23. How IPScan works?
ARP Monitoring/ARP Control
ARP monitoring IPScan
ARP control Server & Console
Logical
Broadcast
Domain
IPScan Probe
ARP ARP ARP ARP
BLOCKING BLOCKING
192.168.0.100 192.168.0.101 192.168.0.102 192.168.0.100
AA:BB:CC:DD:EE:11 AA:BB:CC:DD:EE:22 AA:BB:CC:DD:EE:33 BB:CC:DD:11:22:33
(IP Protection) (MAC block) DHCP client or Non New MAC or
Server/Static IP Manual LAN Access block Policy enabled IP/MAC IP conflicting device
IPScan IP/MAC table Policy
192.168.0.100 AA:BB:CC:DD:EE:11 Protection
192.168.0.101 AA:BB:CC:DD:EE:22 MAC block
IPScanProbe 100A
192.168.0.102 AA:BB:CC:DD:EE:33 None
192.168.0.103 None IP Block
IPScan Memory: IP/MAC
New MAC block
address Registration DB
Built – in DHCP Server
26
- 24. How IPScan works?
IPScan with 3rd Party DHCP Server
Easy implementation for the current DHCP Server
environment with visitor control
IP Management without DHCP server
Static IP area
Static IP protection
Unused IP address blocking IP-MAC binding
IPScan Probe
DHCP Server DHCP
DHCP DHCP
Request Request Request
BLOCKING
DHCP
Request
New MAC
Registered DHCP client
27
- 25. How IPScan works?
Built-in Secure DHCP Server
Need to replace existing DHCP Server,
but, it provides more managed
and secured DHCP environment
Built-In
DHCP Server Mission critical IP protection
(IP conflict protection)
Unused IP address blocking
IP-MAC binding, etc.
Static IP area
IPScan Probe
DHCP DHCP
DHCP BLOCKING DHCP
Instant New MAC Blocking
Registered DHCP client
OR Temp IP allocation
New DHCP client
Authorized DHCP Pool Unauthorized DHCP Pool
Only supported In IPScan
28
- 26. Summary
Perfect inventory solution for all network IP devices
Protect mission critical systems from IP conflict : server farm,
manufacturing device, static IP address, etc.
Increase wired/wireless network access security
Increase DHCP network security
Quick & Easy action for worm-virus infected PC
Remote branch network access monitoring & access control
Easy PC management: All users have to follow up network policy
29
- 27. Summary
All-in-One solution
IPAM (Static/DHCP) + NAC Enforcement + Duplicate IP
protection
+ Net device Inventory + Switch Port Monitoring/Control + more…
Easy-to-Deploy
Agentless, Unmanaged Switch Support, Vender independent
Less Investment with more features
Technically proven with 1,600 large companies since 2001
30
- 28. Case Study
- Samsung Electronics (150,000 user licenses)
Probe100 ( Old model)
R&D / Office Center Distribution
(Less than 250 Active IP address)
Switch VLAN1
VLAN2
VLAN3
802.1Q trunk
Backbone switch
/Router
VLAN
VLAN
Probe600
Factory Distribution VLAN (Less than 2,500 Active IP address)
Switch VLAN
VLAN
VLAN
VLAN
802.1Q trunk VLAN
VLAN 7
Backbone switch
/Router
VLAN 1
VLAN 6 31
- 29. Features
Auto IP/MAC Inventory:
Online, Offline, Unused IP/MAC address
32
- 30. Features
Real-time IP/MAC events
User Description:
33
- 31. Features
IP/MAC Details
34
- 32. Features
Unused IP Blocking
35
- 33. Features
Unauthorized / Rogue IP/MAC Detection & Blocking
36
- 34. Features
Blocked IP/MAC list details and easy unblocking
37
- 35. Features
IP/MAC Grouping:
Logical Grouping IP based Grouping
Physical Grouping MAC based Grouping
38
- 36. Features
SwitchPort( L1)- MAC (L2)– IP(L3)
39
- 37. Features
Authorized / Unauthorized DHCP Pools
Temp user control, New MAC blocking, etc
40
- 38. Features
Access Time Control
Access time for MAC / IP Expired IP/MAC blocking
41
- 39. Features
Customized Blocking Message
42
- 40. Features
IP Change Control
Broadcast storm detection
43
- 41. Features
MAC Authorization Policy Simulation mode
Out of Range IP blocking
44
- 42. THANK YOU
www.viascope.com
www.nForcesecure.com
45
- 43. IPScan XE VS SmartIP 1000
IPScanXE SmartIP1000
Agentless Yes Yes
Component DB/Server/Console/Probe All-in One appliance
User Interface Client-Server Web-base (SSL)
Network Setting Serial port / GUI Serial port/GUI/ LCD
Coverage Unlimited users 1000 users / unit
Switch port Control Yes No
DHCP IP pool Authorized / Un- Authorized
authorized
WAB support Yes No
Centralized Management Yes No