Strażnik+ combines the functionality of IPAM (IP Address Management) and NAC (Network Access Control) systems, and offers detection and prevention of unauthorised connections to the internal network by providing an implementation of the RADIUS protocol and deep integration with FortiGate devices and network infrastructure. The system is managed from a web interface.
The main goals of the system are:
Securing the network from unauthorized devices (802.1X).
Simplification of granting network accesses to individual employees and groups of employees.
Organisation of remote work using SSL-VPN connections.
Unification of security configuration and logging in for all accesses.
Centralisation of network addressing and granting accesses between units.
Facilitation of the introduction and control of infrastructure for remote working.
FG-40F, FG-40F-3G4G, FG-60E, FG-60E-DSL, FG-60E-DSLJ, FG-60E-POE, FG-60F, FG-61E, FG-80E, FG-80E-POE, FG-80F, FG-80F-BP, FG-81E, FG-81E-POE, FG-81F, FG-81F-POE, FG-90E, FG-91E, FG-100E, FG-100EF, FG-100F, FG-101E, FG-101F, FG-140E, FG-140E-POE, FG-80F-POE, FG-200E, FG-200F, FG-61F.
The system allows for assigning accesses to sections of the network to users both individually and in groups.
Network accesses are assigned to each user (employee) rather than to a specific device, so the user always receives their own accesses regardless of which workstation they log in at.
Network accesses can be granted both per-user and per-group, simplifying the management of accesses for medium and large numbers of employees. The system also allows for the creation of temporary accesses – accesses that expire after an amount of time set by the administrator has passed.
All accesses granted in Strażnik+ are also automatically created for SSL-VPN connections. As a result, every user with VPN connections enabled can reach the same elements of the internal network over VPN as they would directly from their device, without additional configuration and while maintaining the highest standards of network security.
Strażnik+ continuously fetches information from network infrastructure devices (switches, FortiGate devices) using available APIs and SNMP, scanning for unauthorized devices and attacks on the network. All detected connection attempts are reported to the administrator via e-mail and in the web interface.
Thanks to the functionality of address management connected with unit management, IP address reservations for devices in units and in the headquarters are automatically assigned from the web interface without the need to assign them manually.
Thanks to unit isolation, if a device in a unit is compromised, the attacker cannot get access to sensitive data, e.g. in the headquarters. Moreover, a fallback unit configuration makes sure that if the connection is lost, employees who are already authorized via the NAC subsystem can continue their work within the unit-local network.
Requirements can be assigned to all changes that administrators make to the Strażnik+ configuration: the number of signatures required, the rank (on a 10-point scale of administrator privileges) required to sign off on a change, and whether a superadmin must additionally confirm the change.
Users can submit requests to be granted access to a specific network resource. Requests are available for viewing in the web interface and are also sent to the administrators’ email address.
Two-factor authentication (2FA) protects employee accounts from being hacked even if their password is stolen. With 2FA enabled, employees will have to enter their username, password, and a 6-digit code generated on a phone app or token to log in. To achieve the highest standard of network security, FIDO2 security key authentication is also supported.
Strażnik+ makes it easy to maintain a guest registry and grant temporary network accesses to guests. With the Guest Management module, an authorised employee can generate login credentials with which the guest confirms their presence in the system.
It is also possible to enable a self-registration mode which ensures that no employee intervention will ever be required.
All guest data can also be anonymised or wiped in accordance with the GDPR.