COVER STORY
The Insider Threat
Texas Credit Union League's efforts
to deploy access control across its business
were complicated by its distributed
structure.

When auditors conducted an internal scan of
the Texas Credit Union League's (TCUL) LAN,
they voiced concern about the accessibility
of data that applications, such as backup
software, stored for their own use. Bill
Braun, TCUL's vice president of information
systems, knew the data posed a negligible
security risk, but given the league's
position as a representative for
approximately 600 not-for-profit Texas
credit unions, he decided that adhering to
security best practices should prevail and
opted to eliminate the risk. TCUL already
had a number of perimeter security
mechanisms in place, such as restricting
access to corporate resources for virtual
private network (VPN) users. Braun began
looking for ways to supplement this external
security. "Now we wanted to secure the LAN
itself," Braun says. "What I wanted, more or
less, was a firewall between the edge and
the core network. We needed to control
access from every port." TCUL, like
companies across a range of vertical
industries, recognized that the next wave of
security needed to be directed toward
protection from within–protection against
accidental or malicious damage from "the
insider threat." The auditor's finding,
harmless in itself because it involved only
backup data, exposed how open the internal
network was.
Braun's task to deploy access control
across the business was complicated by
TCUL's distributed structure. Dallas, the
organization's headquarters, is the central
hub for divisions in Houston and Austin.
Houston houses an employment agency
outfitted with thin clients operating
applications running in Dallas. Austin has
some local servers, but all Web-based
applications and Internet access are
provided by the Dallas IT center.
In addition, many TCUL employees travel
to individual credit unions, providing
education, training, regulatory/compliance
assistance, research and new product
development, and other services and
programs. These users require remote access
to resources in Dallas while on the road and
sometimes need temporary workspaces when
visiting corporate sites.
TCUL also operates wireless networks in
Dallas and Austin, providing a guest/public
network for Internet access and a private
network for employees. "We have a lot going
on at once–different user types, different
network types and different locations," says
Braun.
Braun wanted a way to simplify and more
tightly control access across all the
infrastructure types and locations, and he
needed to simultaneously secure the wireless
infrastructure, as well as eliminate the
risk posed by open wired ports, such as
those in conference rooms.
A RANGE OF FEATURES
LAN security, or network access control,
includes a range of features, spanning from
when a user first connects to a network to
full control over what users can do after
they are admitted onto a LAN. Braun wanted a
LAN security solution that would span the
full gamut of both pre- and post-admission
control features. He needed to cover the
basics, including ensuring that all users
are authenticated, but he also wanted to be
able to restrict access to resources based
on each user's identity.
He began his search by turning to his
primary vendors, Cisco and HP, and he also
investigated Enterasys. Cisco and HP both
offered network admission control (NAC)
solutions based on 802.1X. To test whether
this approach would meet his requirements,
Braun hired a consultant and got the
necessary equipment from one of the vendors.
"We tried to do a proof of concept with
802.1X, but we ran into all kinds of
problems with it," says Braun. The client
supplicant software was difficult to get
working, for example, and many of TCUL's IT
management packages would not work with
802.1X.
"We have a lot of management software
that runs automatically, or that we use off
hours. But with 802.1X, unless the client
was properly authenticated, the management
software couldn't do its job, like inventory
or pushing out patches," Braun says. "We
kept running into these roadblocks. For us,
802.1X was just too complicated."
Braun also looked at admission-control
solutions, specifically those providing
authentication and posture check, but he
found them focused entirely on endpoint
validation and remediation. Neither area
addressed Braun's needs: those products
essentially make a binary decision about how
to treat a user–either allow or deny access
to the LAN based on the state of the
machine. That treatment was too limited and
too intrusive, and it offered no way to
control what users could reach once they
were allowed onto the LAN.
"I wasn't interested in isolating people
and making them go through remediation. It's
not how I operate here. My objective is to
be very proactive and to make things as
transparent to the end-user as possible," he
notes.
Continuing his search of NAC products,
Braun came across ConSentry Networks in a
magazine review of the ConSentry LANShield
Controller. Through its LAN security
platforms, ConSentry provides a
comprehensive set of LAN security services
that includes network-admission control,
traffic visibility, identity-based control
and threat control, including malware
containment.
ConSentry was able to provide a
proof-of-concept evaluation on site. "That
was big," says Braun. "It's hard for me to
invest in some of these new technologies
unless I'm absolutely certain they're going
to work and meet our requirements." Testing
within his network was essential to
understanding whether the solution would fit
the environment.
A significant draw, Braun says, is that
the LANShield platform works with Microsoft
Active Directory, leveraging the Windows
login to authenticate users on the network.
"That is just huge. It simplifies so much,"
he offers.
The LANShield Controller watches users
authenticate to back-end identity stores
such as Active Directory and RADIUS, so
users do not have to authenticate to the
ConSentry platform separately. In fact, the
process is transparent to the users.
In addition to this passive
authentication technique, the platform can
also actively authenticate users via a
browser-based captive portal. This option
lets IT extend admission control to guests,
contractors and other non-employees who are
not listed in the identity store.
Another major draw for Braun was
ConSentry's reporting capabilities.
"Reporting wasn't in my requirements,
because I didn't really expect that to be
available, or affordable," he says. "I had
looked at another company that specializes
in reporting on LAN traffic. It looked like
a wonderful product, but it was
unconscionably expensive."
Prior to installing the LANShield
Controller, Braun only had insight into
bandwidth flowing through routers and
switches. "Now we can see different types of
application traffic, and it's real time," he
notes. ConSentry resolves all LAN activity
back to specific user names, including
application flows, files opened and closed,
and the use of printers, voice-over-IP
phones and other resources.
The controller retains statistics about
all flows and makes this information
available in predefined and customizable
reports through the ConSentry InSight
command center. InSight provides real-time
and historical data on LAN traffic, with
at-a-glance views of key user and
application data and security incidents, and
long-term views for trending and auditing
purposes. This granular visibility also
enables IT to control resource usage based
on a user's group association or role within
the organization.
Braun could not justify paying for a
separate device to provide this kind of
visibility data, but he has found it helpful
for troubleshooting and for understanding
what is happening on the LAN. Getting that
functionality built into the control
platform was an important combination for
him.
In addition to aiding with network
troubleshooting, trending and other
management tasks, Braun and his staff are
also using the controller's visibility
capability to understand what resources are
being accessed by which users, so they can
build the rules for access control.
ConSentry's identity-based controls limit
employee access to networked resources based
on the employee's role in the organization.
Because LAN activity is tied to users, this
access control is applied regardless of how
users connect to the network, whether they
are attaching locally via a wired or
wireless connection or connecting remotely
via a VPN.
A PHASED DEPLOYMENT
Braun is taking a phased approach to
policy deployment, beginning with
segregating users into groups within Active
Directory. "Once that's done, we'll start by
defining policies for one group, do the
testing, then roll that out," Braun says.
The ConSentry platform provides the means
to test each policy. The staff can implement
a new policy, have the platform enforce it
just by logging violations, and that logging
information provides a means for Braun and
the team to "check their work" before having
the platform enforce policies by blocking
violating traffic.
Braun also plans to use ConSentry's
access controls to constrain non-employee
access to the network, particularly in
conference rooms and empty cubicles.
Currently, anyone in a conference room can
plug into the network via an open Ethernet
jack. Companies usually deal with this issue
by manually enabling and disabling ports in
conference rooms and throughout their
networks.
Once the ConSentry deployment is fully
configured with policy rules, "we'll be able
to identify someone with a non-managed
computer and just give them Internet
access," says Braun. Companies can set such
a policy based on users not being in the
Active Directory database, for example, or
by recognizing whether a PC is company-owned
or not.
The ConSentry platform, for example, can
be configured to look for specific files on
a PC to deem that machine internal, or it
can rely on MAC address-based authentication
techniques, along with user login, to
determine the corporate assets. These
multiple options for ascertaining the
identity of machines and users will enable
Braun and his team to offer more
sophisticated services to the TCUL staff.
"We have some empty cubicles, and this is
where ConSentry will come in really handy,"
notes Braun. When remote employees come into
the office, they use these cubicles, which
have wireless access only. "We have them
configured to go straight out to the
Internet now to avoid possible security
problems," he says.
This setup complicates how users access
the LAN where, currently, employees have to
launch a VPN over the Internet to get back
into the corporate resources. By using the
LANShield Controller to identify
authenticated and unauthenticated wireless
users, Braun eventually will be able to
apply the appropriate access controls and
let employees directly access LAN resources.
"These policies bring a lot more peace of
mind," says Braun. In the future, Braun will
not have to answer questions about SQL data
being accessed over the LAN or other
information not being protected. So getting
through the audit processes will be quicker
and easier.
"NAC can be quite an expensive
undertaking," he adds. "Somebody might be
thinking about an investment in a NAC
solution and not getting their finger on
what it's going to cost five years from
now–how much consulting, maintenance, things
like that that will be needed to keep it
running. Compared to other solutions I
researched, ConSentry provides the type of
access control I want and is a lower cost
solution–to implement and to manage."
About ConSentry Networks
ConSentry Networks was founded in 2003
and is based in Milpitas, Calif. To mitigate
the threat from within, ConSentry delivers
secure switching–the ability to control
every user and secure every port on the LAN.
Whether in an appliance or a switch, secure
switching enables enterprises to control not
only who can come onto the LAN but, more
importantly, what users can do after they
have been admitted onto the LAN.
Prior to becoming chairman and CTO of
ConSentry Networks, Jeff Prince was a
founder of Foundry Networks, where he led
Foundry's hardware engineering group. Prince
holds eight patents related to networking
technologies, and brings to ConSentry more
than 16 years of experience developing
networking and ASIC technologies. He has a
bachelor of science degree in computer
engineering from California State
University, Chico.