Network Security
Association uses identity-based network access control
Appliances provide critical HIPAA compliance and policy-based user access controls.

An unauthorized user had just gained access to the LAN at the Government Employees Health Association (GEHA) in Independence, Mo. Justin Gerharter, senior systems engineer at GEHA, discovered the breach by accident. "One day the guy sitting next to me happened to be going through DHCP scopes and saw an unfamiliar network name associated with an IP address," Gerharter recalls. "Sure enough, it was a consultant who had plugged in a laptop."

The incident was innocent enough, but it raised important questions: How often does this type of unauthorized access occur? How might the network's resources or patient privacy be compromised when it does? "That single incident drove home the need for network access control," says Gerharter.

As one of the largest national health insurance plans serving federal employees, retirees and their families, GEHA operates under strict guidelines established by the Health Insurance Portability and Accountability Act (HIPAA), which, in part, requires control over individual user access to network resources. HIPAA also requires an ability to distinguish between corporate-owned and guest assets seeking access to the network. Given the sensitivity of patient privacy for GEHA's 221,000 health-plan members and their dependents (a total of 400,000 patients), the association had already implemented strict security provisions for its IT resources, but Gerharter realized more measures were needed.

"Not knowing the identity of every user and what resources they are authorized to access on a network as sensitive as ours was the trigger point for investigating NAC solutions," Gerharter says.

GEHA's criteria for an identity-driven LAN security solution narrowed the field of vendor options. "We realized early on that we needed more functionality than traditional 'NAC solution' vendors were even talking about," Gerharter explains. The goal, at a minimum, was to ensure that all devices accessing the network were authorized to do so.

Gerharter sought advice from Steve Allen, security manager at DPSciences in Cincinnati, a certified reseller of LANenforcer products from Nevis Networks.

Allen decided solutions from Nevis Networks would be able to handle GEHA's application, and a test of the LANenforcer 2024 Security Appliance at DPSciences' demonstration lab was successful. The LANenforcer transparently enforces identity-based policies in real time within the network fabric, controlling who can access the network and which resources are permitted for use.

Gerharter decided to proceed with a full-scale implementation of the LANenforcer 2024 Security Appliance. The deployment involved nearly 1,600 access switch ports, together providing secure access control for some 800 users.

"We found the implementation to be very simple and straightforward," Gerharter says. As an in-line appliance, the LANenforcer is installed between edge and core switches. "You just plug the edge switch into the top port and the core switch into the bottom port of the same port pair," Gerharter explains.

The next step was to create policies using the LANsight management system. Although the Nevis solution supports fairly elaborate policies, Gerharter decided to keep it simple initially. GEHA already had several layers of security for its applications, but to prevent any additional unauthorized access to the LAN, he provided guests with Internet access only. For employees on company-owned systems, the LANenforcer was configured to monitor and log activity.

Gerharter initially experienced what appeared to be a serious problem with GEHA's voice-over-IP (VoIP) system: the phones did not work. The access control policy was set to recognize all VoIP phones by their MAC addresses and restrict their access exclusively to the VoIP VLAN. When the Avaya phones boot up, however, they must have temporary access beyond the VoIP VLAN to register with the PBX and receive configuration information. Because these phones were blocked from reaching the PBX, they were unable to boot up.

Changing the policy to grant the phones access to a separate VLAN solved the problem. "We were making the network more secure than we needed to, and for these phones that created a problem," Gerharter says, adding that Nortel phones boot up in a similar fashion.

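The phone boot failure above is a good illustration of why a policy should be evaluated against every flow a device needs before it is enforced. The following is an added example, not Nevis or GEHA code: a toy identity-based policy evaluator that classifies devices by MAC address (phones and corporate assets are known, everything else is a guest), applies the article's three rules (guests get Internet only, corporate assets are allowed but logged, phones are pinned to named VLANs), and replays a constructed phone boot sequence under the overly restrictive policy and the corrected one. All addresses, MACs and VLAN ranges are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example; none of these values are from the article.
VOIP_VLAN = ip_network("10.20.0.0/24")   # phones' normal VLAN
PBX_VLAN = ip_network("10.21.0.0/24")    # separate VLAN holding the PBX / config server
PBX = "10.21.0.5"
PHONE_MACS = {"00:11:22:33:44:01"}       # hypothetical VoIP phone, known to the policy
CORP_MACS = {"00:11:22:33:44:99"}        # hypothetical company-owned PC

@dataclass
class Flow:
    mac: str   # source device identity (the phone policy in the article keyed on MAC)
    dst: str   # destination IP address

def role_of(mac: str) -> str:
    """Identity lookup: phones and corporate assets by MAC, anything unknown is a guest."""
    if mac in PHONE_MACS:
        return "voip-phone"
    return "employee" if mac in CORP_MACS else "guest"

def evaluate(policy: dict, flow: Flow) -> str:
    """Return 'allow', 'allow+log' or 'deny' for one flow under a role -> networks policy."""
    role = role_of(flow.mac)
    dst = ip_address(flow.dst)
    if role == "guest":                      # guests: Internet only, nothing internal
        return "deny" if dst.is_private else "allow"
    if role == "employee":                   # corporate assets: permitted, but logged
        return "allow+log"
    allowed = policy.get(role, [])           # phones: only the VLANs the policy names
    return "allow" if any(dst in net for net in allowed) else "deny"

# Before: phones pinned to the VoIP VLAN only.  After: also granted the PBX VLAN.
RESTRICTIVE = {"voip-phone": [VOIP_VLAN]}
FIXED = {"voip-phone": [VOIP_VLAN, PBX_VLAN]}

# Constructed boot sequence: register with the PBX first, then reach another phone.
BOOT_SEQUENCE = [Flow("00:11:22:33:44:01", PBX), Flow("00:11:22:33:44:01", "10.20.0.77")]

def boot_succeeds(policy: dict, boot_flows=BOOT_SEQUENCE) -> bool:
    """'What if' check: every flow the phone needs at boot must be allowed."""
    return all(evaluate(policy, f).startswith("allow") for f in boot_flows)

if __name__ == "__main__":
    for name, policy in (("restrictive", RESTRICTIVE), ("fixed", FIXED)):
        print(f"{name}: phone boots = {boot_succeeds(policy)}")
```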
The restrictive guest access policy recently proved itself when an employee brought in her personal laptop because she had been experiencing problems connecting to the company's Citrix system while away from the office.

GEHA recently installed the latest release of the LANenforcer operating software, which has a policy evaluation tool for running "what if" scenarios for policy troubleshooting and planning purposes. The new posture-check dashboard provides real-time monitoring, while the new customizable reporting tool can be used to answer critical questions, such as "Who (by user name) accessed various servers and applications over the last month?"

"Its cost-per-user is exceptional and our deployment confirms complete interoperability with our network infrastructure," Gerharter says. "The great thing about the solution is that it's vendor agnostic. It doesn't care what switch vendor or firewall vendor we use. It only cares about the traffic sent to or from these devices."