COVER STORY From the July 2006 issue of Communications News
IPS protects ever-changing show floor

New York City’s Javits Center is one of the nation’s best-known convention and expo centers, its one million square feet of exhibit space playing host each year to hundreds of events. Since opening in 1986, Javits has hosted more than 2,400 events, nearly 1,400 of which were major trade shows or conventions. Over time, the expectation from attendees–and especially from exhibitors, for whom these events are critical moments in their business–has become the delivery of unimpeded, reliable Internet access. Javits provides this access as part of exhibition fees, so it is a major revenue source for the center.

Delivering unimpeded Internet access to Javits exhibitors can threaten network availability and also endanger the hardware of other exhibitors. At first blush, this seems similar to any enterprise, but unlike most enterprises, Javits has zero control over the devices that are attached at each port. Lou Martorella, Javits’ network manager, was dealing with regular outages; on days of major events, these outages were numerous. “This was typically due to exhibitors unknowingly connecting infected machines to the network,” Martorella says. “We would generally hunt down the offending device and block it, or physically remove it from the network.”

During this non-stop hunt, however, network performance was degraded or completely stalled, frustrating other customers. Further compounding the issue, the network landscape would change from moment to moment, and a new offending device usually appeared shortly after the last one was removed. Commonly seen were pests such as SQL Slammer, Smurf and SYN-flood variants, and the stream seemed endless. Martorella says he was literally playing “network cop”–sometimes five or six times a day–and countless hours were being lost hunting down and stopping malicious network traffic.

Because of the technical and administrative problems this was causing, Martorella began searching for a comprehensive solution in conjunction with Javits management. Initially, Martorella deployed a firewall solution, but it presented administrative and management challenges. The needs and demands (by port, by protocol and by application) varied by exhibitor, by show, and even over time. A firewall also did not address the fact that an authorized application on an authorized device can still become infected and wreak network havoc. So Martorella concluded that a firewall was untenable.

Javits’ network has a primary DS-3 Internet connection supplied by AT&T.

“The IPS (intrusion-prevention system) approach was very attractive,” offers Martorella. “The idea of plugging a device inline that would inspect network traffic and drop malicious packets on the fly, before they bogged down the LAN, seemed the perfect approach for our ever-changing network.”

So Martorella and his team began evaluating IPS solutions from several vendors. Beyond the goal of assuring connectivity for exhibitors, their requirements included deep-packet inspection techniques, strong distributed-denial-of-service (DDoS) protection mechanisms, rich security logging, and fail-open capability, since the device would be inline. Additionally, they wanted to avoid any requirements such as creating access control lists, because of the dynamic nature of the network and the impact on their switches and routers. Essentially, the solution had to keep the network as flexible and unrestricted as possible and quickly mitigate attacks before they proliferated. It was also imperative that the network’s performance not be degraded by the solution.

After the evaluations, Martorella’s team decided to try a Top Layer Networks Attack Mitigator 3501 inside the production environment. The device was installed on the inside of the Javits router. “Configuring and installing the device was relatively easy and took about half an hour,” Martorella explains. No technical changes were required, as the device connected inline between the router and switch. After this production test, Javits decided to purchase and permanently install the device. Javits has since upgraded to the 5500 version of the product.

“The solution of using an inline device has been working very well overall,” according to Martorella, “and has nearly eliminated any need to chase down network ghosts, while still giving exhibitors and other customers the free rein they need over their Internet connectivity.”

One glitch that presented itself was that exhibitors using remote SQL services to update remote databases sometimes triggered false positives on the device. This requires an administrator to add trust relationships to the device to prevent those false positives.

Taking the inline IPS approach has saved Javits money by considerably reducing the number of exhibitor refunds related to network outages. The approximate cost for the deployment was $35,000. The primary justification for the initial investment was the time and revenue being lost to network outages. Javits also required a network that came as close to 99.999% reliability as possible for all users, to help build the center’s reputation for offering customers rock-solid network availability.

Beyond the actual vendor or device chosen, Martorella says the technical model of using an active, inline intrusion-prevention device proved to be the right approach because of the variability of the network environment and the total lack of control over the devices.

For more information from Top Layer Networks: www.rsleads.com/607cn-250
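The decision model the article describes (an inline device that drops SYN-flood and Slammer-style traffic, exempts hosts an administrator has added as trust relationships, and fails open rather than cutting the LAN off) can be sketched as a small simulation. This is an added teaching example, not code from the article or from the Top Layer product; the packet records, addresses, thresholds and the trusted host are all constructed here, and a real IPS uses signatures and stateful inspection rather than these simple counters.

```python
"""Toy inline filter modelling the article's decisions: rate-limit SYN floods,
drop Slammer-like UDP/1434 fan-out, exempt trusted exhibitor hosts, fail open."""
from collections import Counter

# Constructed packet records, not real captures: (src, dst, proto, dport, flags)
PACKETS = (
    [("10.7.1.10", "203.0.113.5", "tcp", 80, "SYN")] * 3                      # normal browsing
    + [("10.7.2.44", "203.0.113.9", "tcp", 80, "SYN")] * 40                   # SYN flood from one booth
    + [("10.7.3.8", f"198.51.100.{i}", "udp", 1434, "") for i in range(1, 21)]  # Slammer-like scan
    + [("10.7.4.2", f"192.0.2.{i}", "udp", 1434, "") for i in range(1, 16)]    # exhibitor updating 15 remote DBs
)

TRUSTED_SQL_HOSTS = {"10.7.4.2"}  # hypothetical trust relationship the admin added
SYN_THRESHOLD = 20                # SYNs per source before further SYNs are dropped
UDP1434_FANOUT = 10               # distinct udp/1434 destinations per source before drop

def inspect(packets, trusted=TRUSTED_SQL_HOSTS):
    """Return (forwarded_packets, drop_counter keyed by reason:src)."""
    syn_seen = Counter()          # SYNs per source
    sql_dsts = {}                 # source -> set of udp/1434 destinations
    forwarded, drops = [], Counter()
    for pkt in packets:
        src, dst, proto, dport, flags = pkt
        if src in trusted:        # trust relationship bypasses the heuristics
            forwarded.append(pkt)
            continue
        if proto == "tcp" and flags == "SYN":
            syn_seen[src] += 1
            if syn_seen[src] > SYN_THRESHOLD:
                drops["syn-flood:" + src] += 1
                continue
        if proto == "udp" and dport == 1434:
            sql_dsts.setdefault(src, set()).add(dst)
            if len(sql_dsts[src]) > UDP1434_FANOUT:
                drops["udp1434-fanout:" + src] += 1
                continue
        forwarded.append(pkt)
    return forwarded, drops

def inline_device(packets, engine=inspect):
    """Fail-open wrapper: if the inspection engine errors, traffic passes untouched."""
    try:
        return engine(packets)
    except Exception:
        return list(packets), Counter({"fail-open": len(packets)})
```

Running `inspect(PACKETS, trusted=set())` shows the false positive the article mentions: the exhibitor's SQL updates exceed the fan-out threshold and five of them are dropped, while adding the host to the trust set forwards all of them.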