A Midwest issuer of credit cards found a NAC system to help meet compliance requirements...and solidify security, reports Greg Masters.

Financial institutions need to balance a high level of security with convenient access for their diverse set of users. So, when the legacy network access control (NAC) system of Credit First National Association (CFNA) failed an internal penetration test during an audit, Timothy Lynch Childress, manager of CFNA Network Services, Bridgestone Firestone, was stunned.

“Even with a NAC solution in place, an auditor was able to access our network in less than 10 minutes just using his laptop,” Childress says. “We are required to ensure compliance with regulations of the Office of the Comptroller of the Currency, and keeping our customer and employee data safe is paramount.” He and his four-member IT team began looking for a new solution immediately.

CFNA, a federally chartered, limited-purpose credit card bank, and a wholly owned subsidiary of Bridgestone Retail Operations, issues credit cards to customers of Firestone Complete Auto Care Stores and independent dealers who have commercial relationships with Bridgestone America Tire Operations. The company employs 200 people in Brook Park, Ohio.

Knowing what they didn't want, after an unsatisfactory experience using the company's legacy NAC solution, made it easy for the CFNA staff to articulate exactly what they needed in a new solution: the ability to prevent rogue devices from accessing the network, increased visibility, and enforceable policies that could be modified as needed. The company also required an easy, preferably self-service, remediation process, as CFNA's previous NAC solution required users to call the help desk any time they failed a scan.

It was also essential that any solution they chose be virtually invisible to network users. “We really wanted to improve our user experience with NAC, because while visibility is essential to us, our users found our previous tool to be an intrusion,” Childress says. “Our legacy NAC prevented users from logging on while a lengthy policy scan was completed, and response time was impacted by virtually anything happening on the network.”

After Childress and his team evaluated a number of network access control solutions, they chose Network Sentry from Bradford Networks to enforce NAC across the CFNA network environment.

“Once I saw the control and visibility that Network Sentry provided, I was convinced,” Childress says. “The simplified end-user experience really sealed the deal. Given the problems we had with our previous NAC solutions, Network Sentry has been a breath of fresh air.”

The adaptive network security (ANS) platform automatically responds and securely provisions network resources based on pre-established policies, says Frank Andrus, CTO of Concord, N.H.-based Bradford Networks. "The platform integrates and correlates network resources, user information and device information to make networks more secure and more accessible," he says.

The solution uses an out-of-band, policy-driven architecture to deliver centrally managed visibility and access control across wired, wireless and VPN environments, says Andrus. "Elements in the network environment, including switches, wireless access points and VPN concentrators, are leveraged to gain visibility of all connected users and devices, and to enforce access policies at the edge of the network."

The tool's architecture also allows it to be deployed in phases to meet unique requirements of different organizations. For example, deploying first in “monitor-only” mode provides network-wide visibility of all users and endpoint devices on the network, while being completely transparent. This allows an organization to “baseline” the network to determine whether users and endpoint devices are compliant with security policies without adversely impacting anyone's network access, says Andrus.

"The organization can then move on to enforce access policies in later phases of deployment," he says. "Advanced capabilities, such as device profiling and securing guest access, can be added in later phases as well, without needing to deploy additional hardware or reconfigure the system. This gives Bradford customers the ability to adapt the Network Sentry platform to their own environment."