With attackers shifting their focus to applications, the University of Miami, Miller School of Medicine, decided it was time to upgrade the school's intrusion prevention solution, reports Greg Masters.


When Vijay A. Haripal realized attackers had figured out that operating systems (OS) are becoming harder to penetrate, he noticed them focusing their attacks on applications within the OS, such as MS Office, Firefox, etc. So the information security manager at the University of Miami, Miller School of Medicine, decided it was time to upgrade the school's intrusion prevention solution.

Considering that the University of Miami is home to over 15,400 undergraduate and graduate students from around the world, with another 11,000 faculty and employees serving the campus population, this was not a simple challenge.

Its Leonard M. Miller School of Medicine campus, located in Miami, consists of 45 acres within the 100-acre University of Miami/Jackson Memorial Medical Center complex and includes the Miami VA Medical Center and two University-owned hospitals -- the University of Miami Sylvester Comprehensive Cancer Center and Anne Bates Leach Eye Hospital, home to the Bascom Palmer Eye Institute.

The University of Miami, Miller School of Medicine, sought to upgrade its intrusion prevention solution (IPS) from the outdated device sitting on its network to a third-generation, purpose-built IPS appliance. “We realized that there were fundamental issues with relying too heavily on signature-based protection for our network,” says Haripal.

The 120-member information security team at Miller – including network engineers and technicians, security engineers, server technicians and support engineers – engaged in an extensive evaluation of the current solutions in the market that were the most viable over the long-term. And after shopping around, Haripal and his staff chose a solution from Top Layer.

“Because Top Layer's architecture also examines the actual protocol of attack, as well as traffic behavior and characteristics, its IPS 5500 performed much, much better with variants of attacks than its predecessor.”

As security threats evolved and became more cunning and sophisticated, Haripal says he and his team knew the tool formerly in their network would not be able to provide adequate protection to changing network needs and the changing security threat landscape that has evolved over recent years.  

“At the same time, we started hearing more and more about Top Layer Security's capabilities beyond its strong distributed denial-of-service (DDoS) protection history and that its technology was protecting customers from all types of malicious content, undesired access and botnet-based attacks. As new threats beyond simple worms and rate-based threats have emerged in recent years, Top Layer Security has kept up, evolving and enhancing its technology to help its customers face these new challenges.”

The information security team at the University of Miami, Miller School of Medicine is made up of: Frank Rodriguez, director of network, security and telecommunications; Vijay Haripal, manger of information security; and Joshua Weisblum and Nathan Morrison, security engineers. The team felt that its former IPS solution gave only a minimal level of security and was not sophisticated enough to mitigate today's more advanced attacks.

“Joshua, Nathan and I did extensive research to choose three high performance IPS solutions that best-fit our environment for evaluation. We then adopted a phased approach in testing and mimicking attacks and chose the best product out of the three solutions.

The team determined that the technology of one of the options was not mature enough and did not provide the ease of management or flexibility it required. Another was still signature-based and when put inline too often went into Layer 2 fallback.

After phasing out one solution, the team concluded its evaluation with Top Layer's IPS 5500, and another vendor's solution, in parallel on the network. They compared their network's traffic and behavior with the entire Top Layer Security rule set active, including: signatures, protocol anomaly protection, application usage awareness, deep-packet inspection and firewall. The Top Layer solution was performing at 28-35 percent capacity, maybe peaks to 50 percent once in a while, which, Haripal says, was quite impressive.

“This sealed the deal, and we then left the Top Layer's IPS 5500 in the network to replace the previous tool. We have never seen a performance hit since putting Top Layer inline, proving to us that Top Layer's ASIC-based architecture and in-line protection mechanisms were truly built for high-performance networks, and not just marketed that way.”

Ken Pappas, vice president of marketing and security strategist at Top Layer Security, says that Top Layer's IPS 5500 delivers non-disruptive protection against risks and loses associated with cyber threats and network attacks.

“The IPS 5500 provides maximum protection for critical IT assets, while allowing full access to legitimate users and applications, protecting against malicious content, undesired access and rate-based attacks such as DDoS. The appliance can be deployed at the network perimeter, on internal network segments, remote site locations, or at the network core to protect assets and stop attacks, delivering high performance, low network latency, reliability and high availability.”

The Miller of School of Medicine has parallel networks in an HA configuration to provide redundancy as part of its disaster recovery plan. To maximize protection, Haripal purchased several more Top Layer IPS 5500s, and positioned them in front of the perimeter firewall to protect against external threats and behind the perimeter firewall to protect against internal threats. Having two data centers which are in an HA configuration made testing two solutions simultaneously a breeze, says Haripal.

“The outside IPS 5500s were tuned to enable more server-protection rules; the inside IPS 5500s tuned for more virus/DDoS protection – essentially, the outside appliances serve as a filter for the inside counterparts. Because of this flexibility in tuning and deployment configuration, the Miller School of Medicine is better able to shape traffic to its specific operational needs," he says. "The architecture of Top Layer IPS that uses ASIC processors and CPUs runs more efficiently and effectively than competing solutions. Because of this design, Top Layer's solution is able to process traffic faster and better, therefore increasing performance and enabling significant traffic flow improvements.”

In addition, The Miller School of Medicine has Top Layer's ProtectionCluster enabled with the four IPS 5500 appliances in place, to make use of additional processing horsepower and load-balancing, in case needed. Haripal says that his team hasn't yet needed the additional horsepower, “but it is certainly nice to have.”

“Top Layer notices what is ‘abnormal' and the solution showcased these great defense capabilities against the attacks that our team threw at it during the testing phase. In addition, testing was not conducted in an evaluation network; it was tested on the production network with no performance impact once installed. Granularity and fine-tuning is key to managing the network, and Top Layer excelled in these areas.”

Haripal says he is finding the tool easy to manage and operate. “We manage the Top Layer IPS via the IPS controller. The IPS Controller maintains constant contact with the IPS devices it is managing. We are able to view health, events, and interface information from one central screen. We are also able to push updates and remotely administer most features. This comes in handy when you have a small security team. We find that Top Layer's IPS solution helps remain safe from attacks and helps us be more efficient and effective.

Help with compliance

It is also an aid in meeting compliance issues. The Top Layer IPS is a technical safeguard that assists with meeting HIPAA regulations for privacy. The standards require the protection of patient data from inappropriate and unauthorized disclosure or use. As well, security standards require the safeguarding of patient data from unauthorized access. The security safeguards fall into three categories (as defined by the regulation): administrative safeguards (administrative actions, policies and procedures, security management), physical safeguards (physical measures, policies, and procedures to protect electronic information systems and related equipment), and technical safeguards (technology assets and security protection for access).

“This ensures we provide a high level of security and we practice due diligence to try to keep data safe," says Haripal.

The convenience and ease of use of the internet is a factor as well. Health care organizations are able to transfer critical patient knowledge and medical information more rapidly and efficiently using the internet, adds Pappas. “Information can be shared globally in an instant to promote faster response times to address patient needs. However, the ubiquitous nature of the internet also creates new opportunities for cybercrime activities that target the core infrastructure element for successful online health care initiatives –the server infrastructure that stores confidential data.”

In an age when malicious attackers have easy access to sophisticated attack tools, health care IT administrators are faced with the challenge of increasing information availability without compromising security, he says. “We have witnessed health care institutions breached by attackers without the knowledge of IT.”

And, the University of Miami has a diverse network, requiring high-performance solutions due to the various sectors it serves. For instance, the university has a high-speed computing facility connected to Internet2, a large research community, students, doctors, faculty, staff etc. that all have different computing needs, so any type of inline device needs to take this into consideration when deployed on the University of Miami network.

“Top Layer gave us the flexibility to identify which rules to apply to which networks,” says Haripal. “The internet pipe comes from the main University of Miami campus and traffic goes between the campuses as well as to the internet. Specifically, the Miller School of Medicine and the University of Miami share a network and we're able to carve out segments that each entity owns, and create specific rules for traffic between the campuses and to deal with external threats. This capability within the Top Layer IPS was a big deciding factor; our previous IPS was too generic, while Top Layer enabled us to get very granular.

Securing critical IT infrastructure by preventing undesired access, protecting against malicious content that exposes private data, and stopping rate-based attacks that can be employed for extortion purposes, are all key considerations in working towards fulfilling compliance with regulations, such as HIPAA and meeting patient expectations.

“The IPS 5500 delivers the right protection, performance and reliability to provide health care organizations the confidence to ensure complete privacy of patient data while providing proper availability,” says Pappas.

Security has always been a priority at the Miller School of Medicine and will always play an important role when expanding and designing the infrastructure, says Haripal. “We have noticed a synonymous trend with technology and security, as the world relies more and more on digital information, attacks are more prevalent and becoming more complex. We are always trying to stay one step ahead by arming ourselves with the latest and greatest security tools.