Financial institutions need to balance a high level of security with convenient access for their diverse set of users. So, when the legacy network access control (NAC) system of Credit First National Association (CFNA) failed an internal penetration test during an audit, Timothy Lynch Childress, manager of CFNA Network Services, Bridgestone Firestone, was stunned.
“Even with a NAC solution in place, an auditor was able to access our network in less than 10 minutes just using his laptop,” Childress says. “We are required to ensure compliance with regulations of the Office of the Comptroller of the Currency, and keeping our customer and employee data safe is paramount.” He and his four-member IT team began looking for a new solution immediately.
CFNA, a federally chartered, limited-purpose credit card bank, and a wholly owned subsidiary of Bridgestone Retail Operations, issues credit cards to customers of Firestone Complete Auto Care Stores and independent dealers who have commercial relationships with Bridgestone America Tire Operations. The company employs 200 people in Brook Park, Ohio.
Knowing what they didn't want, after an unsatisfactory experience with the company's legacy NAC solution, made it easy for the CFNA staff to articulate exactly what they needed in a new one: the ability to prevent rogue devices from accessing the network, increased visibility, and enforceable policies that could be modified as needed. The company also required an easy, preferably self-service, remediation process, because CFNA's previous NAC solution required users to call the help desk any time they failed a scan.
It was also essential that any solution they chose be virtually invisible to network users. “We really wanted to improve our user experience with NAC, because while visibility is essential to us, our users found our previous tool to be an intrusion,” Childress says. “Our legacy NAC prevented users from logging on while a lengthy policy scan was completed, and response time was impacted by virtually anything happening on the network.”
After Childress and his team evaluated a number of network access control solutions, they chose Network Sentry from Bradford Networks to enforce NAC across the CFNA network environment.
“Once I saw the control and visibility that Network Sentry provided, I was convinced,” Childress says. “The simplified end-user experience really sealed the deal. Given the problems we had with our previous NAC solutions, Network Sentry has been a breath of fresh air.”
The adaptive network security (ANS) platform automatically responds and securely provisions network resources based on pre-established policies, says Frank Andrus, CTO of Concord, N.H.-based Bradford Networks. "The platform integrates and correlates network resources, user information and device information to make networks more secure and more accessible," he says.
The solution uses an out-of-band, policy-driven architecture to deliver centrally managed visibility and access control across wired, wireless, and VPN environments, says Andrus. "Elements in the network environment, including switches, wireless access points and VPN concentrators, are leveraged to gain visibility of all connected users and devices, and to enforce access policies at the edge of the network."
The tool's architecture also allows it to be deployed in phases to meet unique requirements of different organizations. For example, deploying first in “monitor-only” mode provides network-wide visibility of all users and endpoint devices on the network, while being completely transparent. This allows an organization to “baseline” the network to determine whether users and endpoint devices are compliant with security policies without adversely impacting anyone's network access, says Andrus.
"The organization can then move on to enforce access policies in later phases of deployment," he says. "Advanced capabilities, such as device profiling and securing guest access, can be added in later phases as well, without needing to deploy additional hardware or reconfigure the system. This gives Bradford customers the ability to adapt the Network Sentry platform to their own environment."
Network access policies are associated with a unique identity profile consisting of user name, user role, host (device) name, MAC address, IP address, network access location, and time, Andrus adds. User identity and role information are ascertained via integration with authentication and directory services, such as RADIUS, Active Directory and LDAP-based directory services. Further, persistent and dissolvable agents are offered for endpoint assessment of Windows, Mac OS X and Linux devices, while “agentless” assessment is achieved via a directory-based scanning feature.
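To make the identity-profile model concrete, the following is an added illustrative example in Python of how such a policy engine evaluates a connection attempt against the attributes Andrus lists (user, role, host, MAC, IP, location, time), and how the monitor-only phase described above differs from the later enforcement phase. It is not Bradford's code or Network Sentry's policy language; the rule structure, VLAN and port names, quarantine handling and the device registry are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Mode(Enum):
    MONITOR = "monitor"  # first phase: record decisions, touch no switch port
    ENFORCE = "enforce"  # later phase: push the decision to the edge port


@dataclass(frozen=True)
class IdentityProfile:
    """The attributes the article lists as making up one identity profile."""
    user: Optional[str]   # None when nothing authenticated (e.g. a stray laptop)
    role: Optional[str]
    host: Optional[str]
    mac: str
    ip: str
    location: str         # edge port the device appeared on, e.g. "sw1/Gi1/0/7"
    at: time


@dataclass(frozen=True)
class Rule:
    name: str
    roles: FrozenSet[str]                # roles the rule applies to
    locations: Optional[FrozenSet[str]]  # None means any location
    start: time                          # allowed time window (inclusive)
    end: time
    vlan: str                            # VLAN granted on match


@dataclass(frozen=True)
class Decision:
    action: str    # "allow", "quarantine" or "deny"
    vlan: str
    reason: str
    applied: bool  # False in monitor-only mode: decision logged, port untouched


QUARANTINE_VLAN = "vlan-quarantine"  # assumed name, not from the page


def normalize_mac(mac: str) -> str:
    """Canonicalise MAC spellings so 'AA-BB-CC-DD-EE-FF' and 'aabb.ccdd.eeff'
    look up the same registered device instead of slipping past the registry."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def decide(profile: IdentityProfile, rules, known_devices) -> Tuple[str, str, str]:
    """Return (action, vlan, reason) for one connection attempt."""
    mac = normalize_mac(profile.mac)
    # Only registered, company-owned devices get past this point; anything
    # else lands in quarantine and the attempt, with its location, is logged.
    if mac not in known_devices:
        return "quarantine", QUARANTINE_VLAN, f"unregistered device {mac} on {profile.location}"
    if profile.user is None or profile.role is None:
        return "deny", QUARANTINE_VLAN, f"registered device {mac} without an authenticated user"
    for rule in rules:  # first matching rule wins
        if profile.role not in rule.roles:
            continue
        if rule.locations is not None and profile.location not in rule.locations:
            continue
        if not (rule.start <= profile.at <= rule.end):
            continue
        return "allow", rule.vlan, f"matched rule {rule.name!r}"
    return "deny", QUARANTINE_VLAN, "no rule grants this role/location/time"


class NacController:
    """Out-of-band controller: evaluates each profile and, in enforce mode,
    records the VLAN it would set on the switch port (a simulated port table)."""

    def __init__(self, rules, known_devices, mode: Mode):
        self.rules = list(rules)
        self.known = {normalize_mac(m): h for m, h in known_devices.items()}
        self.mode = mode
        self.port_vlan: Dict[str, str] = {}  # simulated switch port -> VLAN
        self.log: List[Decision] = []

    def connect(self, profile: IdentityProfile) -> Decision:
        action, vlan, reason = decide(profile, self.rules, self.known)
        applied = self.mode is Mode.ENFORCE
        if applied:
            self.port_vlan[profile.location] = vlan
        decision = Decision(action, vlan, reason, applied)
        self.log.append(decision)
        return decision


# Constructed sample registry, rules and connection attempts (not from the page).
KNOWN_DEVICES = {"00:11:22:33:44:55": "ws-acct-01", "66-77-88-99-AA-BB": "lt-it-02"}
RULES = [
    Rule("staff business hours", frozenset({"staff"}), None, time(7, 0), time(19, 0), "vlan-users"),
    Rule("netadmin from IT port", frozenset({"netadmin"}), frozenset({"sw1/Gi1/0/1"}),
         time(0, 0), time(23, 59), "vlan-admin"),
]
ATTEMPTS = [
    IdentityProfile("alice", "staff", "ws-acct-01", "0011.2233.4455", "10.1.1.20", "sw1/Gi1/0/7", time(10, 15)),
    IdentityProfile(None, None, None, "de:ad:be:ef:00:01", "10.1.1.99", "sw1/Gi1/0/9", time(10, 16)),
    IdentityProfile("alice", "staff", "ws-acct-01", "00:11:22:33:44:55", "10.1.1.20", "sw1/Gi1/0/7", time(23, 30)),
    IdentityProfile("bob", "netadmin", "lt-it-02", "66:77:88:99:aa:bb", "10.1.1.5", "sw1/Gi1/0/1", time(23, 30)),
]


def run(mode: Mode) -> NacController:
    nac = NacController(RULES, KNOWN_DEVICES, mode)
    for attempt in ATTEMPTS:
        nac.connect(attempt)
    return nac


if __name__ == "__main__":
    for mode in Mode:
        for d in run(mode).log:
            print(f"[{mode.value}] {d.action:<10} {d.vlan:<16} applied={d.applied}  {d.reason}")
```

Running it in monitor mode produces the same four decisions as enforce mode but leaves the port table empty, which is what lets an organisation baseline who would be quarantined or denied before any user loses access. The MAC normalisation step is the kind of detail that matters in practice: a device registry keyed on one spelling of an address is only as good as the canonicalisation applied to what the switch reports.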
Integration with third-party security devices, such as IDS/IPS and other systems, is also supported, enabling existing technology investments to be leveraged for more comprehensive security policy enforcement, says Andrus.
The implementation of the solution at CFNA includes a number of components. Network Sentry Foundation is the intelligent base of the Network Sentry family. It has built-in network security and policy management software in the hardware appliance. Access Manager provides visibility and control of all users and devices on a campus network to prevent unauthorized access and keep the network secure, while Device Tracker prevents rogue devices and locks down the network to allow only known, authorized devices. Endpoint Compliance validates the security posture of endpoint devices, detects any vulnerability and enables actions to quarantine and self-remediate. Further, Integration Suite allows integration with third-party security systems and correlates device information to enhance security and control.
Now that the solution is in place, updates are delivered remotely in several ways. Updates to the Network Sentry system software (for example, from version 4.1.x to version 4.1.y) are performed by downloading the new software version from Bradford's website and installing the system update through the user interface. Updates to the persistent agent (an optional component of Network Sentry) are triggered when a host connects to the network and its agent begins to communicate with Network Sentry: the agent version number on the host is checked by Network Sentry, and if it is out of date an update is initiated automatically. In addition, Bradford provides weekly updates, called Auto-Definition updates, that contain support for a number of components. Customers can configure Network Sentry to download and install these updates automatically each week from Bradford's secure download site, or download and install them manually.
Bradford Networks worked with Childress and his team to implement Network Sentry in just a few days, and a follow-up penetration test proved the strength of the new solution.
Since the implementation, CFNA has completely eliminated all rogue connections, Childress says. If an unauthorized user tries to connect to the CFNA network, the IT team can see the attempt, including the location, immediately.
This level of visibility and control has also saved time and resources for CFNA network administrators who can easily make configuration changes and monitor network ports and devices. In fact, administration problems associated with the legacy NAC used to take as long as two hours each day to resolve – now the team spends less than two hours each week administering the solution.
“Network Sentry has a unique way of working at the switch port level to control network devices, actually issuing command line functions at the switch itself,” Childress says. “This interaction with network ports ensures complete control.”
At the same time, he says that end-user satisfaction has increased significantly owing to the device's policy scans, which, he says, are virtually invisible to the end-user. Also, since remediation is now accomplished automatically, the user experience is improved and calls to the help desk related to remediation have been reduced by 75 percent, allowing the team to focus on more critical projects.
Upon completion of the initial phase of implementation – in which CFNA worked with Bradford to ensure security policies were up to date and to lock down the network to prevent rogue connections – CFNA began to integrate their patch management system with Network Sentry.
Network Sentry ensures that only approved, company-owned devices can access the CFNA network. Any other device that attempts to connect is automatically quarantined and the IT staff is notified of the attempt.
"Whereas a few years ago our greatest fear was a rogue device accessing our network to launch externally facing attacks, such as DoS using our servers, our primary focus now is preventing outsiders from accessing the data on our network," says Childress.
In the future, CFNA will roll out wireless LAN access points and begin a conversion to VoIP. As with its network, the financial institution intends to secure those implementations with Bradford's Network Sentry.
Each business environment poses unique challenges. In the financial services segment, the critical nature of confidential customer data requires strict adherence to industry and government regulations for security and data protection.
"The visibility and control delivered by Bradford's Network Sentry helps customers in this market segment to meet requirements of PCI DSS (Payment Card Industry Data Security Standard) and similar regulatory standards," says Andrus.
However, the greatest benefit CFNA has realized is less tangible. “With Network Sentry we feel confident in knowing that our network is secure, that our users and customers are protected, and that we are in control,” Childress says. “Recent penetration tests have proven what we know for sure: Network Sentry works.”
Greg Masters is managing editor of SC Magazine. He can be reached at [email protected].