Branch Office


The SafetyNet Insurance agency is a large company with over 20,000 employees. A majority of the employees are independent agents who pay SafetyNet a franchise fee to be allowed to open a brick-and-mortar storefront. One of the branch offices is located in a strip mall in Charlotte, North Carolina.

The office employs 10 agents and 20 support staff, each with their own computer, for a total of 30 desktops. They also have one Windows server that they use for database services and file sharing. A point-to-point VPN over a high-speed Internet connection allows them to transmit paperwork to SafetyNet headquarters. They use the same Internet connection without the VPN for e-mail, web browsing, and so on (see Figure 11-3).

Figure 11-3. Initial SafetyNet Network Configuration


If the computers or the Internet connection need repair, they can call the "computer guy" who services all of the SafetyNet offices in the county. His salary is subsidized by SafetyNet, but the office still has to pay him an hourly wage. Plus, the guy is really busy, so it sometimes takes him a few days to get to the office to solve the problem.

A few weeks ago, the managers in the office decided to make a major investment in computer security. They had three reasons for the decision:

  • Office computers are frequently infected by viruses that come in via e-mail or web browsing. The viruses sometimes propagate through the VPN to SafetyNet headquarters. When the headquarters technicians detect that a virus is coming from a branch office, the response required by headquarters security policy is to drop the VPN tunnel until the branch office computers are cleaned. Headquarters would rather lose the connection to a branch office than risk a major security incident at headquarters.

    Headquarters dropped the VPN several times last year, and every time it does, the office has to wait several days until the computer guy can get there and clean the infected systems. During that time, the office can still sell policies, but it has to transmit paperwork and get quotes via fax, which really delays the process and costs business.

  • Many of the employees don't have high-speed Internet connections at home, so they use the office computers to surf the web during off-hours. Lately, the company has had to pay the computer guy a tremendous amount of money to remove spyware and adware that was inadvertently installed by employees who were surfing the web.

  • A fair amount of employee turnover occurs at this branch. Six months ago, an agent left to work for another agency and took the office's entire client list with her. She used the list to contact many of the SafetyNet policyholders and convince them to move to her agency.

They hired a computer security consultant to help them. He immediately suggested that IPS could alleviate many of their problems.

Limiting Factors

Before the consultant could get started, the office management made him aware of the limitations under which he had to work. They explained that although the office doesn't have a computer security policy, headquarters has one with specific caveats that apply to all branch offices. A few of the guidelines in the policy appeared to be applicable:

  • All branch office computers must run virus protection of some kind at all times.

  • Branch offices must make a best effort to keep virus protection up-to-date.

  • The Internet router, where the VPN is terminated, is supplied and maintained by headquarters.

    The branch office is prohibited from modifying the operation of the router or VPN in any way.

Security Policy Goals

When the consultant asked them what their goals for the project were, they listed four:

  • Make it harder for employees to steal valuable information.

  • Reduce support costs related to the cleanup of spyware and adware.

  • Cut down on the number of times headquarters has to drop the VPN connection because an office computer is infected with a virus.

  • Accomplish all of the goals without significantly increasing ongoing costs.

HIPS Implementation

SafetyNet's consultant used the limiting factors and goals to create an initial HIPS project plan. The plan defined the following:

  • Target hosts

  • Management architecture

  • Agent configuration

Target Hosts

The headquarters security policy requires that all of the branch office systems run virus protection. IPS falls into the virus protection category, so all hosts are targets for HIPS.

Management Architecture

One of the limiting factors SafetyNet shared with the consultant is that they don't want to spend much money keeping the HIPS up-to-date. Also, they don't have the expertise to make HIPS configuration changes after the consultant leaves. To address both of these issues, the HIPS is to be managed by a reasonably priced managed security service provider (MSSP).

The consultant is to do the initial agent deployment and configuration. Once he is finished, the agents are to be configured to report events and receive security settings from the MSSP's management server. Also, the MSSP delivers weekly status reports to the office manager.

Agent Configuration

HIPS can help address all of SafetyNet's goals. To do so, it will be configured to

  • Prevent the customer database from being copied to the desktops from the server, printed, or compressed. That way, it's harder to steal.

  • Make sure that the only program that can access the customer database is the customer management program. This is so that employees can't use a database management tool of their own to read the database and export it into another program.

  • As a theft deterrent, track all accesses of the customer database.

  • Reduce virus, worm, and Trojan infections so that headquarters does not drop the VPN connection.

  • Stop adware and spyware.
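The first three agent rules above (no copying, printing, or compressing the customer database; only the customer management program may open it; every access is tracked) are the kind of file-access policy a HIPS agent enforces on each desktop. The following is an added example, not code from the book or from any HIPS product, that models those rules as a small rule evaluator with an audit trail. The database path, the customer-management program name, and the operation names are assumptions made for the example.

```python
"""Host access policy for the SafetyNet customer database.

Added example: this is not code from the book or from any HIPS product. It
models the agent rules as a small rule evaluator with an audit trail. The
database path, the customer-management program name and the operation names
are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import List

# Assumed location of the customer database on the branch file server.
CUSTOMER_DB = r"\\fileserver\data\customers.mdb"
# Assumed name of the customer management program (the only permitted reader).
ALLOWED_PROCESS = "custmgmt.exe"
# Operations that make the data easy to walk out with: denied for every process.
EXFIL_OPS = {"copy", "print", "compress"}


@dataclass
class AccessEvent:
    """One file operation intercepted by the host agent (constructed for the demo)."""
    user: str
    process: str
    path: str
    operation: str  # "read", "write", "copy", "print" or "compress"


@dataclass
class Decision:
    allowed: bool
    reason: str


class CustomerDbPolicy:
    """Evaluates access events; every decision about the database is recorded."""

    def __init__(self) -> None:
        self.audit_log: List[str] = []

    def evaluate(self, ev: AccessEvent) -> Decision:
        # The rules only concern the customer database; other files are untouched.
        if ev.path.lower() != CUSTOMER_DB.lower():
            return Decision(True, "not the customer database")

        if ev.operation in EXFIL_OPS:
            decision = Decision(False, f"{ev.operation} of the customer database is blocked")
        elif ev.process.lower() != ALLOWED_PROCESS:
            decision = Decision(False, f"{ev.process} is not the customer management program")
        else:
            decision = Decision(True, "access through the customer management program")

        # Theft deterrent: every touch of the database, allowed or not, is logged.
        self.audit_log.append(
            f"user={ev.user} process={ev.process} op={ev.operation} "
            f"allowed={decision.allowed} reason={decision.reason}"
        )
        return decision


def run_demo() -> List[Decision]:
    """Evaluate a handful of constructed events and return the decisions."""
    policy = CustomerDbPolicy()
    events = [
        AccessEvent("agent01", "custmgmt.exe", CUSTOMER_DB, "read"),   # normal use
        AccessEvent("agent01", "msaccess.exe", CUSTOMER_DB, "read"),   # wrong program
        AccessEvent("agent02", "custmgmt.exe", CUSTOMER_DB, "print"),  # printing the list
        AccessEvent("agent02", "explorer.exe", CUSTOMER_DB, "copy"),   # copying to a desktop
        AccessEvent("agent03", "winword.exe", r"\\fileserver\data\memo.doc", "read"),
    ]
    decisions = [policy.evaluate(e) for e in events]
    for line in policy.audit_log:
        print(line)
    return decisions


if __name__ == "__main__":
    run_demo()
```

Note the order of the checks: the copy, print, and compress rule is evaluated before the process rule, so even the permitted customer management program cannot be used to print or package the list, which is exactly the "harder to steal" property the office asked for. The audit log records denied attempts as well as permitted ones, so the MSSP's weekly report can show who tried what.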

NIPS Implementation

Many of the problems faced by SafetyNet can be addressed using HIPS. The consultant also decided to use NIPS to help keep headquarters from taking down the VPN connection, by installing an in-line sensor that drops all virus traffic (using IPS virus signatures) before it leaves or enters the Charlotte branch.

Sensor Deployment

The Charlotte branch decides to deploy an in-line NIPS sensor between their network and the VPN router connected to headquarters. By dropping all known virus-related traffic, they hope to keep the branch VPN operational (even if they have an infected system) while gaining time to clean the infected system (see Figure 11-4).

Figure 11-4. Final SafetyNet Network Configuration


Using an in-line NIPS sensor, the Charlotte branch decides to drop the initial virus traffic (using virus-based signatures) and then block all traffic from the infected host for 24 hours (allowing time for the machine to be cleaned). If the virus is detected over a weekend, the traffic from the infected host is blocked for a longer period of time.

NIPS Management

The Charlotte office decides that the configuration on their sensor is not going to change very often. Furthermore, their research indicates that the virus-based NIPS signatures are accurate (the false alarm rate is very low). Therefore, the Charlotte branch decides to pay a consultant to initially configure the sensor and update the configuration quarterly. They plan to use the same MSSP that is monitoring their HIPS to manage the NIPS deployment.

To test the effectiveness of their in-line sensor, the managers decide to have the consultant configure the NIPS to generate an e-mail to all of the branch managers whenever an infected system is detected.
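The sensor behaviour described under Sensor Deployment (drop the matching packet, then block the infected host for 24 hours, or longer over a weekend) and the e-mail notification just described are straightforward to model. The following is an added example, not code from the book or from any sensor product. It keeps the block table keyed by source IP rather than by branch, which is the distinction the later headquarters deployment relies on. It assumes that the "longer period" over a weekend means "until 08:00 on the following Monday", and the manager address and the signature name are constructed.

```python
"""Quarantine timing and notification for the in-line NIPS sensor.

Added example: not code from the book or from any sensor product. It models
the sensor's response: drop the matching packet, block the infected host
(keyed by source IP, not by branch) for 24 hours, extend the block when the
detection falls on a weekend, and queue an e-mail to the branch managers.
Assumptions: the "longer period" over a weekend is taken as "until 08:00 on
the following Monday"; the manager address and signature name are constructed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Dict, List

BLOCK_HOURS = 24
MONDAY_RELEASE_HOUR = 8  # assumed: blocks placed over a weekend lift on Monday morning


def block_expiry(detected_at: datetime) -> datetime:
    """When a block placed at detected_at should be lifted."""
    expiry = detected_at + timedelta(hours=BLOCK_HOURS)
    # weekday(): Monday=0 ... Saturday=5, Sunday=6. Nobody cleans machines on
    # the weekend, so a weekend detection stays blocked at least until Monday.
    if detected_at.weekday() >= 5:
        monday = (detected_at + timedelta(days=7 - detected_at.weekday())).replace(
            hour=MONDAY_RELEASE_HOUR, minute=0, second=0, microsecond=0)
        expiry = max(expiry, monday)
    return expiry


class InlineSensor:
    """Minimal model of the in-line sensor's blocking table and alert queue."""

    def __init__(self, manager_addresses: List[str]) -> None:
        self.managers = manager_addresses
        self.blocked: Dict[str, datetime] = {}  # source IP -> block expiry
        self.outbox: List[dict] = []            # e-mails the sensor would send

    def on_signature_match(self, src_ip: str, signature: str, now: datetime) -> str:
        """Called when a virus signature fires on traffic from src_ip."""
        ip = str(ip_address(src_ip))  # rejects malformed addresses
        # Start a new block (and one e-mail) only if the host is not already blocked,
        # so a chatty infected host does not flood the managers with alerts.
        if ip not in self.blocked or self.blocked[ip] <= now:
            self.blocked[ip] = block_expiry(now)
            self.outbox.append({
                "to": list(self.managers),
                "subject": f"Infected host {ip} blocked by branch NIPS",
                "body": (f"Signature {signature} matched traffic from {ip} at "
                         f"{now:%Y-%m-%d %H:%M}. Host is blocked until "
                         f"{self.blocked[ip]:%Y-%m-%d %H:%M}; please arrange cleanup."),
            })
        return "drop"  # the packet that matched never crosses the sensor

    def verdict(self, src_ip: str, now: datetime) -> str:
        """Forward or drop ordinary (non-matching) traffic from src_ip."""
        expiry = self.blocked.get(src_ip)
        if expiry is None:
            return "forward"
        if now >= expiry:
            del self.blocked[src_ip]  # block has aged out
            return "forward"
        return "drop"


def run_demo() -> dict:
    """Exercise the sensor on constructed events; returns the results for inspection."""
    weekday = datetime(2024, 6, 5, 10, 0)   # a Wednesday
    saturday = datetime(2024, 6, 8, 14, 0)  # a Saturday
    sensor = InlineSensor(["branch-managers@example.com"])  # constructed address
    return {
        "weekday_expiry": block_expiry(weekday).isoformat(),
        "saturday_expiry": block_expiry(saturday).isoformat(),
        "first_match": sensor.on_signature_match("192.0.2.10", "W32/Constructed.A", weekday),
        "blocked_1h_later": sensor.verdict("192.0.2.10", weekday + timedelta(hours=1)),
        "other_host": sensor.verdict("192.0.2.11", weekday),
        "repeat_match": sensor.on_signature_match(
            "192.0.2.10", "W32/Constructed.A", weekday + timedelta(hours=2)),
        "emails_sent": len(sensor.outbox),
        "after_expiry": sensor.verdict("192.0.2.10", weekday + timedelta(hours=25)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two points are worth noticing. A Friday-evening detection is not treated as a weekend case, so that host is released 24 hours later whether or not anyone has cleaned it; if the office wants Friday-night infections held until Monday as well, the weekday check is the one line to change. And because the table is keyed by host address, the second signature match from the same host extends nothing and sends nothing, while traffic from every other desktop keeps flowing, which is what keeps the branch VPN up while one machine waits for the computer guy.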

Note

The Charlotte deployment goes very well, and infections not detected by HIPS are blocked by the NIPS sensor. Headquarters notices that during the last year, it has never had to drop the Charlotte branch VPN connection because of an infected system. After investigating the Charlotte solution, SafetyNet decides to protect all of its branches in a similar fashion. Instead of deploying in-line sensors at each branch, it decides to deploy the NIPS sensors at the headquarters site. By deploying sensors at the headquarters location, it reduces cost and management effort, because traffic from all of the branches can be monitored with fewer sensors (a single sensor can handle multiple branches). Furthermore, the in-line sensors enable SafetyNet to modify its security policy to state that all traffic from an infected system will be blocked for 24 hours, instead of all traffic from a specific branch, thereby reducing lost business opportunities.





Intrusion Prevention Fundamentals
ISBN: 1587052393