BLI Bank, headquartered in Green Bay, is a regional bank serving most of northern Wisconsin. The bank has 25 branches, with an average of 20 dumb terminals at each branch. The terminals connect back to a mainframe at headquarters. Branch operations are supported by 500 employees at headquarters who have desktops. A few years ago, BLI created an investment group in an effort to boost profits. The investment section has 1500 employees, all of whom are located at headquarters. The branch operations and investment groups share a T3 connection to the Internet (see Figure 11-5).

Figure 11-5. Initial BLI Bank Network Configuration

Naturally, computer security is important to BLI, as it should be for any financial institution. BLI doesn't have a particularly large IT staff, but they are qualified. They conduct regular risk analyses, maintain a rigorous security policy, and implement a very good computer security program. Recently, information security at financial institutions has come under increased government scrutiny. BLI has to comply with several new sets of regulations. It has to find a way to fulfill the requirements in the regulations with very limited IT resources. The staff believes that an IPS can help them accomplish the task with the resources they have.

Limiting Factors

BLI must keep in mind a number of limiting factors as it decides how to use and deploy IPS:
Security Policy Goals

The BLI information security team analyzed the new regulations and modified its corporate security policy accordingly. Then, it reviewed the policy and listed the requirements that an IPS could fulfill:
HIPS Implementation

BLI used the goals and limiting factors to come up with a high-level HIPS deployment plan. The plan defined the following:
Target Hosts

All hosts have to have an agent if BLI is going to enforce the regulatory requirements. The deployment starts with the branch operations machines because they are more important to the regulators. The investment hosts follow.

Management Architecture

The total number of hosts is less than 10,000, so a single management server architecture is appropriate. To prove to regulators that it is enforcing the regulations, BLI wants to be able to capture all HIPS events without losing any. A redundant management server with automatic failover can virtually assure that events are not lost.

Agent Configuration

BLI kept two factors in mind as it planned for the HIPS configuration. The first was that it had to fulfill the regulatory requirements. The second was that it had to do so without having to devote many resources to ongoing agent management. It wants to keep the management tasks down to only a few hours per week. To reduce ongoing management costs, BLI decided to disable all of the IPS features in its HIPS product. It felt that its existing security tools, such as antivirus and firewalls, were stopping malware well enough. The agent would be configured to enforce the following policies only:
NIPS Implementation

BLI Bank realizes that HIPS can provide it only a certain degree of protection. Therefore, it decided to supplement its HIPS deployment with a NIPS deployment as well. The NIPS deployment helps enforce network separation along with some regulatory requirements.

Sensor Deployment

BLI Bank has to worry about regulatory requirements as well as the separation between the investment operations and the normal banking transactions. From a network perspective, it decided to deploy in-line IPS sensors at the Internet perimeter and between the investment group and the rest of the bank's network. The sensor monitoring the investment group not only monitors attacks originating from the investment group systems, but is also configured to drop any connections from the investment group to the bank's network. Only connections from the investment group to the Internet are allowed (see Figure 11-6).

Figure 11-6. Final BLI Bank Network Configuration

NIPS Management

BLI has a limited IT staff, so it decided to have a consultant initially install and configure its NIPS sensors. After the initial configuration, it feels that its current IT staff can maintain and monitor the IPS sensors.
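The segmentation rule enforced by the sensor between the investment group and the rest of the bank can be modelled to check the policy before it is loaded on real hardware. The following is an added example, not from the book or from any IPS vendor; the address ranges, the sample flows, and the choice to "pass" traffic that does not originate in the investment segment on to normal signature inspection are assumptions, since the case study gives none of them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): the case study gives no addresses.
ZONES = {
    "bank": [ipaddress.ip_network("10.10.0.0/16")],        # branches, HQ desktops, mainframe
    "investment": [ipaddress.ip_network("10.20.0.0/16")],  # investment group segment
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def zone_of(addr: str) -> str:
    """Map an address to a zone name; anything outside internal space is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"

def investment_sensor_decision(flow: Flow) -> tuple[str, str]:
    """Segmentation rule of the in-line sensor between the investment group and the bank.

    Investment-originated connections are allowed only toward the Internet; any
    investment -> bank connection is dropped. Traffic that does not originate in the
    investment segment is not subject to this rule and is handed to normal inspection
    ('pass' here, an assumption of this model).
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone != "investment":
        return "pass", f"{src_zone}->{dst_zone}: not covered by the segmentation rule"
    if dst_zone == "internet":
        return "allow", "investment->internet: permitted by policy"
    return "drop", f"investment->{dst_zone}: blocked by segmentation policy"

def evaluate(flows):
    """Apply the rule to every flow and return one event record per decision."""
    return [
        {"src": f.src, "dst": f.dst, "dport": f.dport, "verdict": v, "reason": r}
        for f in flows for v, r in [investment_sensor_decision(f)]
    ]

SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("10.20.5.17", "203.0.113.10", 443),  # investment workstation to an Internet host
    Flow("10.20.5.17", "10.10.1.5", 3270),    # investment workstation to the mainframe
    Flow("10.10.40.8", "10.10.1.5", 3270),    # branch terminal to the mainframe
]

if __name__ == "__main__":
    for event in evaluate(SAMPLE_FLOWS):
        print(event)
```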