Medium Financial Enterprise


BLI Bank, headquartered in Green Bay, is a regional bank serving most of northern Wisconsin. The bank has 25 branches, with an average of 20 dumb terminals at each branch. The terminals connect back to a mainframe at headquarters. Branch operations are supported by 500 employees at headquarters who have desktops.

A few years ago, BLI created an investment group in an effort to boost profits. The investment section has 1500 employees, all of whom are located at headquarters. The branch operations and investment groups share a T3 connection to the Internet (see Figure 11-5).

Figure 11-5. Initial BLI Bank Network Configuration


Naturally, computer security is important to BLI, as it should be for any financial institution. BLI doesn't have a particularly large IT staff, but they are qualified. They conduct regular risk analyses, maintain a rigorous security policy, and implement a very good computer security program.

Recently, information security at financial institutions has come under increased government scrutiny. BLI has to comply with several new sets of regulations. It has to find a way to fulfill the requirements in the regulations with very limited IT resources. The staff believes that an IPS can help them accomplish the task with the resources they have.

Limiting Factors

BLI must keep in mind a number of limiting factors as it decides how to use and deploy IPS:

  • BLI is a regional bank, so it has limited IT resources, but it is subject to the same regulations that apply to large financial institutions with far more IT resources. It has to maximize the value of IPS by using it to fulfill as many regulatory requirements as it possibly can. At the same time, it has to make sure that it can support the IPS implementation with its small staff.

  • Right now, the investment and branch operations groups are subject to very different regulatory requirements. The branch operations group is regulated far more stringently. BLI can separate the groups to some extent, but it can't afford two Internet connections. It will have to fulfill the requirements even though both groups share a single Internet connection.

Security Policy Goals

The BLI information security team analyzed the new regulations and modified its corporate security policy accordingly. Then, it reviewed the policy and listed the requirements that an IPS could fulfill:

  • BLI must employ a neutral company to conduct remote penetration tests to make sure that BLI's countermeasures are working. BLI must be able to internally verify that the penetration tests are occurring regularly.

  • All login failures and successes must be logged.

  • All accesses of the mainframe and SQL databases must be tracked.

  • Transactional network traffic must be separated from employee traffic such as e-mail and web browsing.

HIPS Implementation

BLI used the goals and limiting factors to come up with a high-level HIPS deployment plan. The plan defined the following:

  • Target hosts

  • Management architecture

  • Agent configuration

Target Hosts

Every host must have an agent if BLI is to enforce the regulatory requirements. The deployment starts with the branch operations machines because they are more important to the regulators. The investment hosts follow.

Management Architecture

The total number of hosts is fewer than 10,000, so a single management server architecture is appropriate. To prove to regulators that it is enforcing the regulations, BLI wants to be able to capture all HIPS events without losing any. A redundant management server with automatic failover can virtually ensure that no events are lost.
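The following is an added example, not code from the book or from any HIPS product, showing why a redundant management server with automatic failover keeps events from being lost. Two in-memory stand-ins play the primary and secondary management servers, and a small agent-side forwarder tries the primary, fails over to the secondary, and (an assumption the book does not state) spools locally when both are down, replaying the spool in order once a server returns.

```python
"""Added example (not from the book): redundant HIPS management servers with
automatic failover, driven through an outage scenario. The agent-side spool
is an assumption; the book only states that a redundant server with failover
is used so that no events are lost."""


class ManagementServer:
    """Stand-in for a HIPS management server: accepts events while it is up."""

    def __init__(self, name):
        self.name = name
        self.up = True
        self.received = []

    def accept(self, event):
        if not self.up:
            raise ConnectionError(f"{self.name} unreachable")
        self.received.append(event)


class AgentForwarder:
    """Agent-side delivery: primary first, secondary on failure, local spool
    when both are down. Spooled events are replayed before any newer event so
    the console sees them in the order they occurred."""

    def __init__(self, primary, secondary):
        self.servers = [primary, secondary]
        self.spool = []

    def _deliver(self, event):
        """Try each server in order; return the name that accepted the event."""
        for server in self.servers:
            try:
                server.accept(event)
                return server.name
            except ConnectionError:
                continue
        return None

    def flush(self):
        """Replay the spool in order; stop at the first event that still fails."""
        replayed = 0
        while self.spool:
            if self._deliver(self.spool[0]) is None:
                break
            self.spool.pop(0)
            replayed += 1
        return replayed

    def send(self, event):
        """Deliver one event; return the accepting server's name or 'spooled'."""
        self.flush()
        target = self._deliver(event)
        if target is None:
            self.spool.append(event)
            return "spooled"
        return target


def run_scenario():
    """Primary outage, then full outage, then recovery. Returns where each
    event went, everything the servers received, and what is still spooled."""
    primary, secondary = ManagementServer("mgmt-1"), ManagementServer("mgmt-2")
    fwd = AgentForwarder(primary, secondary)
    outcomes = []
    outcomes.append(fwd.send("logon-success jsmith"))      # mgmt-1
    primary.up = False
    outcomes.append(fwd.send("logon-failure admin"))       # failover to mgmt-2
    secondary.up = False
    outcomes.append(fwd.send("sql-connect 10.20.7.31"))    # both down: spooled
    primary.up = True
    outcomes.append(fwd.send("logon-success svc_backup"))  # spool replayed, then mgmt-1
    return {
        "outcomes": outcomes,
        "received": sorted(primary.received + secondary.received),
        "spool": list(fwd.spool),
    }


if __name__ == "__main__":
    print(run_scenario())
```

With a single server, the third event in the scenario would simply be dropped; with failover the second survives the primary outage, and the spool covers the window in which both servers are unreachable.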

Agent Configuration

BLI kept two factors in mind as it planned the HIPS configuration. The first was that it had to fulfill the regulatory requirements. The second was that it had to do so without devoting many resources to ongoing agent management. It wants to keep the management tasks down to only a few hours per week.

To reduce ongoing management costs, BLI decided to disable all of the IPS features in its HIPS product. It felt that its existing security tools, such as antivirus and firewalls, were stopping malware well enough. The agent would be configured to enforce the following policies only:

  • All login failures and successes written to the operating system event log are to be forwarded to the HIPS management console.

  • The agent on the SQL database is to keep track of all IP addresses that connect to it.
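As an added example (not code from the book or from any HIPS vendor), here are the two agent policies above expressed as filters over constructed sample data. The event log format, the use of Windows Security log event IDs 4624 (logon success) and 4625 (logon failure), and the connection-record layout are all assumptions; the book names neither the operating system nor the database product.

```python
"""Added example (not from the book): the two HIPS agent policies BLI enables,
modelled as filters over constructed sample data."""
import re
from collections import Counter

# Constructed sample of an OS event log as the agent might read it. The event
# IDs follow the Windows Security log (4624 = logon success, 4625 = logon
# failure); the book does not name the OS, so that is an assumption.
SAMPLE_EVENT_LOG = """\
2008-03-04 08:01:12 EventID=4624 User=jsmith Workstation=BR07-T03 LogonType=2
2008-03-04 08:01:40 EventID=4625 User=admin Workstation=BR12-T11 LogonType=3 Status=0xC000006D
2008-03-04 08:02:05 EventID=7036 Service=Spooler State=running
2008-03-04 08:02:30 EventID=4625 User=admin Workstation=BR12-T11 LogonType=3 Status=0xC000006D
2008-03-04 08:03:00 EventID=4624 User=svc_backup Workstation=HQ-DB01 LogonType=5
"""

LOGON_EVENT_IDS = {"4624": "success", "4625": "failure"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one log line into its timestamp and key=value fields."""
    timestamp, rest = line[:19], line[20:]
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def select_logon_events(log_text):
    """Policy 1: keep only logon success/failure events for forwarding to the
    management console; every other event stays on the host."""
    forwarded = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        outcome = LOGON_EVENT_IDS.get(event.get("EventID"))
        if outcome is None:
            continue
        forwarded.append({
            "timestamp": event["timestamp"],
            "outcome": outcome,
            "user": event.get("User"),
            "workstation": event.get("Workstation"),
        })
    return forwarded


# Constructed sample of connection records as the SQL server's agent sees
# them: (client_ip, database, action). Addresses are assumed.
SAMPLE_SQL_CONNECTIONS = [
    ("10.20.7.31", "branch_tx", "connect"),
    ("10.20.7.31", "branch_tx", "query"),
    ("10.20.12.44", "branch_tx", "connect"),
    ("10.50.3.9", "branch_tx", "connect"),
    ("10.20.7.31", "branch_tx", "disconnect"),
]


def track_sql_clients(records):
    """Policy 2: record every distinct client IP that connects, with a count
    of its connections, so the list can be produced for regulators."""
    clients = Counter()
    for client_ip, _database, action in records:
        if action == "connect":
            clients[client_ip] += 1
    return dict(clients)


if __name__ == "__main__":
    for event in select_logon_events(SAMPLE_EVENT_LOG):
        print(event)
    print(track_sql_clients(SAMPLE_SQL_CONNECTIONS))
```

The non-logon service event (ID 7036 in the sample) is deliberately left out of the forwarded set: keeping the console feed to just the events the policy names is what keeps the weekly management effort small.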

NIPS Implementation

BLI Bank realizes that HIPS can provide it only a certain degree of protection. Therefore, it decided to supplement its HIPS deployment with a NIPS deployment as well. The NIPS deployment helps enforce network separation along with some regulatory requirements.

Sensor Deployment

BLI Bank has to worry about regulatory requirements as well as the separation between the investment operations and the normal banking transactions. From a network perspective, it decided to deploy in-line IPS sensors at the Internet perimeter and between the investment group and the rest of the bank's network.

The sensor monitoring the investment group not only monitors attacks originating from the investment group systems, but is also configured to drop any connections from the investment group to the bank's network. Only connections from the investment group to the Internet are allowed (see Figure 11-6).

Figure 11-6. Final BLI Bank Network Configuration
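The rule the in-line sensor at the investment boundary enforces, as an added example that is not code from the book or from any sensor product: only connections from the investment group to the Internet pass, and anything else that originates in the investment group is dropped. The address plan, the flow records, and the treatment of connections that do not originate in the investment group (handed to normal signature inspection) are assumptions.

```python
"""Added example (not from the book): the drop/allow rule enforced by the
in-line sensor between the investment group and the rest of the bank's
network, evaluated over constructed connection records."""
import ipaddress
from collections import Counter

# Assumed address plan; the book gives no addresses.
INVESTMENT_NET = ipaddress.ip_network("10.50.0.0/16")
BANK_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),  # branch operations terminals
    ipaddress.ip_network("10.10.0.0/24"),  # headquarters mainframe and SQL servers
]


def classify(addr):
    """Name the zone an address belongs to. Anything outside the two internal
    zones is reached only through the shared Internet connection, so the
    sensor treats it as 'internet'. A private-range test is deliberately
    avoided: it would misclassify documentation ranges such as 203.0.113.0/24."""
    ip = ipaddress.ip_address(addr)
    if ip in INVESTMENT_NET:
        return "investment"
    if any(ip in net for net in BANK_NETS):
        return "bank"
    return "internet"


def decide(flow):
    """Verdict for one new connection: ('allow'|'drop'|'inspect', reason).
    Only investment -> Internet is allowed; any other connection originating
    in the investment group is dropped in-line. Connections not originating
    there fall through to the sensor's normal attack inspection (assumed;
    the book states no separate rule for them)."""
    src, dst = classify(flow["src"]), classify(flow["dst"])
    if src == "investment":
        if dst == "internet":
            return "allow", "investment-to-Internet permitted"
        return "drop", f"investment group may not reach the {dst} zone"
    return "inspect", "not investment-originated; signature inspection only"


# Constructed sample of connections as the sensor would see them.
SAMPLE_FLOWS = [
    {"src": "10.50.3.9", "dst": "10.20.7.31", "dport": 1433},      # investment -> branch SQL
    {"src": "10.50.3.9", "dst": "203.0.113.10", "dport": 443},     # investment -> Internet
    {"src": "10.50.3.9", "dst": "10.10.0.5", "dport": 23},         # investment -> mainframe
    {"src": "10.50.8.200", "dst": "198.51.100.7", "dport": 25},    # investment -> Internet
    {"src": "10.20.7.31", "dst": "203.0.113.10", "dport": 80},     # branch -> Internet
]


def summarize(flows):
    """Per-verdict counts plus a dropped-by-source table, the kind of summary
    BLI could show regulators to demonstrate that the separation is enforced."""
    verdicts = Counter()
    dropped_by_source = Counter()
    for flow in flows:
        verdict, _reason = decide(flow)
        verdicts[verdict] += 1
        if verdict == "drop":
            dropped_by_source[flow["src"]] += 1
    return {"verdicts": dict(verdicts), "dropped_by_source": dict(dropped_by_source)}


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["src"], "->", flow["dst"], decide(flow))
    print(summarize(SAMPLE_FLOWS))
```

Because the sensor is in-line, a "drop" verdict means the connection attempt never reaches the bank side at all; the dropped-by-source table is also the natural place to notice an investment host that keeps trying.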


NIPS Management

BLI has a limited IT staff, so it decided to have a consultant initially install and configure its NIPS sensors. After the initial configuration, it feels that its current IT staff can maintain and monitor the IPS sensors.




Intrusion Prevention Fundamentals
ISBN: 1587052393