On Location: Bank Gets the NAC for Internal Security

No CIO wants to take a step backward when securing an enterprise network. Yet that's exactly what Jim Hochstatter, the vice president of technology for Ulster Savings Bank, Kingston, NY, was asked to do when an auditor declared the bank's procedures for protecting against internal threats lacking.

"Based on how he interpreted Federal Reserve security rules, the auditor [from MessageSecure] was concerned with the accountability of internal activity on specific workstations and devices," Hochstatter says. "He felt a static IP environment was the best direction to go to help securely manage our end points."

But moving from DHCP, which dynamically assigns IP addresses to devices as they connect to the network, to a static IP environment was out of the question. "It's an archaic way to manage a network," Hochstatter says.

Yet he still had to find a way to address the auditor's concerns or face significant fines. After researching various alternatives he turned to an emerging product in the security arena: a network access control (NAC) appliance. The NAC deployment ensures that only authorized devices connect to the internal network and enforces security policies on those devices.

The appliance, InfoExpress's CyberGatekeeper LAN, operates with the 802.1x security standard to assess the operational profile of endpoint resources each time they access the network. Working in conjunction with the company's Foundry Networks Ethernet switches, the CyberGatekeeper box admits or quarantines devices depending on the presence of CyberGatekeeper agent and whether the devices comply with the bank's security policies. Hochstatter can be confident that, for example, each device's OS is patched and its antivirus is up to date.

NETWORK ACCESS CONTROL
Immersion Center

NEWS | REVIEWS | BLOGS | FORUMS TUTORIALS | STRATEGY | MORE

Now fully deployed, the system gives Hochstatter and Ulster Savings Bank, which has about 350 employees and $620 million in assets, two key benefits. First, it ensures that the bank's internal systems comply with a wide range of threat-mitigation standards, especially those established by the Federal Financial Institutions Examination Council (FFEIC), required in the heavily regulated financial services industry.

Second, Hochstatter's five-person IT department is positioned to efficiently and cost-effectively deal with Ulster Savings Bank's projected 50 percent growth rate. Hochstatter says this is crucial to his goal of using technology to help the bank meet its aggressive expansion efforts.

Room To GrowWhen Hochstatter joined Ulster Savings Bank in 2004, he faced two challenges. At the top of the list was upgrading and managing the bank's IT infrastructure so it could support Ulster's aggressive growth strategy, including establishing the bank's first direct connection to the Internet to support customer self-service banking.

The second key objective was to streamline IT processes and improve workflow to "create a logically smaller and more nimble IT organization, so we need less overhead to support more customers," Hochstatter says. "We can't linearly grow our back-office staff with customer volume growth, so we need to do more with less and at the same time improve customer-services capabilities."

In early 2005, he found himself dealing with yet another challenge: Although the bank's annual security audit by MessageSecure, which assesses the security of small and midsize financial institutions' IT resources, revealed that its customer-facing systems were sufficiently hardened, the audit discovered the bank's internal security procedures were insufficient.

"That's not to say we had wide open access to critical network resources," Hochstatter says. "Less than 10 percent of our network was noncompliant--not at the right operating system level, old antivirus definitions, and a few had Yahoo toolbars installed in Internet Explorer, which caused application issues."

In addition, some of the bank's internal procedures had flaws. Business partners, such as the bank's outside general counsel could bring a laptop into the bank, plug it into a network jack and get an Internet connection.

The third-party security auditor's idea of moving to static IP addresses would have simplified endpoint-identiy management, and moved Ulster into FFEIC compliance. But Hochstatter says managing static IP addresses is labor-intensive, particularly when with the bank's hundreds of PCs, laptops and servers spread across its 20 branch offices in Ulster County. It was also incompatible with his overall strategy of more efficiently supporting the bank's growth.

He admits that he didn't analyze what it would have cost to follow the auditor's suggestion. "I didn't look beyond the fact that it would cost me more [than deploying an NAC solution] and therefore I didn't like the idea."

He did, however, assess the risk of not fixing things. "If we had done nothing, and my auditor was correct," he says, "I could be liable for pretty significant fines--in the neighborhood of a half-million to three-quarters of a million dollars. That's a big number for my institution."

Examine The OptionsHochstatter worked with systems integrator Topgallant Partners to investigate NAC solutions from three vendors: InfoExpress, Symantec and Vernier Networks. He admits that NAC technology was uncharted territory for him and his staff, so the first stage was an educational one--reading white papers from each vendor.

What he discovered surprised him: Adding a piece of agent software to each client device--as InfoExpress's CyberGatekeeper and Symantec's Sygate products require--proved to be a positive step, not a negative one, as he first thought it would be.

"Our initial thought was we didn't want to deal with an agent on each device," he says. "Then, the light went on: In a NAC solution, it's attractive. You have to have one of our agents to gain access to internal network resources, and if you don't, you go to the restricted LAN [RLAN]."

The Vernier solution, on the other hand, restricted access using the media access control (MAC) addresses of each endpoint device. Hochstatter would have had to maintain a MAC address table, "and that seemed like a daunting task."

Hochstatter calls the Symantec and InfoExpress solutions "similar," but he went with the latter because "I just felt the services level we'd get from InfoExpress and its regional integrator [Topgallant] would be at a higher level than from the Sygate folks." He admits the CyberGatekeeper, at $38,500 for hardware, software, and integration, cost a bit less than the Symantec product. Still, pricing "was not a factor at all. The sheer size of the risk was significant to the decision, and a few dollars here and there was not a big driving force."Eased Deployment

It took about a month for Hochstatter to ease the NAC system into his production network. (He bought two of InfoExpress's CyberGatekeeper LAN products, one for production, a second as a backup.) Hochstatter dealt with the often-complicated task of tuning up his switches for 802.1x compliance by first running CyberGatekeeper in a lab environment. "802.1x is a bit of a pain to configure," he admits.

One of the difficulties of 802.1x is that it requires client software on every device that connects to the network, including servers and network printers. For devices that don't have the client software, you have to create exceptions in the 802.1x environment. This is the route Hochstatter chose for the bank's servers and printers.

Regarding the servers Hochstatter says "We feel this is unwise and unnecessary due to the secure environment they operate in and critical nature of their performance." And because network printers don't support PEAP (Protected Extensible Authentication Protocol) client, Ulster's IT personnel have "hard coded" printers with static IP addresses so they can access the network.

He initially deployed and ran the system in passive mode to "get the system in place without causing pain," he says. "Passive" in this sense meant that users of non-compliant PCs would "get a message that their PC's Windows update wasn't working right or their anti-virus signatures were out of date" when they connected to the network. "We didn't keep anyone off the network--just sent warnings."After about a month, one switch at a time every night or so, Ulster's IT staff turned on the CyberGatekeeper as well as the 802.1x enforcement capabilities in the bank's Foundry switches. "In the morning, we'd be on our toes," Hochstatter says. "Generally, we'd find a couple of devices not compliant, and we'd track them down."

"However, once we got it working in the lab, replicating it to online switches was not too difficult," Hochstatter adds. "Our implementation sounds smooth because we had the luxury of time and we rolled it out in a conservative, methodical manner."

Hochstatter says "the beauty of this deployment was that we could implement it in a granular manner. We really didn't want to disrupt our users--they grumble if security issues make life more difficult for them."

A strong PR effort by Ulster's IT department, explaining what CyberGatekeeper was and how it provided enhanced security, kept user complaints to a minimum, Hochstatter says. "We also educated them on how to react to the messages they may see, especially when CyberGatekeeper was turned up in passive mode. Users were heavily encouraged to enter a helpdesk ticket to have the IT group resolve compliance problems on their desktop."

Now, Ulster's NAC solution checks to ensure that every end point has proper OS patches and current anti-virus signatures. PCs out of compliance are regulated to the RLAN, where their shortfalls are addressed. In addition, Ulster checks for IE toolbars that cause problems with a couple of applications delivered by hosting services. "We have also tested the discovery of a couple of popular game programs, but beyond that, we haven't really pursued this area," Hochstatter says.In addition to checking PCs when they connect, CyberGatekeeper also monitors their conformance "throughout the day." Even so, Hochstatter says that "less than 1 percent of our desktops require remediation. That equates to one to three helpdesk calls a week."

When a device from an outsider tries to connect to the Ulster network, it is "pushed" to the RLAN because it does not have the CyberGatekeeper agent. To go anywhere on the network, an outsider must contact IT and be given temporary access.

"We have yet to see an instance where an outside entity required justifiable access to internal resources," says Hochstatter. "The only exception to that would be the periodic third-party IT auditor."

In regards to the audit, Hochstatter says CyberGatekeeper fills the bill. "Since we did not have the NAC system installed 100 percent, the auditor, being an auditor, was only mildly impressed," Hochstatter says. "Any and all issues sited in the audit, however, are addressed via CyberGatekeeper."

15 MinutesHochstatter, 43, is the vice president of technology for Ulster Savings Bank, Kingston, Ny. He joined Ulster in 2004, moving from a midwest bank.

Best part of your job: "Having the opportunity to align technical tactics with higher-level business strategies. When the business is 'doing this,' I like to be able to drive technology to help us get to that goal."

Worst part of your job: "I don't care for administration. There's nothing worse than a technology group that's not automated. I try to keep my staff equipped with tools that allow them to do their jobs more easily."

How you got into managing IT systems: "I was a computer science graduate from Purdue and went to work for a bank IT group in West Lafayette, IN, in 1985."

What Hochstatter's co-workers don't know about him: "I'm avid motor sports fan.""Wish list" for IT group in company: "Nothing. I'm happy with the posture we're taking with technology."

Subject that makes him rant: "Simple tasks that are difficult. A good example: When I have to walk to a fax machine because someone needs a signature. The task is far too difficult for what it is."

What keeps him awake at night: "The stock market."

Comfort food: "Good pizza and hot wings."

Favorite team: "Chicago Bears."Wheels: "Ford Explorer."

In Hochstatter's car CD player: "'How To Win Friends and Influence People,' by Dale Carnegie."

Football or baseball fan: "Football."

Must-see TV: "None."

Next career: "Lifeguard."The Hard Sell

Justifying a network access control solution was a no-brainer for Jim Hochstatter, VP of technology at Ulster Savings Bank. "Risk management and mitigation are huge things in banking--I can't say enough about that."

Bank CIOs must develop an annual risk-assessment report, in which technology plays a crucial role. "If our network was breached from an internal end point, the price tag could be staggering for us," he says. Hochstatter estimates that regulatory fines alone could reach into the millions. The bank might also lose customers and face lawsuits. "We cannot let that happen."

In addition to the security concerns, he estimates that the NAC solution has reduced the workload of his helpdesk staff by 15 percent to 20 percent. Based on his IT costs, Hochstatter estimates he's saving about $40,000 per year--which is more than the total cost of the NAC deployment. Several factors are at work here.

For one thing, "We are confident we have consistently configured machines across the network," he says. Moreover, "There's virtually no overhead in keeping track of all those [machines]. My antivirus is happy and running, my Windows update server is working properly, and I don't have to time and time again go out and uninstall Yahoo toolbars."Jim Carr is an Aptos, Calif.-based freelance business and technology writer. Write to him at [email protected].