From fierce competition to passenger safety, airlines have enough to worry about without throwing renegade end
users and network security threats into the mix.
Nobody knows this better than Andre Gold, director of information security at Continental Airlines. A nasty encounter with the so-called SQL Slammer worm -- which three years ago wreaked havoc on corporate networks around the world -- taught Continental's information security director a valuable lesson: Protect your network from end user surprises. Give IT the ability to control what applications users run and what file servers and other resources they can access.
After worming its way into Continental's enterprise network by way of a mobile user's infected laptop (and a security hole in Microsoft's SQL Server software), SQL Slammer brought much of the airline's commercial business to a halt for several hours. Although the worm is not destructive to the infected host, it generates damaging levels of network traffic by scanning for random IP addresses for vulnerable servers.
"Slammer saturated our network, so as a byproduct … we had a lot of client/server systems that became unavailable," said Gold. "Our CEO came back and said, 'How can we fix this so it doesn't happen again?' For a long time we weren't able to answer that question."
The challenge: Continental's network is unique because of its massive roaming user community. Reservation agents switch among terminals, depending on where they are assigned on a given day and time. Flight crews access the network for crew updates, and the airline's sales force constantly logs in from the road. Yet all of these employees need access to network applications to do their jobs.
"We have thousands of employees that don't have a PC. They log in and there are a slew of assets they need to authenticate to," said Gold. "I can't base a firewall policy around machines with a roaming user group," because those policies are location-dependent.
Gold decided to solve his problem by deploying role-based provisioning, technology that ties the applications each user can access to their user profiles. This move would protect the airline's network by controlling where users go on the network and what they do, whether users are internal employees, contractors, or simply guests. And those policies would apply to users regardless of where they physically log onto the network, so shared terminals or changing locations would no longer be a problem.
The source of Continental's role-based provisioning solution is ConSentry Networks. The Milpitas, Calif-based startup makes a combination hardware and software platform that operates at LAN speeds to control every user as well as to secure every port on the LAN.
The ConSentry package includes the Secure LAN Controller switch, the LANShield operating system running on it, and the ConSentry InSight command center, which provides traffic visibility and access policies. The Controller applies those policies to enforce access to network resources and perform malware controls. Significant to Continental's need to identify users at a granular level, the platform performs three-way binding of user identity, which is learned during authentication to the user's IP address and MAC address. That binding enables user-based traffic tracking and role-based provisioning.
Before opting for ConSentry's Secure LAN Controller solution, Gold considered other security options but discovered pitfalls that proved to be deal breakers. He found network access control (NAC) devices too costly -- a multimillion dollar investment that Continental wasn't prepared to make, especially when the ConSentry platform would cost a couple of hundred thousand dollars.
Security solutions, such as those that provide malware containment, were discovered to be costly as well. Gold found that these server-based applications also created a network bottleneck that he didn't encounter with the ConSentry platform. It, in contrast, integrates with the network fabric -- the appliance is deployed "inline" so all traffic traverses it for strong enforcement, but it is able to keep pace with Continental's 10 Gbit network speeds.
"An inline deployment is crucial because of performance. Both the decision about how to treat traffic and the forwarding of enforced traffic is faster," said Michelle McLean, ConSentry's senior director, product marketing. "If you're going to sit inline, you'd better be LAN speed. So, in our case, our custom hardware is the key to maintaining 10-gig speeds."
So far, Continental has rolled out ConSentry's platform and role-based provisioning at its headquarters in Houston, Tex. Further deployment plans include data centers, reservation centers, hubs, and some selected tier-one airports.
Gold is satisfied that the solution will serve Continental well, even if SQL Slammer rears its ugly head again. In that event, he said, the amount of SQL traffic sent out by the infected user would be immediately detected by the ConSentry platform, which would shut down the user's access to the SQL application. However, the user's other applications, such as e-mail, would remain operational. In effect, Gold said, Continental now has an army of productive, protected end users.
"We got slammed by the slammer … since then we've been evaluating things in the space," Gold said. Now, he says, "We have a network that fights back."