"I have a fairly strong security background, and I viewed it as a fairly large vulnerability in our environment," Reissmueller said. "My initial concern was just having unauthenticated devices on my network. Considering that Pioneer is a high-tech company, I have some fairly savvy users in different areas. I have engineering staff who do research and development and who are very familiar with how the kernel of an OS works, let alone how to use Windows. So it's very possible for me to have an employee come in, plug a wireless router into my network, and the next thing you know I've got DHCP being broadcast throughout my network, bringing everyone
Reissmueller was also concerned about unsecured devices brought into the company by partners or vendors. He said the scenarios for disaster were so numerous that he knew he had to do something to protect his inside edge.
In his search for a network access control (NAC) product, he ended up installing ConSentry's LANShield controllers, Layer 2 devices that sit between the network edge and the core. ConSentry's LANShield Controllers, like its LANShield Switches, are based on custom silicon that provides deep packet inspection for policy control and integrated NAC. The controllers start at $17,000 and provide control across multiple access switches, and the ConSentry access switches start at $7,995.
"I looked at doing standard Cisco 802.1x," Reissmueller said. "I also looked at Cisco Clean Access, and I had looked into McAfee's in-line product and HIPS [Host-based Intrusion Protection]. But once I saw how full the feature set was on the ConSentry product, that made a lot more sense to me than just meeting a traditional NAC need."
Michelle McLean, director of product marketing at ConSentry, said her company's technology goes beyond NAC by offering enhanced reporting features and dynamic behavior-based access control. The technology can observe user behavior and set a baseline for acceptable behavior for those users. It focuses on user identity and applications, rather than on authenticated devices and IP addresses.
"Yes -- we're going to do the admission piece and check for viruses and check for aberrant behavior," McLean said. "But really, our sweet spot is focusing on who can do what on the LAN according to the role they're in and how to track it and have a history or log of that for any kind of forensics or compliance that I need to document."
Reissmueller said he liked ConSentry's ability to continue monitoring traffic at the packet level after a device had been authenticated and granted access to the network. He said he valued the technology's ability to look at the data content of a packet and make decisions on whether it should be allowed to continue through the network.
He also values the fact that ConSentry can secure his network based on user identity and role, rather than their IP address and device, because his users need to be able to log on to different devices in the organization and still be able to do their work.
"The problem with [NAC technology that tracks] IP addresses is in an environment where you have DHCP. The IPs are going to change even if you do it as MAC address controls," Reissmueller said. "If I sit down to your computer and log in with my credentials, I need to have access to my stuff. So doing it at a device-based level just doesn't meet the needs of my business. If my NAC solution is making it so people can't work on machines that they need to use -- if I have multiple users using the same machine and they can't get the appropriate level of access -- then it kind of defeats the purpose [of good security]."
He tested the product for about four months before committing to it.
"First, I put it in my lab and did a bunch of testing with it," he said. "We ran it through quite a few paces in different scenarios to try to verify that the product did what they claimed it did and that it was truly as easy to manage as was said."
Then he put a controller in his main data center in Long Beach, Calif., and set it in passive monitoring mode, allowing it to dynamically create rule sets. Once he was comfortable with what he was seeing with the first controller, he started to roll it out to the rest of his larger facilities in North and South America, about 10 in all.
Reissmueller said the role-based features of ConSentry have required some tweaking on his part. "There are certain pieces of information that some users only access maybe once every six months, and there are those types of exceptions that [the controllers] didn't typically pick up because I wasn't running it in monitoring mode for that long," he said. "So I had to go in and say: 'This is a user that might run this type of financial application very infrequently. Or potentially this administrative person, such as the CFO, who might have access to payroll data but normally wouldn't use it. So maybe it involves expanding his permissions to things that he might not have to look at day-to-day.'"
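The three ideas above (identity- and role-based decisions instead of IP-based ones, a baseline learned in passive monitoring mode, and the infrequent-access exception that a short monitoring window misses) can be seen together in a small simulation. The following is an added illustration written for this article; it is not ConSentry code and does not reflect how LANShield actually builds its rule sets. The flow records, user names, roles, addresses and application names are all constructed, and the policy model (role to allowed applications) is a deliberately simple assumption.

```python
from collections import defaultdict

# Constructed sample of flows recorded while a controller sits in passive
# monitoring mode.  Fields: (user, role, source_ip, application).
# Illustrative records only, not real traffic.
MONITORED_FLOWS = [
    ("alice", "engineering", "10.0.1.20", "git"),
    ("alice", "engineering", "10.0.1.20", "jira"),
    ("bob",   "finance",     "10.0.2.5",  "erp"),
    ("bob",   "finance",     "10.0.2.5",  "payroll"),
    ("carol", "executive",   "10.0.3.7",  "email"),
    ("carol", "executive",   "10.0.3.7",  "erp"),
]

# Constructed enforcement-phase traffic seen after the baseline was learned.
ENFORCED_FLOWS = [
    # alice sits down at bob's desk: same credentials, different machine/IP.
    ("alice", "engineering", "10.0.2.5", "git"),
    # The CFO runs payroll once every six months; never seen during baselining.
    ("carol", "executive",   "10.0.3.7", "payroll"),
]


def learn_role_policy(flows):
    """Baseline keyed on role -> applications, independent of address."""
    policy = defaultdict(set)
    for _user, role, _ip, app in flows:
        policy[role].add(app)
    return dict(policy)


def learn_ip_policy(flows):
    """Baseline keyed on source IP -> applications: the device-centric model."""
    policy = defaultdict(set)
    for _user, _role, ip, app in flows:
        policy[ip].add(app)
    return dict(policy)


def decide_by_role(policy, role, app):
    """Allow if this role was observed using the application during baselining."""
    return "allow" if app in policy.get(role, set()) else "deny"


def decide_by_ip(policy, ip, app):
    """Allow if this address was observed using the application during baselining."""
    return "allow" if app in policy.get(ip, set()) else "deny"


def grant(policy, role, app):
    """Administrator exception: expand a role's permissions after review."""
    policy.setdefault(role, set()).add(app)
    return policy


def enforce(role_policy, flows):
    """Return the flows that role-based enforcement would block."""
    return [f for f in flows if decide_by_role(role_policy, f[1], f[3]) == "deny"]


if __name__ == "__main__":
    role_policy = learn_role_policy(MONITORED_FLOWS)
    ip_policy = learn_ip_policy(MONITORED_FLOWS)
    for user, role, ip, app in ENFORCED_FLOWS:
        print(f"{user:6} {app:8} role-based: {decide_by_role(role_policy, role, app):5}"
              f"  ip-based: {decide_by_ip(ip_policy, ip, app)}")
    # The CFO's payroll access is legitimate but was outside the monitoring
    # window, so the administrator widens the executive role by hand.
    grant(role_policy, "executive", "payroll")
    print("blocked after exception:", enforce(role_policy, ENFORCED_FLOWS))
```

Running it shows the two behaviours the article describes: alice keeps her access when she logs in from bob's machine under the role-based policy but loses it under the IP-based one, and carol's rare payroll access is blocked by the learned baseline until the administrator adds it as an exception. A longer monitoring window would have captured that access automatically; a shorter one pushes the work onto manual review, which is the trade-off Reissmueller describes.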
Reissmueller plans to expand his use of ConSentry to two more Pioneer facilities.
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor