Firewalls can help stop the bad guys from hacking into your network, but what if your own users are launching the attacks – maliciously or accidentally? Burned once by an unwitting employee whose personal laptop infected the network, a northern California credit union is using a network access control (NAC) appliance to thwart insider threats before they wreak havoc.
"The statistics show that most of your threats are from insiders because they have more access to your devices," said John Shields, CTO and senior vice president of Patelco Credit Union, a 50-branch credit union based in San Francisco. "Our primary concerns are [controlling access for] the vendors or the visitors, or to make sure someone doesn't plug in something from home."
Before Shields had even thought about buying a NAC appliance, the credit union's two-and-a-half person networking team had cooked up some homegrown ways to monitor network access, but the CTO said none of the workarounds were effective.
"We did some ad hoc things -- detecting new devices on the network -- but like I said, it was pretty ad hoc and not very user friendly," Shields said. "[Using a NAC appliance] sort of brings a more streamlined and usable solution to that, [whereas] before, we had no way to really take action on someone plugging into a port."
About two years ago, an employee brought from home a laptop that had been infected with a worm. Nothing stopped the user from plugging in the infected device and unleashing the worm onto the network, Shields said.
"It did some damage to some of our internal servers," he said.
But insider threats could stem from more than just the credit union's 500 employees, Shields said. Contractors and vendors would often request network access, which had required Shields' networking team to accommodate them by building a physically separate network with restricted access.
"It was a totally separate network, which adds to cost and administration overhead," he said. "We realized we needed a NAC appliance to control -- down to the port level on the switch -- who has access and what they can access once they get connected."
NAC appliance helps control and redirect visitor access
As a longtime Cisco Systems customer for routers and switches, Shields evaluated the networking giant's NAC appliance but found it too difficult to deploy, and it came up short in covering some of the smart devices on his network, such as specialized receipt printers.
"Some of these products are really quite cumbersome to get installed and up and running," he said. "Even with [Cisco] infrastructure, the endpoint security [with its NAC appliance] required specialized software, and even then it only sort of applies to PCs and desktop-type devices."
Looking for something simpler that his small networking staff could handle, Shields turned to independent NAC vendor ForeScout Technologies for its NAC appliance, CounterACT. The product required no configuration changes to infrastructure or any of the 1,500 endpoints it secures, he said.
With the NAC appliance in place, Patelco's vendors and visitors are automatically redirected onto a different virtual local area network (VLAN) or they bypass the network completely with only Internet access, Shields said.
"Two systems sitting on our data center watch all the traffic going [within] the data center and to and from it," he said. "We can see what devices are talking to what [servers], and we can tell if a system is accessing more than it's allowed to or attempting to access more than it's allowed."
Network security professionals have been eyeing inside threats posed by employees for quite some time, but now occasional insiders -- contractors, auditors, outsourcing companies -- are also posing a challenge, according to Jack Marsal, director of marketing at ForeScout.
"The world is evolving; businesses have been evolving and networks have been accommodating more and more business visitors," Marsal said. "[Enterprises] are wondering how all these unknown people and unknown computers impact [their] security."
NAC appliance rings the alarm for intruders
Patelco has suffered no more breaches, but Shields said the NAC appliances keep his systems administrators busy with alerts -- letting them know if an endpoint doesn't have the latest Windows security patch so that the credit union can ensure that it meets compliance standards.
"Based on our corporate policies of keeping devices current, we can run a report and send out a list of all the devices that are not in compliance," Shields said. "We have the alerts right away, plus after a while, we can run reports to double- and triple-check them."
Although he would like to see ForeScout put out updates sooner -- they usually come two weeks after Microsoft puts out a new patch -- Shields said he has been impressed with how little management and maintenance the NAC appliances need. He estimated that he uses the equivalent of one quarter of a full-time employee to manage the system.
"[The NAC appliances] will say, 'This device talked to six different IP [addresses]' and [usually] it was one of our network people working on a router or multiple routers," Shields said. "Knock on wood, we haven't seen a real incident yet, but if it were a worm, you'd see a similar pattern."
Let us know what you think about this story; email Jessica Scarpati, News Writer.
Dig deeper on Network Access Control