News Stay informed about the latest enterprise technology news and product updates.

Zero day protection with network access control, intrusion prevention

A global executive relocation service provider improved its zero-day protection capabilities with a combination of network access control and an intrusion prevention system.

IT pundits talk quite a bit about delivering "value" to the business and transforming the IT organization from a cost center to a profit center. However, sometimes simple vigilance can get you into the good graces of the executive suite.

Senior manager of IT security at global executive relocation service provider Sirva Inc. Waqas Akkawi was recently taken to dinner by the company's president after he and his staff prevented a Trojan from hijacking the executive's personal banking information.


The president had picked up the Zeus Trojan on his corporate laptop while outside the corporate network. Then he logged onto the corporate network in his office and the Trojan's abnormal behavior triggered an alert on the management console of Sirva's network access control system, ForeScout's CounterAct

"He was checking his stocks and visiting his bank to [make a transaction] and we caught that his PC was compromised by Zeus," Akkawi said. "When we got there, he was trying to get into [his bank]. We told him 'Your PC is compromised and we want to take a look at it. Let us clean it up.' We saved him because otherwise he would have had his stuff leaked and stolen."

Zero day protection with network access control

Akkawi has been using CounterAct NAC from ForeScout for several years for zero day protection from compromised devices that employees bring into the network. With Sirva's highly mobile sales staff traveling globally, employees are constantly bringing infected laptops onto the network, he said. With a network access control system in place, Akkawi can detect infections, whether they are zero day threats or old worms and Trojans coming around for a second time. He's dealt with nearly half a dozen Conficker and Zeus infections in the last couple months alone.

"We had three guys come in with Conficker. ForeScout isolated them quickly and alerted us. Our guys went in, hooked up their stuff and determined that their defenses were down. Antivirus was shut down. Everything was taken down. We looked around for a signature and it was Conficker. We were able to do all that without any harm coming to the network. In the past, something like that would affect a huge area of the network. A denial of service attack would start to happen because of a bunch of chatter. The whole organization would get infected so they would have to redo all the PCs."

Akkawi chose CounterAct network access control to secure the network because it integrated quite easily with his Cisco Systems network and it required very little heavy lifting to get up and running. He also liked the system's flexibility. What's more Akkawi wanted a NAC product that didn't become part of the problem. He had heard horror stories about NAC systems locking people out of the network and killing productivity.

"On a zero-day attack, [ForeScout] gives us a leg up because we are able to block isolate and contain PCs on a port level. We don't' have to block the whole PC," Akkawi said. "We can let the guy keep working. But if there is chatter or an issue on one port on his IP address, we block that and dispatch engineers accordingly. "

Zero day protection at the perimeter with NAC-based intrusion prevention system

Akkawi recently boosted his zero day protection capabilities with a second ForeScout product to secure his perimeter. CounterAct Edge, which uses an algorithm based on ForeScout's CounterAct NAC product, sits outside Sirva's firewall perimeter. CounterAct Edge is an intrusion protection system (IPS} that relies on an algorithm rather than signatures. It tracks the reconnaissance behavior of hackers and malware. When attackers probe the perimeter of the network looking for vulnerabilities, CounterAct Edge will respond to the probe with false information about vulnerabilities and configurations. When an attacker comes back and tries to use that false information to penetrate the network, CounterAct Edge blocks the attack.

This appliance has allowed Akkawi to retire legacy intrusion detection systems (IDS) that he had in place from multiple vendors. It's also reduced the load on his Cisco firewalls.

"It protects the firewalls from all the garbage that is inherently probing and scanning our network and only allows meaningful traffic to reach the firewall," he said. "Rather than the firewall being at 50% CPU consumption inspecting all these packets and connections, the firewall is now down to 5% CPU consumption. It's only looking at traffic meant for the company and CounterAct Edge is denying access for all this garbage, like port scanning from Russia and the Ukraine, which you see all day."

Offloading work from his firewalls has improved network performance during major attacks, Akkawi said. In the past, if the network perimeter was getting hit hard, his firewalls would grind everything to a halt as they tried to inspect every packet. Legitimate traffic would get hung up in the queue with malicious traffic.

"Now that's being done by CounterAct Edge. The firewall just processes legitimate traffic."

Global management of zero day protection with network access control

Sirva manages its ForeScout NAC system out of its security operations center (SOC) at its primary data center in Fort Wayne, Ind. Originally Akkawi deployed the NAC product across his U.S. offices, but success with ForeScout has spurred him to expand his use of the technology across Sirva's 40 global locations.

This year Akkawi deployed CounterACT NAC in its Australian and Asia-Pacific offices. Management of the technology is still handled out of the U.S. SOC. If ForeScout detects a problem, an alert goes out to the SOC and to engineers in Australia. Network security managers in the SOC will call the Australian engineers to ensure that they are responding to the alert.

"We're protecting 6,500 endpoints today and that's going to increase. That's not including Europe and Canada, and I have money in the 2011 budget to roll out ForeScout there in March," Akkawi said. "Because of the centralization, it's scalable. There's no need for the complexity of different teams managing it in Europe. I like to see in one dashboard or console what's going on globally."

Let us know what you think about the story; email: Shamus McGillicuddy, News Editor

Dig Deeper on Network Access Control

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.