Control technology secures network: virus attack over its WAN links spurs Las Vegas Review-Journal to use LAN controller

Communications News, Feb, 2006

Nearly three years ago, the Las Vegas Review-Journal (LVRJ) got a bug. The Blaster virus had infected the company's LAN through a WAN connection, quickly propagating itself throughout the organization's infrastructure across the country. Steven Olson, the paper's infrastructure manager, realized he needed to find a remedy before the next bug invasion.

LVRJ is the largest daily newspaper in the state of Nevada, with a daily circulation of more than 160,000 and a Sunday circulation of more than 224,000. It is owned by Las Vegas-based Stephens Media Group, which also publishes 100 different newspapers and Web sites, serving cities and towns throughout Arkansas, Hawaii, Nevada, North Carolina, Oklahoma, Tennessee, Texas and Washington.

With more than 1,500 network users nationwide, many of them part of an expanding mobile workforce of reporters and contributing writers, increased visibility into user activity and tighter access control have become business-critical needs. Because the newspaper's mobile workforce bypasses the perimeter firewall when connecting to the LAN, it exposes the Review-Journal's network to user-access and malware threats that can cause network downtime or lead to misuse and unauthorized activity. In addition, new regulatory compliance issues are driving the need to control access to network resources and applications.

"Historically, we have focused on shoring up our network protection from the perimeter and have done a pretty good job of it," says Olson. "However, when the Blaster virus impacted us a couple of years ago, we realized that we became infected through a WAN connection. That's when we realized we had to start examining security for our interior networks."

The LVRJ's initial response was to segment its LANs and create multiple subnets to prevent the entire network from being infected or compromised by viruses and malicious security breaches. "We installed intrusion-detection and prevention (IDP) systems between the LAN infrastructure and WAN perimeter but soon discovered this really didn't help protect the core network because we were actually running eight subnets," explains Olson. "The only way to provide pervasive protection would be to deploy IDPs on each subnet, which was not practical from a cost or IT resource standpoint."

ALTERNATIVES NOT ADEQUATE

Olson discovered additional problems associated with segmenting LVRJ's interior networks with VLANs. "We've tried to address this issue by segmenting our LANs with static IP addresses and access control lists (ACLs) but this approach proved to be much too complex and began to consume valuable IT resources, which adversely affected other projects. We have a small IT team and concluded that assigning a dedicated resource to exclusively managing ACLs wasn't justifiable on multiple levels."

Because there are so many disparate users accessing LVRJ's network, including reporters, sales staff, administrators and freelancers, Olson tried implementing roaming profiles in order to allow any user to log on to a workstation. "What we discovered is that if we set a policy for a user based on a static IP address established on a given workstation, and then allow that user access to a different workstation based on that static IP address, suddenly our security controls were gone."

To address these issues, the LVRJ selected ConSentry Networks' CS2400 Secure LAN Controller (SLC). These purpose-built LAN security systems, which deliver up to 10 Gbps full-duplex throughput for deep packet inspection, are deployed as inline appliances at the distribution layer and sit transparently behind access/wiring-closet switches.

Described by Olson as "snap-in" devices because of their ease of deployment, the SLCs leverage LVRJ's existing authentication and identity-management systems, augmenting and preserving previous security investments. In addition, the systems deliver detailed visibility into user activity all the way up to Layer 7, enforce role-based policies on a per-user and per-application basis, and contain malware in real time at LAN speeds, stopping outbreaks before they propagate throughout the network.

"The controllers give us the ability to monitor the activity of every user in real time and enforce granular control over what resources and applications each individual user or group of users is authorized to access," says Vikas Khorana, network engineer for the Review-Journal. "This goes well beyond just authenticating users to the network. In effect, the controllers act as a network 'chaperone' to control user access once they've been admitted to the network in the first place."

For example, business users from the sales force oftentimes share office space with reporters. Rather than having to set up complex VLANs for these disparate users with differing network access rights and policies, LVRJ uses the SLC to centrally enforce specific user policies from its inline vantage point close to users. "Not only are we saving significant IT resources, we're strengthening overall network security, since the SLC enforces policies immediately from a single device, rather than relying on disparate systems with external enforcement points that lack integration."


 


Content provided in partnership with Thompson Gale