DIDW: Network Access Control Case Studies
Jeff Williams, California State Association of Counties -
Nonprofit advocate for California’s 58 counties.
Represents the counties before lawmakers, agencies and the federal government; counties range from 1,200 to 10 million people.
Multiple constituencies: legislators, employees, counties, residents. All want a high degree of service and integrity, and are very keen on knowing who has access to the network.
State government entities are the 2nd most often targeted in attacks (behind financial services), and open, easily accessible information is often part of the mission.
Wanted to protect servers and applications from unknown users
Grant appropriate access to specified users/machines
Reporting and auditing for state compliance
IT must be responsive with limited staff
Integrity and credibility of CSAC at risk
Risk to counties’ agenda and well-being
Solution considerations:
Firewalls - identity blind, no machine auth, limited auditing, complex config
Chose instead - identity management and network access control appliance and software
Deployed TNT: simple implementation that met the objectives. It binds an unalterable user and computer identity into network traffic and grants or denies access to specific information resources based on those identities. Simple tool to configure, set policies, and report all activity. It was installed in one day.
Really liked the reporting capabilities: status can be seen at a glance.
Results:
- Identity-enabled infrastructure provided a full view of user and endpoint behavior
- Led to rapid, straightforward and effective access control policy decisions
- Protected critical state information records from data breaches
- Ensured confidentiality of communication within state government and the counties
- Provided a full audit trail to address regulations
Q&A:
What is the scale of this deployment?
We represent the counties from a legislative standpoint, but they didn't deploy this. We deployed this for our employees only.
** Second Case Study
Roman Lessnow (sp) - Security Manager, Wellstar (Atlanta, GA)
600,000 customers
10,000 employees
Five hospitals
Urgent care centers
etc.
Implemented Information Technology Infrastructure Library (ITIL)
Very small IT staff; wanted network plug and play, granular access control, and a transparent user experience.
Uses LDAP, so the solution needs to work with it. Currently Novell eDirectory, moving to LDAP.
Environment:
Windows, Linux, HP-UX; 475 devices with SSH/Telnet. Also looking to control pumps, monitors and other SSH- or Telnet-capable devices for vendor access.
Wanted an authorization-based approach: more access internally than remotely. Needed to set the policy directly and have it enforced by the engines within the device.
Easy management: when a vendor logs in to update one of their devices onsite, we want to check that their system is clean before they are granted access.
View log data, etc.
Chose the Caymas appliance. Policies can be updated in real time, users cannot view or discover unauthorized resources, full logging and audit, no user training required.
We can provide vendor access, meet the requirements of our mobile employees, deal with a heterogeneous environment, etc.
Can do policies via LDAP or locally on the box.
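Both case studies come down to the same mechanism: an access decision is made from an authenticated user identity (with directory group membership), an authenticated machine identity, the endpoint's posture check and its location, every decision is audited, and users only see the resources a policy would actually grant them. The following is an added illustration of that decision logic, not code from either presenter's deployment, from TNT or from Caymas; the rule fields, resource names, group names and devices are constructed for the example, and the "clean" flag stands in for whatever health check the appliance performs.

```python
"""Toy identity- and posture-aware access policy engine with an audit log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """Who is asking: user, directory groups (e.g. from LDAP), authenticated machine, posture, location."""
    user: str
    groups: FrozenSet[str]
    device: str
    clean: bool          # result of the endpoint health check before access is granted
    location: str        # "internal" or "remote"


@dataclass(frozen=True)
class Rule:
    """One allow rule for one resource; anything no rule matches is denied (default deny)."""
    resource: str
    groups: FrozenSet[str]                                  # any of these groups qualifies
    locations: FrozenSet[str] = frozenset({"internal", "remote"})
    require_clean: bool = False                             # posture check must have passed
    devices: Optional[FrozenSet[str]] = None                # None = any authenticated device


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user: str
    device: str
    resource: str
    allowed: bool
    reason: str


class PolicyEngine:
    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.audit: List[AuditEvent] = []

    def _check(self, rule: Rule, ident: Identity) -> Tuple[bool, str]:
        """Evaluate one rule; the reason names the first failing condition."""
        if not (rule.groups & ident.groups):
            return False, "group"
        if ident.location not in rule.locations:
            return False, "location"
        if rule.devices is not None and ident.device not in rule.devices:
            return False, "device"
        if rule.require_clean and not ident.clean:
            return False, "posture"
        return True, "rule-match"

    def decide(self, ident: Identity, resource: str) -> Tuple[bool, str]:
        """Grant or deny access to a resource and record the decision in the audit log."""
        allowed, reason = False, "no-rule"
        for rule in self.rules:
            if rule.resource != resource:
                continue
            allowed, reason = self._check(rule, ident)
            if allowed:
                break
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     ident.user, ident.device, resource, allowed, reason))
        return allowed, reason

    def visible_resources(self, ident: Identity) -> List[str]:
        """Resources this identity may discover: only those a rule would currently grant."""
        seen: List[str] = []
        for rule in self.rules:
            if rule.resource not in seen and self._check(rule, ident)[0]:
                seen.append(rule.resource)
        return sorted(seen)

    def summary(self) -> Dict[str, object]:
        """Status-at-a-glance report built from the audit log."""
        denied_by_reason: Dict[str, int] = {}
        for ev in self.audit:
            if not ev.allowed:
                denied_by_reason[ev.reason] = denied_by_reason.get(ev.reason, 0) + 1
        allowed = sum(1 for ev in self.audit if ev.allowed)
        return {"allowed": allowed, "denied": len(self.audit) - allowed,
                "denied_by_reason": denied_by_reason}


# Constructed sample policy (not from either deployment): finance data only from inside,
# clinical records for clinicians on clean endpoints, one pump for one vendor laptop.
SAMPLE_RULES = [
    Rule("finance-db", frozenset({"finance"}), locations=frozenset({"internal"})),
    Rule("patient-records", frozenset({"clinicians"}), require_clean=True),
    Rule("infusion-pump-42", frozenset({"vendor-pumps"}), require_clean=True,
         devices=frozenset({"vendor-laptop-7"})),
]


def build_engine() -> PolicyEngine:
    return PolicyEngine(SAMPLE_RULES)


if __name__ == "__main__":
    engine = build_engine()
    vendor = Identity("pumpco-tech", frozenset({"vendor-pumps"}), "vendor-laptop-7", False, "remote")
    print(engine.decide(vendor, "infusion-pump-42"))   # denied until the posture check passes
    print(engine.visible_resources(vendor))            # nothing to discover while denied
    print(engine.summary())
```

The point of `visible_resources` is the "cannot view / discover unauthorized resources" property: discovery reuses the same rule evaluation as access, so a denied identity is not even shown the resource. The audit log keeps the reason for each denial so the at-a-glance report can separate posture failures (a vendor laptop that needs cleaning) from group or location mismatches (a policy question).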
Technorati Tags: Digital ID World, identity, NAC