The Lippis Report Issue 22: CompUSA A Case Study


It is well-known that over 70% of network security incidents are initiated, both maliciously and unknowingly, by parties within the confines of the enterprise network, be they employees, contractors, or unauthorized intruders. A new breed of secure proxy appliances, such as the Blue Coat Systems ProxySG (www.bluecoat.com), has hit the market with the goal of supplementing perimeter security while maintaining internal security and productivity by controlling employees’ use of the Internet. As Blue Coat’s VP of Marketing, Steve Mullaney, states: “We want to keep the bad guys good and the good guys honest.”

CompUSA: A Case Study

One of Blue Coat’s marquee customers is CompUSA (www.compusa.com). I had the opportunity to speak with Ken Monroe, Director of IT Communications and Support Services, and Pat Hykkonen, IT Network Security Manager, both out of CompUSA’s corporate headquarters in Dallas, about their experience with Blue Coat’s ProxySG solution. This week’s Lippis Report is a case study of CompUSA’s implementation based on this discussion.

CompUSA Overview

CompUSA is the leading retailer and reseller of PC-related products and services in the US, with approximately 225 retail stores in 90 major metropolitan markets. It has approximately 15,000 employees, 11,000 with Internet access. CompUSA’s Wide Area Network (WAN) is based on Sprint’s (www.sprint.com) Frame Relay service at 512Kbps, with a hub-spoke architecture connecting retail sites up into corporate. A T1 to XO Communications’ (www.xo.com) backbone at each site provides redundancy and VPN connectivity. All retail site traffic runs up through corporate, including Internet traffic, which is provided by dual DS3s. The core is a fairly common Cisco-based switch-routed network.

The Problem

Monroe stated that CompUSA was seeking to improve overall network performance for an upcoming VoIP implementation while driving down recurring connectivity and usage costs - and what enterprise isn’t? It also wanted to implement some Internet security and control policies, as Internet access was “wide open” at the time. Monroe brought in a third-party to audit CompUSA’s corporate network and, like many enterprise managers, was surprised to find out that Internet traffic was responsible for a significant amount of overall WAN bandwidth consumption - more than 30%. This was driving huge expense in bandwidth consumption charges.

Upon deeper inspection, the real problem surfaced. The majority of this Internet traffic was non-business related - an employee productivity plague that has become all too common over the past several years. The drivers ranged from seemingly innocuous casual web surfing to more troubling peer-to-peer (P2P) applications such as KaZaa and Morpheus. P2P applications obviously drive bandwidth consumption through large file exchange, on average 3MB/.mp3 and greater than 700MB-1GB for movie files.

While some employees are brazen enough to actually host MP3 and video servers on the corporate network, most employees don’t realize the significant security implications of enabling outsiders to come onto the corporate network to “share” files residing on their PC’s. This opens the door for intruders to access files on LAN-based corporate PC’s and/or leverage them as launching pads for attack, as well as for the inevitable major P2P-based virus that’s sure to come.

What to Do?

Monroe and Hykkonen knew they needed to address the P2P security and performance concerns in tandem. The logical place to start was the firewall, in this case a Cisco PIX (www.cisco.com). The first attempt was to utilize simple TCP port-blocking on the firewall. This is a successful method for blocking many traffic types, as most applications use a single TCP port - close the port, block the traffic. The developers of P2P applications realized that many would view this traffic as “undesirable” and use port-blocking to filter it out. As a result, P2P applications are much smarter - and sneakier - in their transport mechanisms, hopping across multiple ports. KaZaa, for example, uses both TCP and UDP for transport. It uses port 1214 as its default for establishing a connection. If 1214 is blocked, it attempts to use ports 1000-4000. If these ports are blocked, it then goes to port 80, HTTP, and hides inside normal web-browsing traffic. As most organizations need to maintain some Internet connectivity for business purposes, they cannot close port 80. And this is just KaZaa - there are currently 80+ known P2P applications in use. As a result, CompUSA couldn’t lock out P2P traffic with the PIX alone.
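
An added example, not part of the original report: Python detection logic that scans firewall logs for the fallback order described above (port 1214, then ports 1000-4000, then port 80) and separates hosts the port filter stopped from hosts it only pushed onto HTTP, where a proxy has to take over. The log format, addresses, function names and the simplification of tracking one internal host against one peer are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log; the line format is an assumption, not real PIX syntax.
SAMPLE_LOG = """\
10:00:01 DENY tcp 10.1.5.20 -> 203.0.113.7:1214
10:00:02 DENY udp 10.1.5.20 -> 203.0.113.7:1214
10:00:03 DENY tcp 10.1.5.20 -> 203.0.113.7:1871
10:00:04 DENY tcp 10.1.5.20 -> 203.0.113.7:2903
10:00:05 DENY tcp 10.1.5.20 -> 203.0.113.7:3550
10:00:06 ALLOW tcp 10.1.5.20 -> 203.0.113.7:80
10:00:07 ALLOW tcp 10.1.5.31 -> 198.51.100.9:80
10:00:08 DENY tcp 10.1.5.44 -> 192.0.2.10:1214
"""

LINE = re.compile(r"(\S+) (DENY|ALLOW) (tcp|udp) (\S+) -> (\S+):(\d+)")

def parse(log):
    """Yield (action, src, dst, port) for every well-formed log line."""
    for m in LINE.finditer(log):
        _ts, action, _proto, src, dst, port = m.groups()
        yield action, src, dst, int(port)

def find_port_hoppers(log, min_fallback=2):
    """Map (src, dst) to a finding, following the article's fallback order."""
    state = defaultdict(lambda: {"default": False, "fallback": set(), "http": False})
    for action, src, dst, port in parse(log):
        s = state[(src, dst)]
        if action == "DENY" and port == 1214:
            s["default"] = True                      # default port was refused
        elif action == "DENY" and 1000 <= port <= 4000 and s["default"]:
            s["fallback"].add(port)                  # hopping inside 1000-4000
        elif (action == "ALLOW" and port == 80 and s["default"]
              and len(s["fallback"]) >= min_fallback):
            s["http"] = True                         # same peer reached over port 80
    findings = {}
    for pair, s in state.items():
        if s["http"]:
            findings[pair] = "tunnelled-over-80"     # needs application-layer control
        elif s["default"]:
            findings[pair] = "blocked-at-firewall"   # port filter was sufficient so far
    return findings

if __name__ == "__main__":
    for pair, verdict in find_port_hoppers(SAMPLE_LOG).items():
        print(pair, verdict)
```

Ordinary web browsing (10.1.5.31 in the sample) is not flagged, because it never shows the denied 1214 and 1000-4000 attempts first.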

“Defense In Depth”

Monroe and Hykkonen turned to BlueVantage (www.bluevantage.com), a consultancy focusing on enterprise web management and security issues, among others. BlueVantage offers a managed service for controlling enterprise web and P2P abuse based on Blue Coat’s ProxySG product line. Working directly with Blue Coat and BlueVantage, CompUSA deployed redundant ProxySG 6000’s in-line between the PIX firewall and the corporate LAN. The ProxySG maintains a database of granular policies governing users’ (and user groups’) use of the Internet, including bandwidth, protocol, time-of-day and content allowances. In conjunction with these features, the Blue Coat platform also runs Secure Computing’s (www.securecomputing.com) SmartFilter URL filtering application on-box, enabling CompUSA to restrict and block access to non-business URL’s such as MP3, movie and sports sites, as well as the web clients for P2P applications.

The combination of the Cisco PIX firewall and the Blue Coat ProxySG/SmartFilter gives Monroe what he calls “defense in depth”. The firewall restricts the ports through which P2P traffic can enter the corporate network to port 80 only, at which point the ProxySG/SmartFilter parses out and blocks the P2P sessions inside web traffic. The end result is a secure network with performance optimized for business use.

Monroe and Hykkonen evaluated other solutions, including standalone URL filters and proxy appliances, but found that both the capital expense and management overhead involved in isolated systems were far greater. The Blue Coat solution also offers a number of other features including virus scanning, caching, instant messaging control and denial of service (DoS) resistance, among others. Additionally, BlueVantage is offering the P2P control as a managed service, allowing CompUSA to pay a monthly fee vs. absorbing the capital cost of the ProxySG platforms, much like a managed router service.

The Payoff

After implementing the Blue Coat solution in conjunction with its Cisco PIX firewall, CompUSA has significantly improved its private WAN performance and security, as well as greatly reducing its overall operational costs. Monroe estimates that this security and web policy management infrastructure saves CompUSA more than $1M in annual bandwidth costs, which, when combined with productivity gains, equals an estimated $20M in savings annually. Additionally, the added insurance of improving defenses against a catastrophic security breach, as well as liabilities (such as music industry suits from the RIAA), goes uncounted but cannot be overstated.

What Does It All Mean to Your Enterprise?

The security, performance and productivity issues faced by CompUSA are representative of many enterprises today, both large and small. If you don’t currently have visibility into the utilization of your network, now is the time to get it. Here are a few key steps to getting started:

• Perform a Network Audit - either internally or via a third party. Look for congestion hotspots in the network, and attempt to get data about users and applications driving traffic (top talkers, top listeners, etc.) as granular as possible.

• Implement an Internet Usage Policy - develop a formal set of policies governing employees’ use of the Internet during business hours. Include acceptable use policies, forbidden behavior, etc., and solidify the policy with stated disciplinary actions for violations.

• Look Inside Out - do not focus only on securing the enterprise network from outside intruders. Look to solidify internal security from both malicious and unwitting threats.

• Deploy “Defense In Depth” - utilize multiple layers of internal security to ensure maximum defense and performance protection.
