"Financial Service Technology America, today's latest financial news now..."
24 May 2011

A10 Networks Delivers Network Identity Management to China Construction Bank

A10 Networks | www.a10networks.com

China Construction Bank Corporation was incorporated in China in 1954 and retains leadership roles in areas such as corporate banking, personal banking and treasury operations. Today the bank has 14,250 branch outlets and as of June 2005, China Construction Bank had 4,224.1 billion RMB ($521.8 billion US) in total assets, 2,374.4 billion RMB ($293.3 billion US) in total loans and 3,781.3 billion RMB ($467.1 billion US) in total deposits.

China Construction Bank was ranked 25th among the world’s top 1,000 banks based on tier-one capital by The Banker magazine in July 2005 and its H shares began trading on the Hong Kong Stock Exchange in Q4 2005.

China Construction Bank needed to improve and integrate its internal operations, focusing on the following areas:

  1. Multiple access devices were deployed to provide employee access, including Nokia IP380 VPNs and Huawei 3Com 802.1x client software. Instead of authenticating against different sets of user accounts, a centralized and easy-to-manage AAA (authentication, authorization, accounting) platform was needed to improve overall network security and simplify user account management and provisioning – keeping accounts and passwords accurate and up-to-date.
  2. China Construction Bank already had internal RADIUS and Novell eDirectory servers, which stored their user accounts. The bank needed a management platform that could work seamlessly with these platforms and include the ability to edit remote user accounts on the platform itself.
  3. The bank wanted a central event log solution to improve overall network traffic visibility and make it much easier to track single-user events and critical or threatening network events. It also wanted an integrated solution that could resolve IP or MAC addresses to user identity (IP-to-ID) instantly across network logs from various VPNs, routers and firewalls.
  4. China Construction Bank needed to understand the applications traversing its edge and how much bandwidth each was using.
  5. The bank needed to see which users were using each application to identify the heavy users of non-business related applications.

Solution

To solve requirements 1 – 3:
China Construction Bank deployed A10 Networks’ IDsentrie identity management appliance in a plug-and-play topology to quickly meet all of the above challenges. First, Nokia IP380 VPNs and Huawei Quidway 3026 switches were added as NAS devices. With a quick configuration, these devices could forward their AAA requests directly to IDsentrie to centralize authentication tasks from remote users.

Next, the RADIUS and Novell eDirectory servers were added as managed data stores. All the existing accounts on the eDirectory server showed up immediately on IDsentrie’s easy-to-use Web GUI – simplifying account provisioning and management. IDsentrie provided remote user management features and enabled administrators to edit remote user accounts locally on IDsentrie. With rapid and simplified configuration on the IDsentrie unit, administrators could determine which server to proxy AAA requests to, based on user groups or on network access devices.

Finally, IDsentrie’s auto-configuration feature was used to redirect the Nokia IP380’s traffic logs as well as logs from other routers and switches. By centralizing these critical logs into IDsentrie’s IEM (IDentity Event Manager) module and leveraging IDsentrie’s IP-to-ID technology, the bank was able to instantly resolve critical events back to the responsible users and display current network status summaries on a user basis rather than an IP address basis – making network reports much more meaningful.

To solve requirements 4 – 5:
The bank deployed a pair of EX Series secure WAN management appliances behind its corporate firewalls in transparent mode to quickly allow the company to obtain application and user activity information without any topology changes to their environment. With the EX’s application visibility and identity features and its ability to tie into IDsentrie’s IP-to-ID feature, the bank instantly started seeing which users were responsible for each application being used. From these identity-based reports, the bank was able to identify the top users of non-business related traffic and take action to traffic shape these low priority applications to ensure bandwidth and availability of critical business applications.

By understanding “who is doing what on the network” without having to perform extensive identity forensic activities, the bank’s IT staff can quickly resolve network problems and bandwidth issues without significant overhead – saving them many hours per week. The IT team now has the reporting infrastructure to show management the problematic applications and responsible users – making their jobs much simpler and giving them a way to justify network enhancements and changes.

Success

China Construction Bank has attained the ability to fully centralize their authentication, account management, and logging functions for their employee access to their internal network. The bank has also attained the ability to see and manage their bandwidth much more effectively by using identity-based reporting and the ability to fully traffic shape and prioritize traffic.

This greatly increases the bank’s overall network security and visibility, streamlines WAN traffic flows, reduces the impact of non-business applications, and simplifies routine tasks for its IT staff at the same time. By seamlessly integrating existing network access devices with RADIUS and eDirectory servers, A10 Networks’ IDsentrie proved to be an easy-to-use, plug-and-play appliance that supports heterogeneous network devices.

With IDsentrie’s dashboard displaying the top 10 bandwidth, Web and FTP users etc., network administrators can obtain a quick snapshot of current network traffic payloads and the users responsible.

IDsentrie’s IEM module leverages built-in IP-to-ID technology to instantly resolve user identity for traffic logs derived from firewalls or other devices. This provided a powerful tool to quickly identify users involved in a security attack or network alert so immediate action could be taken.
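
The page does not describe how IDsentrie's IP-to-ID works internally. The following is an added example, not A10's code, of one common way to resolve a logged IP address to a user: build time-bounded sessions from RADIUS accounting Start/Stop records (User-Name, Framed-IP-Address) and look up the log line's timestamp, so that a reissued address is not attributed to the wrong person. The log format, user names and addresses are constructed assumptions.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed events: (time, Acct-Status-Type, User-Name, Framed-IP-Address)
ACCOUNTING = [
    ("2011-05-24T08:00:05", "Start", "li.wei", "10.20.0.15"),
    ("2011-05-24T08:10:00", "Start", "chen.yu", "10.20.0.22"),
    ("2011-05-24T09:30:00", "Stop", "li.wei", "10.20.0.15"),
    ("2011-05-24T09:45:10", "Start", "zhang.min", "10.20.0.15"),  # address reissued
]
# Constructed firewall log lines (the format is an assumption).
FIREWALL_LOG = [
    "2011-05-24T08:15:42 DENY src=10.20.0.15 dst=192.0.2.10 dport=445",
    "2011-05-24T09:40:00 ALLOW src=10.20.0.15 dst=192.0.2.80 dport=80",
    "2011-05-24T10:02:17 DENY src=10.20.0.15 dst=192.0.2.10 dport=21",
    "2011-05-24T11:00:00 ALLOW src=10.20.0.22 dst=192.0.2.80 dport=21",
]
LINE = re.compile(r"^(\S+) \w+ src=(\S+)")

def build_sessions(events):
    """Turn Start/Stop events into per-IP [start, end, user] spans ordered by start."""
    sessions = defaultdict(list)
    for ts, status, user, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        spans = sessions[ip]
        live = spans[-1] if spans and spans[-1][1] is None else None
        if status == "Start":
            if live:  # Stop record was lost: close the old span at reassignment
                live[1] = when
            spans.append([when, None, user])
        elif status == "Stop" and live and live[2] == user:
            live[1] = when
    return sessions

def resolve(sessions, ip, when):
    """Return the user holding `ip` at `when`, or None if no session covers it."""
    spans = sessions.get(ip, [])
    i = bisect_right([s[0] for s in spans], when) - 1
    if i < 0:
        return None
    _, end, user = spans[i]
    return user if end is None or when < end else None

def attribute(log_lines, sessions):
    """Map each parsable log line to (timestamp, source IP, user or None)."""
    hits = (LINE.match(line) for line in log_lines)
    return [(m[1], m[2], resolve(sessions, m[2], datetime.fromisoformat(m[1])))
            for m in hits if m]
```

A `None` result marks traffic from an address with no authenticated session at that moment, which is itself worth reviewing rather than attributing to the previous or next holder.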

By deploying the EX Series in transparent mode, answers to tough or impossible questions relating to application and bandwidth use were quickly attained. With A10’s unique identity-based reports, the bank can now intelligently manage its WAN and Internet bandwidth and make accurate decisions on which applications to restrict or limit. With the non-business applications under control, the bank is seeing much better response times for its legitimate business applications and productivity is increased while management overhead is decreased.

About A10 Networks

A10 Networks was founded in 2004 with a mission to provide innovative networking and security solutions. A10 Networks makes high-performance products that help organizations accelerate, optimize and secure their applications. A10 Networks is headquartered in Silicon Valley with offices in the United States, Japan, China and Taiwan. For more information, visit http://www.a10networks.com.

