
Did you ever think there would be a day when additional network security measures actually save money? The common wisdom is that network security is a necessary expense, with the only benefit being risk reduction. Well, the good news is that implementing better security can be financially rewarding for many companies, especially financial companies.
A common characteristic of financial organizations is location: these businesses need to be located where their customers are. For financial organizations, especially banks, branch offices are a necessity. Branch offices provide personal service to customers and the opportunity to serve them in new ways while keeping the same experience. Connectivity to the central office provides the baseline for that unified experience; the employees in the branch office help deliver it, but it is the network connection to the central office that allows them to perform these duties and better serve customers. Without a working network infrastructure the branch office cannot meet the demands of its clients, and without a comprehensive network security posture these offices face the threat of breaches and network attacks.
Financial services companies are naturally concerned about keeping security tight because of the critical nature of the assets they handle for their customers, and this is no different when it comes to network security. Products such as firewalls, intrusion prevention, anti-virus and URL filtering are available to help mitigate network protection risks, but because of the number of security products, the expense of purchasing, deploying and managing these solutions has traditionally been too great at the branch level. As a result, financial services companies have chosen to limit security product deployments to the major gateways to the Internet and a few key points within their networks. To limit their exposure at the branch office (which still needs network connections), companies have opted to purchase “leased lines” or private network connections, which in theory carry only the company’s traffic and are extremely expensive when compared to standard Internet connections.
There are three problems with relying solely on private network connections for remote office network security:
If there were some way to take the best of breed security products deployed at an enterprise’s primary network gateway and deploy them at the branch offices that use leased private lines, each branch location would be able to reduce the cost of its network connectivity by an estimated $1,000 per branch. A financial organization with 100 branch offices could see a savings of $1.2M per year.
Now, if a branch location were able to implement the same enterprise-level security that sits at the corporate network gateway, network connectivity could be maximized, providing an even better and faster network connection. This can result in a significant improvement in productivity: less time per transaction means more transactions in the same period of time, and more transactions mean a more efficient revenue stream.
Traditionally, enterprise-level security products are expensive and complex. Deploying, configuring and managing these solutions can add cost and may require more resources to be allocated to network security, especially when industrial-strength security usually involves firewalls, VPN concentrators, Antivirus protection, Intrusion Prevention, URL filtering capabilities, and Anti-spam solutions. Now for branch office and regional locations, a new security product category offers a solution that can dramatically reduce this problem: Unified Threat Management appliances.
Unified Threat Management (UTM) is a class of products that combines firewall, VPN, intrusion prevention, antivirus, URL filtering and anti-spam into a single appliance, and provides all these functions at a very low cost. So, do UTM appliances costing less than $1000 per office measure up in terms of security to the best of breed security products deployed at the primary corporate Internet gateway? The short answer is, some do and some don’t.
Even though UTM data sheets routinely advertise complete protection in a single appliance, they fail to provide sufficient detail on how much protection they actually provide. UTM is just a name, and no appliance has to pass a test to qualify as a UTM, so the protection level is typically nowhere near what you would get from a standalone best of breed security product. Many UTM vendors who protect against a few network attacks happily claim “Intrusion Prevention” for their appliance. As long as you can black-list a few URLs, they will gleefully advertise “URL Filtering”. The only parts of UTM appliances that are typically up to snuff are the firewall and VPN modules, which are well known to allow attacks over open ports without so much as a pause for further analysis. In fact, there seemed to be a massive name change among firewall vendors as they realized that the name “firewall” was out and “UTM” was in, and the UTM market ballooned impressively.
Financial Services companies have not been fooled by the general hype of UTM claims, so they have simply continued to bear the additional costs of dedicated Internet connections. But now, there is a better way. There are a few UTM solutions that are built entirely out of single function security product components, and therefore, have the security DNA of single function products built into the incredibly economical UTM form factor.
So how do you tell the difference between the re-named firewalls and the real security powerhouses?
Your first clue is price. The cliché “You get what you pay for” stands true. Anything under $700 is not likely to protect you from much more than a port scan. Some UTM vendors have the security DNA to provide you with real protection in a UTM, and also offer appliances under $700, but the fine print is that you only get the real security heritage if you stay away from the bargain section.
Your next clue is whether the UTM security modules come from stand-alone security products and are direct descendants of that technology.
If you dig into the details, you can really tell the difference by asking your vendors what exactly they block for each security module, and how accurate it is. Accuracy matters because, if you have spent any time working with network security, you know that false positives result in very loud, very urgent “TURN THAT OFF” emails and phone calls from upper management. False positives can feel worse than having no protection at all. Is your vendor really going to tell you how many false positives they have? No, because they either do not know or do not want you to know. So how do you determine accuracy? Ask your vendors about their false positive rates indirectly, using the question: “How many Intrusion Protection signatures do you BLOCK by default?” If a UTM vendor blocks something by default, that means they are pretty sure it won’t cause a problem. Then compare the answer for each security module to stand-alone product specifications. Ask these questions for EVERY security module that you plan to use.
To start things off, let’s examine Proventia Network Multi-Function Security (Proventia MFS) appliances, from IBM Internet Security Systems (IBM ISS). Here are each of the security modules and how much each one blocks by default:
At some point it is best to break out your attack tools and do some testing, but getting these metrics from your vendors will make your short list much shorter with very little effort. Also don’t forget that protection comes at the cost of performance, so make sure that low-priced UTM appliances can handle the load when security modules are enabled. This is tricky when looking at performance datasheets, because most UTM solutions only publish firewall throughput, with no mention of performance when any other security module is turned on. Make sure you get the real performance numbers with protection enabled; otherwise, you may be in for a rude surprise when security comes at the cost of throughput.
The example above used a financial organization with 100 branch offices as the sample for cost savings based on network access, but, when deploying a UTM solution at each of these 100 branch offices, there should be a reasonable concern for resource burdens associated with the deployment, configuration and management at each location. This calls for another piece of due diligence. If there are several security modules at each branch, you need to ask how your vendor reduces the management with strong central management functionality.
Again, taking Proventia MFS from IBM ISS as an example, there are several security management features available that will reduce your cost of management even though you are increasing protection. IBM ISS provides a central management system called SiteProtector, which enables enterprise security management with a hierarchical policy system. Hierarchical policy means managing firewall, VPN, IPS, URL filtering and anti-spam policies in groups. Instead of applying 100 firewall policies to 100 firewalls, there are group-based management functions in SiteProtector that manage the 100 firewalls with a single, simple firewall policy. Branch offices typically share the same network topology at every branch, and the same firewall rules to define that topology, but with different IP addresses underneath that topology. SiteProtector can separate the firewall rule definition for the topology from the IP address definition, using a feature called “Dynamic Network Addresses”. This allows a single (and short) firewall rule list that applies to all branches, with the IP addresses defined on a per-branch basis. The same characteristics apply to all of the security modules, so there are actually fewer policies to manage than with traditional branch firewalls.
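As an added illustration of the topology/address split described above (a constructed example, not SiteProtector’s own configuration format or code; the symbolic names, branch ids and addresses are invented), one rule list written against symbolic networks is rendered into concrete rules per branch, with a pre-flight check that every symbol has a binding before a policy is pushed:

```python
"""Topology-level firewall rules rendered per branch (constructed example)."""
import ipaddress

# One short rule list shared by every branch: symbols, not addresses.
TOPOLOGY_RULES = [
    {"action": "allow", "src": "BRANCH_LAN", "dst": "CORE_SERVERS", "port": 443},
    {"action": "allow", "src": "BRANCH_LAN", "dst": "CORE_DNS", "port": 53},
    {"action": "deny", "src": "GUEST_WIFI", "dst": "BRANCH_LAN", "port": "any"},
    {"action": "allow", "src": "GUEST_WIFI", "dst": "INTERNET", "port": 443},
]

# Per-branch bindings for the branch-specific symbols (constructed sample data).
BRANCH_ADDRESSES = {
    "branch-001": {"BRANCH_LAN": "10.1.0.0/24", "GUEST_WIFI": "10.1.100.0/24"},
    "branch-002": {"BRANCH_LAN": "10.2.0.0/24", "GUEST_WIFI": "10.2.100.0/24"},
}

# Symbols that resolve to the same address at every branch live in one shared map.
SHARED_ADDRESSES = {
    "CORE_SERVERS": "10.255.0.0/24",
    "CORE_DNS": "10.255.1.53/32",
    "INTERNET": "0.0.0.0/0",
}


def unresolved_symbols(branch_id, rules=TOPOLOGY_RULES):
    """Pre-flight check: symbols used by the rule list that this branch cannot resolve."""
    bindings = {**SHARED_ADDRESSES, **BRANCH_ADDRESSES.get(branch_id, {})}
    used = {r["src"] for r in rules} | {r["dst"] for r in rules}
    return sorted(used - bindings.keys())


def render_branch(branch_id, rules=TOPOLOGY_RULES):
    """Expand the symbolic rule list into concrete (action, src, dst, port) rules.

    Fails with KeyError on an unbound symbol so an incomplete branch definition
    is caught at policy build time instead of silently leaving a gap."""
    bindings = {**SHARED_ADDRESSES, **BRANCH_ADDRESSES[branch_id]}
    rendered = []
    for r in rules:
        src = ipaddress.ip_network(bindings[r["src"]])  # validates the address too
        dst = ipaddress.ip_network(bindings[r["dst"]])
        rendered.append((r["action"], str(src), str(dst), r["port"]))
    return rendered


def overlapping_branches():
    """Report pairs of branches whose BRANCH_LAN ranges overlap (a common copy-paste error)."""
    nets = {b: ipaddress.ip_network(a["BRANCH_LAN"]) for b, a in BRANCH_ADDRESSES.items()}
    ids = sorted(nets)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:] if nets[a].overlaps(nets[b])]
```

Adding a branch then means adding one entry to the address map, not another copy of the rule list.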
Another concern to consider is how your UTM will stand up against the threats of tomorrow. One thing is for certain, the threat landscape will change, so be sure that your UTM appliance has the architecture to meet these changes. If an entirely new security module is required, will your vendor be able to upgrade all your branches remotely without hardware upgrades? The example from IBM ISS, Proventia Multifunction, has the architecture to add new software, and an update system that can entirely replace the operating system remotely in groups of hundreds of appliances. This will save time and money when the next “big threat” becomes prevalent.
With enterprise grade security at the branch office, you can reduce your bandwidth costs while improving network speed at the branch. The most important thing about industrial strength security, is that you can start thinking about fully utilizing the power of the Internet to enable new value added services at the branch that weren’t possible before because of security concerns, like providing a wifi hotspot for bank customers, or new web-based collaboration tools for your branch employees to offer new services with customers, or other branch initiatives that inspire customer loyalty and lower costs.
Proventia Multifunction: Big Security for the Branch Office, from IBM.
Innovation That Matters.