Protecting network ports
North Carolina authority uses Webgate security appliance to filter online traffic
WHEN JOHN FLISHER took the job of information technology manager
at the North Carolina State Ports Authority two years ago, the
agency was just finishing a major upgrade of its network.
'It was long overdue, and it worked out rather
nicely,' Flisher said. However, 'we had no Web
filtering at all. It was an afterthought.'
Although it was an afterthought two years ago, protecting Web
gateways has become an increasingly important priority for
enterprises.
'The Web now represents the most targeted and exploitable
attack surface in an organization's network,' said Doug
Camplejohn, chief executive officer of Mi5 Networks, whose Webgate
security appliance filters traffic for the ports authority.
Distributing malware through Web sites is a growing industry, as
hackers, spammers and phishers transition from e-mail to Web sites,
said Mark Sunner, chief security analyst at MessageLabs. According
to the company's latest threat intelligence report, 30.5
percent of all malicious code found in Web traffic during May was
new, and more than 1,300 sites hosting malware were discovered each
day. It is becoming more difficult to tell the good sites from the
bad.
'Increasingly, they are legitimate sites that have been
compromised in some way,' Sunner said. An exploit, such as
SQL injection, can redirect a Web browser to a server hosting
malicious code. 'As 2008 plays out, this is where we are
going to be seeing an increase in activity.'
Flisher began searching for a tool that would, at a minimum,
provide antivirus and spyware protection and URL filtering at the
perimeter of the agency's network.
'We were looking for something to stick into' the
demilitarized zone, he said.
The authority chose a relatively small network that serves about
200 users at the ports of Morehead City on Bogue Sound, Wilmington
on the Cape Fear River, and an inland terminal at Charlotte. The
network is built with Cisco Systems' Catalyst 4500 series
routers at its core, and Cisco 2960 and 3560 series switches at the
perimeter. It uses wireless connections to track traffic through
the ports and freight coming off and going onto ships. With
wireless access points, the network contains about 400 nodes.
The slump in the U.S. housing market has slowed the growth in
cargo volume moving through the ports. But overall, volume was up 6
percent in fiscal 2007 and up 17 percent for container volume. The
VoyagerTrack Terminal Operating System is the primary application
the ports use on the network. The Terminal Operating System went
into operation in August 2007, replacing the previous e-Cargo Tools
Container Tracking System for container transactions at Wilmington
and Charlotte.
Botnet protection
Flisher settled on Mi5's Webgate appliance because of its
price ' it starts at $3,495 per unit ' and
functionality. It provided URL filtering, anti-spyware and
antivirus software, file protection and monitors for inbound and
outbound communications to spot botnet traffic.
'One big thing I liked was that they had botnet
detection,' Flisher said. It also had a simple hook to a
Lightweight Directory Access Protocol directory so that activity
could be tied to users. 'That accountability was something I
was looking for.'
The latest release of Webgate, Version 4.0, adds controls for
more than 100 applications and protocols, including instant
messaging, peer-to-peer, voice over IP and streaming media. It can
identify and monitor applications, allow or block them by product
or category, and enforce security policies.
Flisher said he was pleased with the company's decision to
add application controls to the product. 'That's
something we've been asking for for a while,' he
said.
Webgate features a Security Services Engine that uses
characteristics from the carrier industry to maximize speed and
throughput, Camplejohn said.
'On the Web, everything is about latency,' he said.
Webgate does in-line inspection of all traffic in each direction at
speeds of 1 gigabit/ sec in its largest enterprise model to provide
latency of less than 2 milliseconds. It works at the network layer,
so 'we don't care what protocol they are trying to
use.' Not all bad Web traffic is on Port 80. 'Although
they mostly come in from the Web, they have a lot of additional
behaviors to send data back out.'
Webgate can handle as many as 30,000 users at the high end, and
multiple boxes can be managed centrally through a central
intelligence unit. The primary factor in the number of appliances
deployed typically is network architecture, Camplejohn said. The
appliances can be deployed at each network site, or traffic can be
backhauled to a central location, which is the way the Ports
Authority is doing it for now.
'We have one box now' at a data center in
Wilmington, Flisher said. 'We're looking to get another
one for Morehead City,' and eventually, he would like to have
one for the terminal in Charlotte. 'I don't want people
dependent on the connection here.'