You have to learn to walk before you can run. That’s what Pitney Bowes discovered as it developed a unique security system designed to lock down access to its global network.
Pitney Bowes, a leading mail system vendor, had to upgrade its IP infrastructure — particularly how it handled DNS and DHCP — before it could tackle the complicated task of authenticating users connecting to its network and controlling access to network resources based on who they are.
Pitney Bowes cobbled together its system using DNS and DHCP appliances from Infoblox, configuration management software from BigFix and endpoint security software from Endforce.
The company spent $700,000 on its new network access control (NAC) system, but says it is already reaping returns on that investment both in improved network security and better performance.
"There has been a reduction in unknown devices on the network. That was our primary driver for this project," says David Giambruno, director of engineering, security and deployment at Pitney Bowes. "But we have also seen an increase in network performance that is improving the user experience. We’re able to measure improvements in the network’s overall latency."
Pitney Bowes may be on the leading edge, but it isn’t the only company to roll out NAC. While 4% of corporations have deployed NAC, 36% plan to purchase the technology in 2006, according to a recent survey of 149 companies by Forrester Research.
Robert Whiteley, a senior analyst with Forrester, says only a handful of corporations are rolling out comprehensive NAC solutions that include upgrades to DNS and DHCP infrastructures.
"The most common thing I see is folks trying to start out with software like Endforce that does endpoint integrity checking. Then they realize they have to upgrade DNS and DHCP," Whiteley says. By tackling the IP infrastructure and security problems at the same time, the Pitney Bowes approach is "world class," he adds.
"The thing that’s smart about what Pitney Bowes is doing is that by improving the underlying IP management infrastructure, they’ve also enabled a better VoIP architecture and a better wireless architecture and a better mobility architecture," Whiteley says. "This is good common sense."
Creating a unified IP management infrastructure was a challenge for an organization as large as Pitney Bowes, which is a $5.5 billion manufacturer of hardware and software for managing mail and packages in 185 countries.
Pitney Bowes’ network has 37,000 users globally, with 30 large locations and several primary data centers. The majority of the network runs on IP, with less than 2% of network traffic running on other protocols.
Prior to the NAC rollout, Pitney Bowes used a variety of systems for managing DNS and DHCP including Microsoft’s Active Directory, Lucent’s QIP and open source BIND software. With this hodgepodge of systems, Pitney Bowes’ IT staff had to manually upgrade routes between its DNS systems.
"It was a very inefficient system that created a lot of unnecessary traffic and a lot of weird application issues," Giambruno says. "DNS requests are very small packets, but we were seeing lots of them all over the network. It’s one of those things that can be tolerated but after a while it adds tremendous latency and causes weird problems inside applications and user problems."
Comments (2)
By Mcdaddy on August 31, 2009, 10:16 am: It could be a good way for other business establishments.. business security systems
By Mcdaddy on August 31, 2009, 10:21 am: Any establishments do really need security systems for protection. business security systems