Delaware bank layers desktop, network security to keep data safe

By Tim Greene, Network World, 12/01/2008

Wilmington Savings Fund Society, a Delaware bank, was looking to protect its desktops and servers from intrusions that could adversely affect bank business, and decided that layering gateway protection with desktop and server security platforms could help it reach its goals.

A combination of gateway appliances with desktop and server software protects the network and individual machines, and contributes to meeting the regulations imposed on banks, says Robert Eastwood, the bank's vice president and director of operational risk.

The bank network has more than 600 users spread over 36 sites, which are connected via a full-mesh MPLS network with bandwidth ranging upward from T-1.

To defend the network, Wilmington Savings relies on endpoint protection from Cisco's CSA agent and Trend Micro's antivirus software, and adds perimeter protection from gateway firewall, intrusion-prevention-system (IPS) and VPN software on Cisco ASA appliances. It also uses Proofpoint e-mail protection that looks for viruses, spam and sensitive content, Eastwood says. The CSA agent can block bank data from being transferred to thumb drives and other devices that could be used to carry sensitive data outside the network. Blocking data transfers helps meet the regulations under which the bank operates.

Proofpoint can block data from leaving via e-mail by linking nearby key phrases. For example, if an e-mail included the phrase "account number" and a string of numbers in account format was nearby, the e-mail could be blocked, encrypted or held until a compliance office had the chance to check it out, Eastwood says.
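The proximity rule described above can be sketched as follows. This is an added example, not Proofpoint's rule syntax or the bank's configuration; the account format (10 to 12 digits in optional dash- or space-separated groups), the 40-character window and the function names are assumptions.

```python
import re

# Assumptions for this sketch (not Proofpoint's rule syntax or defaults):
PHRASE_RE = re.compile(r"account\s+number", re.IGNORECASE)
# "Account format" is assumed to be 10-12 digits in groups, optionally
# separated by a dash or space; substitute the institution's real format.
ACCOUNT_RE = re.compile(r"(?<![\d-])\d{4}[- ]?\d{4}[- ]?\d{2,4}(?![\d-])")
WINDOW = 40               # max characters between phrase and number
ACTION_ON_MATCH = "hold"  # the article lists block, encrypt or hold


def find_account_disclosures(text, window=WINDOW):
    """Return (masked_number, gap) for each number near a key phrase."""
    phrases = [(m.start(), m.end()) for m in PHRASE_RE.finditer(text)]
    hits = []
    # Match numbers over the whole text, then measure distance, so a number
    # straddling the window edge is never matched as a truncated fragment.
    for n in ACCOUNT_RE.finditer(text):
        for p_start, p_end in phrases:
            gap = n.start() - p_end if n.start() >= p_end else p_start - n.end()
            if 0 <= gap <= window:
                digits = re.sub(r"\D", "", n.group())
                # Mask before logging so the DLP log is not itself a leak.
                hits.append(("*" * (len(digits) - 4) + digits[-4:], gap))
                break
    return hits


def disposition(text):
    """Policy decision for one outbound message body."""
    return ACTION_ON_MATCH if find_account_disclosures(text) else "deliver"


if __name__ == "__main__":
    # Constructed sample messages, not real data.
    samples = [
        "Hi, my Account Number is 1234-5678-9012, please update.",
        "Invoice 123456789012 is attached for the services rendered in "
        "November. Remember: never send your account number by e-mail.",
    ]
    for body in samples:
        print(disposition(body), find_account_disclosures(body))
```

The second sample contains both the phrase and a 12-digit number but is delivered, because the two are farther apart than the window; that distance test is what keeps invoice or order numbers from triggering the rule.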

The bank uses 802.1X authentication via its Cisco switches to make sure only authorized machines can gain access. "We don't permit connecting non-bank assets to the network," Eastwood says. "So for example, if a vendor comes in, they cannot connect to our network. The machine is not recognized, not granted access, thus preventing a virus or some other malware from venturing into the network," he says.

The bank does not use network-access control, but is considering NAC as a way to reduce the risk of infection further. NAC would link machine authentication with user authentication, and would test devices for compliance with security policies before granting access.

In the meantime, the bank uses behavioral screening of devices via the CSA agent's IPS capabilities to prevent the spread of malware that might find its way onto the network.

Eastwood feels confident the IPS will cut off attacks on systems by exploits targeting known vulnerabilities the bank has not yet had the chance to patch, he says. "CSA looks at traffic and the activity of the system it is installed on to discover behavior that may indicate an attack in progress," he adds.

The IPS gives the bank breathing room to test, for instance, Microsoft patches before deploying them, making sure they won't interfere with critical desktop applications. "We want to make sure they don't step on any of our business applications prior to deploying them," Eastwood says. "You want to hurry up and push out a patch to fix the security vulnerability but you shoot yourself in the foot because you messed up your business application."


Comments (1)

Great article
By robboyd on December 9, 2008, 4:41 pm
I always wonder how this company info gets fed but I enjoy the CSA coverage nonetheless. I believe CSA is a VERY underappreciated technology. New releases have...
