Pitney Bowes’ advanced security system reaps returns

You have to learn to walk before you can run. That’s what Pitney Bowes discovered as it developed a unique security system designed to lock down access to its global network.

Pitney Bowes, a leading mail system vendor, had to upgrade its IP infrastructure — particularly how it handled DNS and DHCP — before it could tackle the complicated task of authenticating users connecting to its network and controlling access to network resources based on who they are.

Pitney Bowes cobbled together its system using DNS and DHCP appliances from Infoblox, configuration management software from BigFix and endpoint security software from Endforce.

The company spent $700,000 on its new network access control (NAC) system, but says it is already reaping returns on that investment both in improved network security and better performance.

"There has been a reduction in unknown devices on the network. That was our primary driver for this project," says David Giambruno, director of engineering, security and deployment at Pitney Bowes. "But we have also seen an increase in network performance that is improving the user experience. We’re able to measure improvements in the network’s overall latency."

Pitney Bowes may be on the leading edge, but it isn’t the only company to roll out NAC. While 4% of corporations have deployed NAC, 36% plan to purchase the technology in 2006, according to a recent survey of 149 companies by Forrester Research.

Robert Whiteley, a senior analyst with Forrester, says only a handful of corporations are rolling out comprehensive NAC solutions that include upgrades to DNS and DHCP infrastructures.

"The most common thing I see is folks trying to start out with software like Endforce that does endpoint integrity checking. Then they realize they have to upgrade DNS and DHCP," Whiteley says. By tackling the IP infrastructure and security problems at the same time, the Pitney Bowes approach is "world class," he adds.

"The thing that’s smart about what Pitney Bowes is doing is that by improving the underlying IP management infrastructure, they’ve also enabled a better VoIP architecture and a better wireless architecture and a better mobility architecture," Whiteley says. "This is good common sense."

Creating a unified IP management infrastructure was a challenge for an organization as large as Pitney Bowes, which is a $5.5 billion manufacturer of hardware and software for managing mail and packages in 185 countries.

Pitney Bowes’ network has 37,000 users globally, with 30 large locations and several primary data centers. The majority of the network runs on IP, with less than 2% of network traffic running on other protocols.

Prior to the NAC rollout, Pitney Bowes used a variety of systems for managing DNS and DHCP including Microsoft’s Active Directory, Lucent’s QIP and open source BIND software. With this hodgepodge of systems, Pitney Bowes’ IT staff had to manually upgrade routes between its DNS systems.

"It was a very inefficient system that created a lot of unnecessary traffic and a lot of weird application issues," Giambruno says. "DNS requests are very small packets, but we were seeing lots of them all over the network. It’s one of those things that can be tolerated but after a while it adds tremendous latency and causes weird problems inside applications and user problems."

Giambruno says that when the company decided to deploy NAC, his team of six network engineers and security specialists decided they also had to fix DNS and DHCP.

"When you look at controlling access to your network, 99% of it is through DHCP," Giambruno says. "Users have to log in to get an IP address, and then they’re on your network. If you can manage that process, you can significantly reduce your risk profile. You also reduce outages and the duration of outages because you eliminate unknown configurations on your network."

After surveying the NAC market, Pitney Bowes decided to create what Giambruno dubs the security sandwich:

The bottom layer is the DNS and DHCP appliances from Infoblox, which provide IP addresses to known systems.

In the middle is BigFix, which provides policy-based network management controls. The BigFix software populates the Infoblox devices and the Endforce databases with user information.

The top layer is Endforce’s software, which checks unknown systems for compliance with security policies.

One benefit of this three-layer approach is that it is transparent to users, who don’t have to register into the new NAC system.
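The bottom layer of that sandwich, a DHCP server that hands production addresses only to systems already in the inventory and parks everything else where it can be checked, can be expressed directly in DHCP server policy. The following is an added example written in ISC dhcpd syntax; it is not Pitney Bowes' Infoblox configuration, and every address, hostname and MAC in it is made up:

```conf
# Added example (ISC dhcpd syntax), not the Infoblox configuration described
# in the article. Hostnames, MAC addresses and subnets are invented.

authoritative;
default-lease-time 28800;
max-lease-time 86400;

# dhcpd treats a client as "known" only when a host declaration matches its
# hardware address. In the design described above this list would be
# generated from the configuration-management inventory, not kept by hand.
host ws-0001    { hardware ethernet 00:11:22:33:44:55; }
host ws-0002    { hardware ethernet 00:11:22:33:44:56; }
host prn-lobby  { hardware ethernet 00:11:22:33:44:99; fixed-address 10.10.0.20; }

subnet 10.10.0.0 netmask 255.255.255.0 {
    option routers 10.10.0.1;

    # Production pool: refuses any client without a matching host declaration.
    pool {
        deny unknown-clients;
        range 10.10.0.100 10.10.0.199;
        option domain-name-servers 10.10.0.53;
    }

    # Quarantine pool: everything else lands here. Short leases mean a machine
    # that has just been added to the inventory picks up a production address
    # at its next renewal; the separate DNS server can steer every lookup to
    # the posture-check or registration portal.
    pool {
        allow unknown-clients;
        range 10.10.0.200 10.10.0.249;
        option domain-name-servers 10.10.0.54;
        default-lease-time 120;
        max-lease-time 300;
    }
}
```

The address itself enforces nothing: the quarantine range only restricts a device if an ACL on the gateway limits 10.10.0.200-249 to the remediation servers. Two limits of the approach are worth keeping in mind. A device configured with a static address never asks the DHCP server and so never passes through this control, and a "known" MAC can be copied onto an unregistered machine, so the inventory check reduces unknown devices on the wire but does not by itself prove what a device is.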

"Our user community has no idea this [upgrade] has happened," Giambruno says. "The only thing they know is that if they have a guest, there is a communications process that happens…. We are only impacting the things we don’t know about, and from a user community point of view that’s very important."

Pitney Bowes began deployment of its new NAC system in May and will be finished by September. Installation at the primary data centers and the largest corporate offices is complete, and Pitney Bowes is already seeing benefits.

"It is working to eliminate the number of unknown devices on the network. We’ve been able to see that number drop," Giambruno says. "We think we’re going to see end user experiences improve because of better latency. We’ve already been able to take anywhere from 30 to 80 milliseconds out of end user requests."

Once the new NAC system is fully installed, Pitney Bowes hopes that its stronger IP management infrastructure will boost network reliability.

"We should get a reduction in outages and the duration of outages because we globalized our infrastructure and took a unified view of it and can manage it as a system," Giambruno says. "We also should see a reduction in the time and effort it takes to manage DNS and DHCP."

Forrester's Whiteley says it will be hard for Pitney Bowes to calculate an ROI for having a sound IP management infrastructure and solid network access controls, but he says its value is immeasurable.

"NAC is an ecosystem. It requires you to take multiple moving parts and coordinate them," Whiteley explains. "But more importantly, from a security standpoint, it’s a philosophy that is proactive and preventative. When you actually build a real framework for NAC, you take care of a multitude of sins."

Copyright © 2006 IDG Communications, Inc.