We’re not the biggest company in the world, but we just happily spent more than $40,000. No, it wasn’t a new midlife crisis Boxster for the CEO – we just made an investment in gear to protect our various server farms, and we’re tickled pink about it. Now the fact of the matter is that we would have much rather paid a carrier a monthly fee to do it for us, but that option simply was not available from our existing providers. And we have to ask the question (and ask it in a loud tone of voice) – why the heck not?

TeleChoice operates various servers for our internal consultant access, external client and partner access, and topical public sites that we run. Protecting these sites is no different than any other enterprise facing threats from script kiddies, crackers and other ne’er-do-wells. You have to secure your assets if you do business online. The progression of steps we took, of expenses we paid, and functionality we installed is probably no different from that of any other company. We started out spending money on patch maintenance capabilities to make sure we had the most recent patches from software vendors and that was fine. Then we invested in a dedicated firewall appliance. It did its job, but – like all firewalls – was only able to stop network traffic on services we did not use. It was unable to do anything about the most vulnerable service we have in use today, HTTP on port 80. Increasingly our systems – particularly our development servers (routinely accessed by contract programmers) – were subject to intrusion attacks.

Truth be told, some of these attacks got through our existing security. Tracking these attacks was no easy task – playing detective on a large server installation takes time.
Some intrusions are so subtle that finding them can be just as much luck as experience. It’s not hard to make a business case for stopping this before it happens, so we started, quickly, looking for options. We took our troubles to our service providers and they were happy to offer managed intrusion detection services from partners – none of our providers offered such services on their own. Our providers usually began their pitch with an Intrusion Detection Service. This typically amounted to little more than full-time monitoring of our firewall (at $2,000 a month!). While cheaper than hiring a full-time employee, this service still did not solve our core problem – attacks that could get through our firewall and exploit an unpatched hole on our servers. Instead, it just provided a slightly faster means of discovering what we already knew – that we were under attack!

The next step up from our providers (starting at $4,000 per month) was a true Intrusion Prevention service. Unfortunately, this service would have required a wholesale reconfiguration of our network, and that was just something we couldn’t afford to do operationally. For us, the solution came not in a managed service, but in the hardware investment we discussed at the beginning of the column. We bought and installed several of TippingPoint’s UnityOne Intrusion Prevention systems. The results were immediate and remarkable.

Because a vital production server was under attack, our IT director went it alone and installed the first unit without the help of the sales engineer. In fewer than 20 minutes he had our first box unpacked, installed, turned on, and operating. We fiddled briefly with the reports and the monitor to see what was going on but did not need to make any changes to the default configuration of the box. In the first hour the device blocked 10,000 bad packets, all of them direct exploits and attacks to get through our defenses.
A quick check on our managed switches showed our internal network traffic dropped 40% which increased our internal network performance by close to 20%. The second box we evaluated took 15 minutes and the one after that less than 10 minutes. Over the next month the attacks grew. But none have gotten through, so far, after four months of operation. Exactly the way it should be. This success, in our minds, begs the question: why don’t carriers take TippingPoint, or another vendor’s products, and stick them at the carrier interconnection points to stop all of this stuff from getting into and out of their network? Since so much of this traffic comes from machines that have already been compromised it just makes sense to filter out the known obvious exploits and save the capacity for clients (like us) that will happily pay for it if it’s available. The amount of traffic savings we’ve seen has varied, but if 25%, 30%, 35% or more of the network capacity could be freed up by installing such gear at the endpoints, doesn’t that make more sense than just buying more capacity?

We think this is really becoming table stakes. We’re past the time when dealing with intrusions was just an annoyance. It’s costing companies money – it was certainly costing us money. Isn’t solving these kinds of business problems why new products and services are launched in the first place?

So while we’re sure that we’ll get a lot of feedback about service and options we didn’t try, the fact remains that no one we spoke with offered a managed solution that would work for us. So we went with the age-old solution. We bought boxes. Good ones too. We would have rather bought a service, and saved the money for the Boxster instead.