Collins finds prevention better than detection

Collins Food Group is something of a pioneer in the fast-food restaurant business in Australia.

Based in Brisbane, the company operates some 113 KFC outlets and 28 Sizzler restaurants nationwide after opening the first KFC in 1969 and the first Sizzler in 1985, both in Brisbane.

Operating out of a central office with VPNs linking the outlets, Collins’ IT people had been aware for some time that their existing traditional firewalls were not adequately protecting them from a range of application-level network attacks.

According to Brisbane-based IT services company Communications Design & Management (CDM) technical architect Ross Taylor, Collins had been looking for an intrusion detection system (IDS) for their network and were in the process of assessing the solutions offered by various network security vendors when they were invited to a presentation by 3Com division Tipping Point of their range of security solutions.

It was here, according to Collins IT manager, infrastructure and restaurant systems, Shaun Smith, that the company was introduced for the first time to the possibilities of Tipping Point’s Intrusion Prevention System.

Determining security needs

Smith says Collins has a traditional Cisco corporate firewall configuration with VPN tunnels to each of the organisation’s 140 stores. They also use an e-mail scanning product called Mail Marshal, and all Internet traffic is monitored and scanned through an additional product called Web Marshal, as well as anti-virus protection.

“We believed this was protecting most of our e-mail traffic from the flood of e-mail borne viruses and undesirable mail traffic.

“Web Marshal ensured that we could control what sites our users visited and what they could download from the Web to the corporate network. The firewalls are set to exclude all but wanted traffic to our main servers,” he says.

Smith says the things that were unique about the environment were that they have an aging topography where they still run Token Ring for a significant component of their network. To overcome this, they had made use of wireless access points in certain parts of the building.

They also had over 140 external sites to manage and wanted to ensure that security at each of these nodes was strong and that network integrity was maintained.

“With such a varied topography we found it hard to find a network monitoring solution that would help us isolate where we were having problems. We also had no simple tool to let us know what sort of attacks our network was being subjected to,” Smith says.

It was for this reason that Collins sought a solution that could be implemented behind the corporate firewall.

According to Smith, the IT team at Collins were far from experts in this field, so they needed to know how the system could be installed in a way that was most effective for protection from external threats as well as wireless access points.

Taylor says the box was relatively easy to install and had been designed specifically to gather and disseminate information according to an end user’s needs.

It could also be tuned to provide reports on different levels of information. It therefore acts as an intrusion prevention system, unlike the traditional IDSs that the company had in place on its network.

“What they needed was a central security function from their head office, where VPNs from their other outlets are terminated, which could control the flow of all ingoing and outgoing traffic,” Taylor says.

“They wanted to know how they should deploy the box and what sorts of things it could be used to deploy against and how it could be configured to derive maximum value.”

The Tipping Point solution also includes innovative IPS features such as Spyware protection and multi-gigabit throughput.

Tipping Point’s intrusion prevention system offers VoIP security, bandwidth management, peer-to-peer protection and default “recommend settings” to block malicious traffic automatically upon installation without tuning.

Pilot stage

Following the demonstration of the Tipping Point 400 network security box IPS, Collins moved rapidly to a pilot stage using equipment provided for evaluation by CDM.

During this trial and evaluation period, most of the discussion centred around what it was that Collins Group actually needed from a network security perspective.

The Tipping Point IPS proved to be exactly what Collins was seeking, as it provided application, performance and infrastructure protection at gigabit speeds through total packet inspection, whilst also protecting routers, switches and other critical infrastructure from targeted attacks and traffic anomalies.

The box also provided Collins with automated reports, e-mailed in PDF form for management staff with comprehensive information on attacks.

Taylor says the Tipping Point solution also provided an effective “drop in” solution that, in its default state, could pretty much immediately start providing an extra level of awareness to the organisation of potential malicious traffic passing through the existing packet-based firewalls, as well as rating, and stopping, those potential attacks without any further intervention from server or network administrators.

Taylor says the primary challenge in implementing the Tipping Point solution was ensuring CDM had an understanding of Collins’ network and what was needed to be protected, such as servers, and potential points of security weakness, such as Internet connections and wireless networks.

They also needed to organise the network to ensure that data flowing to or from those sources passed through the Tipping Point engine which was then able to classify and protect the organisation from potential threats where necessary.

Smith says that, from Collins’ point of view, the testing and implementation phase of the Tipping Point/CDM solution went remarkably smoothly.

“The Tipping Point box was brought in, we had about 60 seconds of downtime as we plugged it in to our network and from that point on, with the standard rule set in place, Tipping Point began detecting intrusion attempts.”

As the days went on, Smith adds, they were able to tweak some of the rules to better suit what they wanted to monitor or deny, with very little formal training of the product.

Once they had made the decision to go with the solution, the removal of the test equipment and installation was equally seamless, Smith says.

Taylor says the Tipping Point products were extremely intuitive to install, coming with a default set of rules and policies that ensure a high level of protection for the network with no false positives.

“Apart from the momentary interruption to the network link while the Tipping Point box is placed in-line, its operation is transparent to all normal network services,” he says.

Benefits

Taylor says the solution works in-line in the network, effectively as a “bump in the wire”, with specially designed high-speed processing engines to ensure minimal latency on passing traffic. There is therefore no end-user component that has to be installed on desktops or the organisation's servers.

This makes the entire deployment process a relatively simple and cost-effective affair that does not tie up the time and resources of the organisation’s network administration or server or desktop administration teams.

The protection is also provided transparently at the network layer and traffic generated by end-user devices such as PCs and laptops is inspected and removed from the network, if classified as dangerous.

Smith says Collins had derived numerous security benefits from the new system. Firstly, he says they can now easily control what is happening to their network traffic. Instead of having to scroll through reams of logs which they were previously forced to do, they were now pointed “by exception” to significant events.

“We also have peace of mind that Tipping Point is not just reporting these incidents, but doing something about them, unlike a traditional intrusion detection system.”

Smith says they were also surprised at the number of “attacks” and “attention” the organisation’s servers were receiving. “Although our servers were patched correctly and all security exploits were failing, it was easy to see how simple it would be for someone if we were slow to apply our Microsoft patches.

“Interestingly, over time these attacks have died down because the Tipping Point IPS is just dropping this traffic, so to a hacker, it is like our servers just don't exist.”

Smith says his IT department were still learning about the big bad world of hacking, phishing and DoS attacks, but they now felt completely in control of the situation.

“We have the Tipping Point boxes being constantly updated by experts in the Threat Management Centre. The Digital Vaccines for Tipping Point are downloaded automatically via the server and applied so we are constantly protected from the growing and ever changing risks from the Internet,” he adds.

Another major benefit of the system, Taylor says, was that once the Tipping Point management server and IPS are placed into the network, they can be set to automatically update themselves with the continually refined and improved rules and policies being produced from the Tipping Point Threat Management Center.

Future upgrades

Smith also says that, whilst they couldn’t rule out the possibility of having to make further network security upgrades in the foreseeable future, at this point in time they felt they had installed a very successful solution to the ongoing and increasingly inventive risks from the Internet.

“We have no plans to add any more equipment, but we can simply do more with our existing Tipping Point box to further segment our network if we so desire,” he says.

Taylor adds that CDM and Tipping Point are continuing to work with Collins to ensure that they not only get the best protection for their network but are able to refine and retrieve valuable management level reports that give an overview of the security pressures their network is under.