Computerworld - A couple of months ago, I described the problems that I uncovered in my initial assessment of the security issues that accompanied my company’s acquisition of a fairly large competitor [“Putting the Brakes on Net Integration,” Nov. 27]. Now I can report on what we did to resolve those issues.
Among the things our vulnerability assessment turned up were a lack of antivirus software, missing security patches, a nonexistent password policy and unsecured wireless access points. All of those problems would keep me from approving a Multiprotocol Label Switching (MPLS) network circuit between the acquired company’s main office in Connecticut and our own main corporate data center.
We also discovered that remote offices in Germany, Singapore and Malaysia all had point-to-point virtual private network connections running over regular Internet connections through local providers. The VPNs ran between the remote offices’ SonicWall firewalls and a Symantec firewall installed at headquarters in Connecticut. I wanted to obtain the security configurations of those three remote firewalls to validate the security policies that were in place. I was able to do that for Singapore, which looked fine. But I couldn’t get anywhere with Germany or Malaysia, where the third-party providers wouldn’t cooperate.
I had no choice; I had to consider those firewalls suspect and add them to the list of items that needed remediation before I could authorize the network team to activate the MPLS circuit.
To solve this dilemma, I sent one of my security engineers to Connecticut to swap out the Symantec firewall with a Juniper Networks SSG-550 unit. This fairly new line of firewalls is very nice. Not only are they standard firewalls, but they also provide antivirus protection, intrusion prevention and content filtering, and can serve as VPN concentrators. The Juniper product is an ideal platform for midsize to large remote offices (which the Connecticut office will be), since we don’t have to purchase separate devices for all of those chores. To give you a sense of how much easier this is, in the past, our standard bill of materials for a remote office included a Juniper NetScreen-204 or 208 firewall, a Blue Coat Systems Inc. appliance for Web filtering and caching, a Juniper Intrusion Detection and Prevention product or a Snort sensor for intrusion detection, and a Nortel Contivity VPN concentrator.
The firewall swap-out in Connecticut was successful, and we replaced the SonicWall firewalls in the offshore offices with Juniper NetScreen-50 firewalls, since they were very small offices.
Turning my attention to antivirus and software vulnerabilities, I mandated that all servers and desktops be configured with Trend Micro OfficeScan, updated with the latest security patches and configured for automatic updates. Our acquisition didn’t use Microsoft’s Systems Management Server patch management service or an automated means of pushing out software or configuration settings. That meant each machine would have to be attended to individually, and that could take a while. Besides its headquarters in Connecticut, our acquisition has a large office in New Mexico. Those two locations each had two IT guys serving about 200 employees. To speed up the process, I had each location hire contractors to help out. They were instructed to upgrade the desktops, install the Trend Micro antivirus software, update the security patches and enable automatic updates so that the desktops would remain compliant. Within a week, we had a 95% compliance rate, which I considered a success.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
