Net Integration Gets Green Light

An assessment reveals many vulnerabilities to mitigate before a network merger can begin.

A couple of months ago, I described the problems that I uncovered in my initial assessment of the security issues that accompanied my company’s acquisition of a fairly large competitor [“Putting the Brakes on Net Integration,” Nov. 27]. Now I can report on what we did to resolve those issues.

Among the things our vulnerability assessment turned up were a lack of antivirus software, missing security patches, a nonexistent password policy and unsecured wireless access points. All of those problems would keep me from approving a Multiprotocol Label Switching (MPLS) network circuit between the acquired company’s main office in Connecticut and our own main corporate data center.

We also discovered that remote offices in Germany, Singapore and Malaysia all had point-to-point virtual private network connections running over regular Internet connections through local providers. The VPNs ran between the remote offices’ SonicWall firewalls and a Symantec firewall installed at headquarters in Connecticut. I wanted to obtain the security configurations of those three remote firewalls to validate the security policies that were in place. I was able to do that for Singapore, which looked fine. But I couldn’t get anywhere with Germany or Malaysia, where the third-party providers wouldn’t cooperate.

I had no choice; I had to consider those firewalls suspect and add them to the list of items that needed remediation before I could authorize the network team to activate the MPLS circuit.

To solve this dilemma, I sent one of my security engineers to Connecticut to swap out the Symantec firewall with a Juniper Networks SSG-550 unit. This fairly new line of firewalls is very nice. Not only are they standard firewalls, but they also provide antivirus protection, intrusion prevention and content filtering, and can serve as VPN concentrators. The Juniper product is an ideal platform for midsize to large remote offices (which the Connecticut office will be), since we don’t have to purchase separate devices for all of those chores. To give you a sense of how much easier this is, in the past, our standard bill of materials for a remote office included a Juniper NetScreen-204 or 208 firewall, a Blue Coat Systems Inc. appliance for Web filtering and caching, a Juniper Intrusion Detection and Prevention product or a Snort sensor for intrusion detection, and a Nortel Contivity VPN concentrator.

The firewall swap-out in Connecticut was successful, and we replaced the SonicWall firewalls in the offshore offices with Juniper NetScreen-50 firewalls, since they were very small offices.

Turning my attention to antivirus and software vulnerabilities, I mandated that all servers and desktops be configured with Trend Micro OfficeScan, updated with the latest security patches and configured for automatic updates. Our acquisition didn’t use Microsoft’s Systems Management Server patch management service or an automated means of pushing out software or configuration settings. That meant each machine would have to be attended to individually, and that could take a while. Besides its headquarters in Connecticut, our acquisition has a large office in New Mexico. Those two locations each had two IT guys serving about 200 employees. To speed up the process, I had each location hire contractors to help out. They were instructed to upgrade the desktops, install the Trend Micro antivirus software, update the security patches and enable automatic updates so that the desktops would remain compliant. Within a week, we had a 95% compliance rate, which I considered a success.

I also had the IT guys configure a domain password policy to meet our corporate standard. Users had been free to create any password they wanted, and about 65% of those passwords could be cracked in less than an hour.

Next up were wireless access points. APs were connected to the company’s internal network, with the SSID being broadcast and a shared WEP key used to associate to the AP. Our company standard is to terminate APs on a separate virtual LAN and have users tunnel into the company network via the VPN for Internet and intranet access. We also use WPA and TKIP, which is a much more robust encryption standard. Unfortunately, the acquisition’s APs were old and didn’t support current security standards. Since only a couple of people were using wireless, I simply had the APs removed for now. Wireless will be reinstated when our network team installs our corporate-standard APs, Cisco Aironet 1200s.

Final Obstacle

Of course, nothing in IT goes as planned, and the remediation was no exception. Just when things seemed to be going smoothly, management announced a layoff of about 85 acquisition employees. This is a huge cut in a company with a workforce of about 400. So, on top of the remediation, I had to come up with a plan to ensure that network access would be terminated for departing employees upon notification and that no opportunities for intellectual property theft would arise. Fortunately, our review of the acquisition’s architecture had provided me with a solid understanding of the various points of entry, from physical access to dial-up modems, and we were able to effectively remove access within a few hours after the notifications started.

Finally, at the end of the first week of the new year, I gave the network team the green light to install the MPLS circuit. The network technicians had been hounding me for the go-ahead, but I waited until I felt that we had laid the groundwork for a safe connection. But we’ll be keeping an eye on things now that our networks are merged, since there are risks. For example, if any malicious code is propagating through the acquisition’s network, it could make its way to the rest of what is now one corporate network.

What Do You Think?

This week’s journal is written by a real security manager, “Mathias Thurman,” whose name and employer have been disguised for obvious reasons. Contact him at, or join the discussions in our security blogs:

To find a complete archive of our Security Manager’s Journals, go online to

Copyright © 2007 IDG Communications, Inc.

Shop Tech Products at Amazon