GEHA Taps Network Access Control to Close a Security Loophole
Secure building access and fortified IT perimeters provided little comfort when a network threat appeared internally at Government Employees Health Association. "Late in 2005 an unfamiliar host name obtained an IP address," recalls Justin Gerharter, senior systems engineer for GEHA, which provides health insurance for federal employees. "We hunted it down and discovered a consultant had plugged in a laptop. It was the slap in the face that turned network access control [NAC] from a want into a need."
Independence, Mo.-based GEHA ($1.8 billion in premium income) immediately began researching options, but "the field was too immature and existing solutions would have added too much network complexity," explains David Woy, GEHA's network services manager. "So we waited a year. By late 2006 NAC/intrusion-prevention combinations were on the market, solving two challenges for the price of one."
In early 2007 GEHA narrowed its focus to a software solution from a major networking vendor and an appliance-based option from Mountain View, Calif.-based Nevis Networks that provides both pre- and post-connect endpoint security monitoring. "The established vendor didn't include intrusion prevention, nor could they demonstrate a completely working system," Woy claims. "On the other hand, Nevis had full production installs, ... intrusion prevention was included and the system was a vendor-agnostic drop-in solution. As a whole, Nevis was overwhelmingly less expensive both initially and long-term."
A contract was signed and equipment was delivered by September 2007. "Getting it up and running using the IT department as the test environment took only four hours," reports Gerharter, adding, "Efficiency and self-service were other attractions -- for every task Nevis quoted, the established vendor had estimated it would take 10 times longer, with the vendor performing the work."
After running the solution for two weeks in IT, GEHA began migrating the balance of its 800-user Microsoft (Redmond, Wash.) Windows-enabled LAN onto the Nevis appliance. Within two months it was protecting more than 2,000 access ports. "Our biggest problem occurred when a technician took a thin client off the shelf and Nevis prevented it from accessing the network because it hadn't been mapped into the appliance yet," Gerharter notes. "We resolved that by entering our entire hardware inventory into the appliance."
The NAC solution was fully deployed by November 2007. "Almost immediately an employee called to complain that his laptop was unable to access the network," says Woy. "Sure enough, he'd brought in a personal laptop from home."
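The two incidents above, the 2005 "unfamiliar host name obtained an IP address" discovery and the later fix of loading the whole hardware inventory into the appliance, come down to one control: compare every address lease against a registry of known devices and hold anything unregistered. The following is an added illustration of that logic in Python, written for this article; it is not GEHA's or Nevis Networks' code. The inventory, the DHCP log lines (in ISC dhcpd's DHCPACK syslog format) and the MAC addresses are all constructed, and the "quarantine"/"review" actions are assumed names for whatever the appliance would actually do.

```python
"""Inventory-based access decisions over DHCP lease events (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample hardware inventory: MAC address -> registered host name.
# This dict stands in for the inventory GEHA loaded into the NAC appliance.
INVENTORY = {
    "00:11:22:33:44:55": "ws-finance-01",
    "00:11:22:33:44:66": "thinclient-204",
    "00:11:22:33:44:77": "srv-citrix-01",
}

# Constructed DHCP server syslog lines. The third line is the "consultant
# laptop" case: a host name nobody recognises, on a MAC not in the inventory.
SAMPLE_LEASE_LOG = """\
Dec 12 09:14:02 dhcp1 dhcpd: DHCPACK on 10.20.4.17 to 00:11:22:33:44:55 (ws-finance-01) via eth0
Dec 12 09:15:40 dhcp1 dhcpd: DHCPACK on 10.20.4.31 to 00:11:22:33:44:66 (thinclient-204) via eth0
Dec 12 09:22:11 dhcp1 dhcpd: DHCPACK on 10.20.4.88 to aa:bb:cc:dd:ee:ff (CONSULTANT-LT) via eth0
Dec 12 09:30:05 dhcp1 dhcpd: DHCPACK on 10.20.4.89 to 00:11:22:33:44:99 via eth0
Dec 12 09:41:27 dhcp1 dhcpd: DHCPACK on 10.20.4.90 to 00:11:22:33:44:77 (laptop-xyz) via eth0
Dec 12 09:41:28 dhcp1 dhcpd: DHCPREQUEST for 10.20.4.90 from 00:11:22:33:44:77 via eth0
"""

# Only acknowledgements matter: that is the moment a device actually holds an address.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class LeaseEvent:
    ip: str
    mac: str
    hostname: Optional[str]  # dhcpd omits the parenthesised name if the client sent none


@dataclass(frozen=True)
class Decision:
    event: LeaseEvent
    action: str  # assumed action names: "allow", "quarantine" or "review"
    reason: str


def parse_lease_events(log_text: str) -> list:
    """Extract (ip, mac, hostname) from every DHCPACK line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m is None:
            continue
        events.append(LeaseEvent(m["ip"], m["mac"].lower(), m["host"]))
    return events


def decide(event: LeaseEvent, inventory: dict) -> Decision:
    """Allow only devices whose MAC and host name both match the inventory."""
    registered = inventory.get(event.mac)
    if registered is None:
        # The thin-client case from the article: unknown hardware is held, not admitted.
        return Decision(event, "quarantine", "MAC not in hardware inventory")
    if event.hostname is None:
        return Decision(event, "review", "inventoried device sent no host name")
    if event.hostname.lower() != registered.lower():
        # Known MAC but a different name: re-imaged box, or someone borrowing an address.
        return Decision(event, "review",
                        f"host name {event.hostname!r} does not match inventory {registered!r}")
    return Decision(event, "allow", "matches hardware inventory")


def audit_leases(log_text: str, inventory: dict) -> list:
    """Run the inventory check over a whole lease log and return one Decision per lease."""
    return [decide(e, inventory) for e in parse_lease_events(log_text)]


if __name__ == "__main__":
    for d in audit_leases(SAMPLE_LEASE_LOG, INVENTORY):
        print(f"{d.action:10} {d.event.ip:12} {d.event.mac}  {d.reason}")
```

Run as a script it prints one decision per lease: the two inventoried workstations are allowed, the consultant laptop and the nameless unknown MAC are quarantined, and the inventoried MAC that shows up under a different host name is flagged for review rather than blocked outright. The last case is the one a pure MAC allowlist misses, and it is why loading the inventory with host names, not just addresses, is worth the data-entry effort the article describes.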
Unfortunately the intrusion-prevention component fell a bit short. "It was impossible to selectively turn on intrusion prevention for testing with a subset of users," Gerharter explains. According to Nevis, the requested functionality will be available in mid-2009.
Regardless, GEHA continues to leverage the Nevis appliance to improve network control. "By the end of the first quarter [of 2009] we'll have all of our Citrix [Fort Lauderdale, Fla.] servers protected by Nevis," notes Woy. "This will benefit our company's new telecommuting initiative. Using the rules-based capabilities of the NAC, we'll give telecommuters self-service tools that enable our system to scan their home setup to ensure they've applied all of the relevant upgrades and security patches."
Case Study Profile
company: Government Employees Health Association (GEHA; Independence, Mo.; $1.8 billion in premium income).
lines of business: Health insurance.
vendor/technology: Nevis Networks' (Mountain View, Calif.) Network Access Control (NAC) appliance.
challenge: Improve LAN security and management.
Anne Rawland Gabriel is a technology writer and marketing communications consultant based in the Minneapolis/St. Paul metro area. Among other projects, she's a regular contributor to UBM Tech's Bank Systems & Technology, Insurance & Technology and Wall Street & Technology ...