Setting Policies

By Chris Johnson  |  Posted 2010-06-28

Established in 2000, US GreenFiber manufactures natural-fiber insulation, fire and sound products. The Charlotte, N.C.-based company, with eight manufacturing plants throughout the United States, sells its products to building-supply retailers, manufactured-housing builders and insulation contractors.

In the face of changing technology and company growth, GreenFiber recently revamped its security strategy. Chris Johnson, senior system administrator, explains how the company strengthened its security defenses to protect its business-critical data, while significantly reducing operating costs and data center real estate.

As US GreenFiber’s business continues to grow, we’re inevitably plagued with a new slew of cyber-threats. External threats—including phishing, Trojans and malware—have always been on the top of our radar, as well as being a high priority in how we approach network security. What haven’t always been top of mind are the internal threats brought about unwittingly by our employees.

The landscape has changed significantly in the last few years, with Web 2.0 applications transforming how we approach our security initiatives and corporate policies. The use of social networking sites like Facebook, MySpace and LinkedIn has added another layer of complexity as a new target for cyber-criminals.

Whether they know it or not, our employees can easily help hackers carry out massive data breaches through these new social platforms. Additionally, although cloud computing has helped take data storage off our shoulders, it presents a new challenge in determining how and where we protect our sensitive information.

These emerging technologies, along with company growth, have forced us to reevaluate how we secure our network, while also increasing performance and efficiency to decrease costs and meet the demands of our growing business. We took an all-in-one consolidated security approach to address new technology trends. By shoring up our security defenses to protect our business-critical data, we were able to cut the overall operating costs associated with managing fewer appliances and to reduce data center real estate.

Less Becomes More

To reduce corporate costs, we recently moved from a frame-based network to a Paetec multiprotocol label switching (MPLS) network. To support the new network, we purchased Fortinet’s FortiGate-500A and multiple FortiWifi-60B appliances. Even with the cost of adding the new appliances, we were able to recoup roughly $5,000 in the first month because of the cost savings associated with going from a frame-based network to an MPLS network. We also realized a year-over-year saving of $84,000.

Our new network security infrastructure includes multiple FortiGate-500A appliances deployed at our corporate data center and a FortiAnalyzer appliance for centralized logging and network analysis, as well as a FortiManager appliance for managing all appliances, no matter where they are located throughout our network. The FortiManager appliance enables the IT staff to easily manage our corporate data center’s cloud-based firewall, eight plants and four home offices from one platform.

In addition, the newly designed MPLS network includes FortiWifi-60B appliances at each plant, which has allowed our IT team to offload content filtering, an intrusion prevention system (IPS) and antivirus functionality. This increased the speed of the overall network, enabling our users to directly access resources such as the Internet, e-mail and other business applications without having to route all the data back through our corporate data center.

One of the biggest benefits we’ve experienced with our new security deployment has been the ability to make our environment less complex by eliminating extra appliances. Our network security revamp also enabled us to reduce energy costs by 14 cents an hour and realize significant space savings with the removal of unnecessary appliances.

We were able to consolidate multiple vendors’ appliances into a few Fortinet appliances, thereby reducing expensive data center real estate, which is extremely valuable to a company our size. And even with the extra security appliances, we also were able to scale back 5U worth of rack space.

Setting Policies

In addition to deploying a consolidated security infrastructure, our IT and management teams developed internal policies to shape the way our employees use social networking as business tools. We developed policies that would protect against both internal and external security threats, such as data leakage.

To reassure employees who may have worried that IT was playing Big Brother, our IT department held lunch-and-learn sessions to communicate corporate, remote and plant policies. Open forum and e-mail communications to employees focused on how the policies are meant to protect business-critical data.

The application-control feature in our security appliances allows us to set policies to control who is permitted to use Web applications. Social networking sites are a business tool for our corporate employees, but Fortinet’s application-control functions ensure that unnecessary features such as MySpace or Facebook chat aren’t activated. Other social applications, including AOL Instant Messenger and Yahoo! Messenger, are allowed, but chats are stored and logged within the FortiAnalyzer appliance in case a situation arises that makes it necessary to review IM conversations.

Being able to allow and disallow specific parts of these social networking tools as needed is invaluable because it further protects us from possible threats. Application control is the one additional step our IT team is taking to protect GreenFiber from data leakage and other threats.

Evolving and New Threats

In the past year, our IT team deployed a private cloud on VMware’s vSphere to host many internal applications, including an internal Microsoft SharePoint site, Crystal Reports and Outlook WebAccess. We have been able to stop scores of attacks on these applications through Fortinet’s intrusion detection and prevention functions.

Fortinet data leakage prevention (DLP) technology has helped us secure the movement of confidential and sensitive company and personal information. Confidential data traversing through our network—including Social Security numbers and credit card information—is now protected. This helps us safeguard our customers and employees from having their data maliciously siphoned off by either external or internal threats.

Security affects all aspects of IT, even areas that people rarely consider, such as the help desk. A business help desk is the reactive department of an IT organization: The less they have to react to employee requests for assistance, the more operational the business as a whole is.

Because of our network security deployment, we have experienced a dramatic decrease in help desk calls regarding spam, malware, viruses and computer/network latency issues. Our help desk tracking software, Numara’s Track-IT!, shows that we have reduced help desk calls by about 32 percent. This is just one way our IT team measures the success of the security deployment at GreenFiber.

Our IT team is always looking for innovative techniques to secure the information of our business, our employees and our customers—and to thwart security threats that are evolving daily as cyber-criminals continue to get smarter and more malicious. We will “tiger team” our network infrastructure [test its security by attempting to defeat it] from time to time by means of social engineering, localize denial-of-service attacks on our test-bed cloud and explore exploitation frameworks such as Metasploit.

These efforts help our IT team defend against both external and internal threats, while achieving business objectives that help our bottom line. That approach will enable US GreenFiber to grow steadily and securely.

Chris Johnson, the senior system administrator for US GreenFiber, has more than 10 years of experience in the information technology field. Prior to joining US GreenFiber, he worked for Newell Rubbermaid, General Dynamics and Lead Technologies.