Protecting the Network at the Dept. of Corrections
By Jerry Horton
As a technology professional, I am always interested in new developments in the workplace, such as the now ubiquitous bring your own device trend, which opens new and productive ways for employees to work remotely or on the go. Employees today know and like to use their own devices, which can help both productivity and training. In addition, independent surveys indicate that—thanks to BYOD—some employees may work an additional 20 hours per month for their companies. Unpaid.
However, in my experience, BYOD can be both a watershed and an enormous headache if not implemented properly. Protecting a corporate network from unauthorized access, rogue applications, malware, and loss or theft of confidential data is a challenge. It becomes much more complex and potentially even dangerous if you implement such a strategy without appropriate technology tools, such as next-generation firewalls, to intelligently weed out malicious traffic at multiple ports.
As the network systems manager for the sprawling Mississippi Department of Corrections (MDOC), a large part of my job is keeping sensitive data free from cyber-intrusions. Our network hosts prisoner and parolee data, a prisoner banking system, medical records, and reports and files on our staff, guards and investigators. If our network data is ever compromised, the ramifications are far-reaching at both the individual and the operational level.
Our 3,000 MDOC employees are spread out among the prison, field offices and jail facilities. We oversee inmates in three state prisons, four private prisons and 15 regional jails. In addition, we have a network of approximately 1,600 users in the field, including corrections, parole and probation officers. We also have authorized external users from agencies nationwide, such as the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), the U.S. Marshals Service and the Department of Homeland Security.
All of these personnel depend on access to the department’s application resources, including an Oracle-based offender-tracking system, inmate medical records, inmate banking system, and a probation and parole system, as well as Outlook email and file sharing.
BYOD Made Compliance Tough
A few years back, many of our employees started bringing in their own smartphones, laptops and similar devices. Several of them had software installed to do BitTorrent traffic. We thought we were protected by our Cisco ASA firewall, but it soon became evident that monitoring all the traffic at various ports—especially at the application layer—was not possible because we lacked visibility into our network.
Upshot: We were constantly under attack, and that made it very difficult to maintain compliance with the Mississippi Department of Information Technology Services (ITS) standards. Among the many issues we had was that our ASA firewall was compromising our field offices’ Web filtering, which meant traffic wasn’t getting filtered in large areas of our organization.
ITS kept a strict watch over our activities and sent notices via email. Let’s just say we had a lot of correspondence from ITS.
But that was all just a prelude. The scenario became a real problem when we found we were getting hit three or four times a week with the likes of Trojan.Zeroaccess, BlackHole, Backdoor and other attacks. As the number of issues increased, we also experienced vulnerabilities via peer-to-peer applications.
Another challenge arose from the fact that we had recently moved our Web filtering over to iPrism. But, because of how the ASA firewall functions, any of our field offices with a VPN tunnel terminating on the ASA firewall were allowed to bypass the iPrism box. This meant the data wasn’t being filtered. I spoke to our reps, but they couldn’t help because I was asking for a task the ASAs were not technologically equipped to do.
I remember saying, “Well, that’s not good because I’ve got hundreds of users out there in more than a hundred field offices who come in and connect like that. That’s not going to work.” This marked a clear shift in our strategy; we knew we had to deal with these issues and find a solution.
Remote access had become a big problem—especially with controlling third-party endpoints. Many of our regional jails and private prisons house about 8,300 of our inmates, and these facilities are required to use our system to track all their records. We don’t control those facilities, so we needed to make sure the records were protected.
We needed newer and more flexible firewalls—and stricter policies on BYOD and remote access.
Implementing Next-Generation Firewalls
The first thing we did was look at firewalls and a remote access solution that would offer us ways to scan and verify third-party endpoint devices, as well as allow our employees to connect to resources from outside the core network. Previously, remote access meant that we didn’t hear from our people for days; we needed to do better.
We did a lot of research and finally decided on Dell SonicWALL because the appliance offered the most flexibility, the best set of features and the easiest interface. Our choice was the E-Class Network Security Appliance (NSA) E5500 Next-Generation Firewall. It features application intelligence and control and can help us analyze and regulate thousands of unique applications, whether encrypted or not. In parallel, we installed the Aventail SRA EX6000, which gave MDOC a full-featured, thin-client “in-office” connectivity for up to 250 concurrent users from a single appliance.
I didn’t want to depend on just one box, so I deployed dual firewalls in high-availability mode to ensure that systems crucial to public safety would remain operational at all times and protect our data.
Then, as if on cue, right after we deployed the NSA E5500 and SRA EX6000, we had an attack. The Dell SonicWALL firewalls blocked it. We ran the report and realized that we were on the right track.
Everything became much simpler once these appliances were installed. For example, if someone was having an issue with running or accessing files or data, we could input the user’s address, scan the logs and see if the issue was at the firewall level. If so, we could view the traffic from the machine and drill down to discover the problem.
Ensuring Remote and Mobile Security
On a day-to-day basis, we have about 200 people in the field who need remote access. Our Aventail SRA EX6000 allows employees such as parole officers to conveniently and securely access parolee records. Similarly, our staff and officers can access email and MDOC resources from remote locations.
This solution has increased staff productivity and reduced costs for the department because administrative users have anywhere/anytime access to all the resources they need, and IT has secure, controllable access.
As we installed our new firewalls, we knew we needed BYOD policies that would help keep our sensitive mission-critical resources secure and easy for IT to control. Therefore, we implemented several new policies that allow only certain employees to bring their own devices. In our case, that applies to high-level executives, employees in the field (such as parole officers) and our investigators, who track down escaped prisoners.
We also developed a use agreement. Under that policy, people visiting the prisons or jail facilities may not bring in their own devices. If they do, we have to confiscate and possibly wipe them.
Our business is to keep inmates secured and guards secure. To achieve this goal, data security cannot be an afterthought: It is truly mission-critical when people’s lives and property are at a very real risk.
Ultimately, Dell SonicWALL firewalls gave us the ability to get the full picture of all our network traffic. Now we can go in and monitor the application layer—which we couldn’t do before—and have granular control. It all comes down to us knowing, rather than hoping, that the MDOC network, including the records all of its employees and inmates, is secure.
And one more thing: Since installing these products, we have achieved a 100 percent reduction in attack penetration.
Jerry Horton is the network systems manager for the Mississippi Department of Corrections.