
This article can also be found in the Premium Editorial Download "Information Security magazine: Spotlight on the incident response hot seat."


Only after Perez exhausted the useful pieces of his existing infrastructure did he fill the gaps with new investments.

"We realized that if we were going to consolidate and still match or exceed performance, this was the time to go in some new directions," Perez says. A transition plan for phasing in new technology was roughed out, based on feedback from United's business units and IT department. Representatives from United's pilot and flight attendant organizations also took part, as did several airport reps and the company's internal corporate audience. A plan was built around the business needs of each United appendage and the technology requirements put forth by IT.

The assessments showed that divisions using a Cisco Systems IDS were having the greatest success at detecting attacks and malicious activity. Perez decided to rip out the myriad other IDS solutions and standardize on CiscoWorks Security Information Management Solution v2.2, believing United could replicate the product's success across all divisions while driving down costs through decreased training and maintenance expenses.

Performance testing was conducted on baseline legacy data, and comparison analyses were done on throughput and security levels as new systems were implemented.

Similarly, Perez found that United was getting a lot out of its software security solutions; supporting the hardware that these solutions resided on was the problem. To simplify the network and reduce hardware costs, United turned to Crossbeam Systems' high-performance security appliances for hosting Trend Micro's AV and content filtering, as well as Secure Computing's SmartFilter URL filters. The cost savings were apparent from the start, and United's security improved.

Choices like these helped Perez make the financial case. "The hardware investment helped us consolidate and leverage our existing investment in software."

Perez believes United will further reduce security costs through less-expensive support and maintenance contracts. Less training and staff support will be required, since everyone will be using the same equipment.

Consolidation, however, wasn't always the answer. United was trying to cut as much cost as possible, and if that meant leaving multiple, cheap software programs running where one expensive one would do, Perez's hands were tied. For example, United ran three separate software packages to handle URL content filtering and antivirus.

In particular business units, however, United standardized on Aladdin's eSafe product suite.

As a major buyer, the airline was able to gain considerable negotiating leverage when it went shopping for a single-source solution to handle both functions. However, if the Trend Micro and Secure Computing combination worked and was cost effective for a particular unit, it stayed.

"We had to justify everything we did through cost-savings," Perez says. "If it cost more money than the present model, we weren't doing it."

Virtually First Class
Perez admits that there are trade-offs with any rearchitecting project. On one hand, a consolidated system gives the IT team centralized control over security. The flip side, of course, is that the single centralized system gives hackers and malware writers a bigger target. For all its faults, a fragmented, heterogeneous infrastructure at least limits the damage an intruder can do. "If you do compromise one thing, you don't get the whole store in a diverse infrastructure," says Gary Morse, president of security consultancy Razorpoint Security Technologies.

The key to securing a standardized network is in making a distinction between "fragmentation" and "segmentation." Fragmentation leaves pieces scattered about; segmentation brings everything under one roof, but builds partitions between different business units and information repositories to preserve integrity.

United decided that virtualization was the best way to segment its new network because it provided the same effect as physical separation, but without the expense of purchasing and deploying new hardware.

"As we consolidated, we took a lot of these infrastructures and kept them logically segmented through virtual technology, even if they were physically all one unit," Perez says. "With virtualization, we can build in a lot of diversity within an infrastructure while still creating a lot of resilience. This way, we avoided the 'all your eggs in one basket' scenario."

In such architectures, legacy divisions and interdepartmental barriers are preserved with virtual partitions. Behind the scenes, data is discretely divided. Yet, everything exists within a unified framework that's easier to manage and less costly to maintain.
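The difference between a consolidated-but-partitioned network and a flat one is something a practitioner can check rather than take on faith. The following is an added example, not code from the article, from United or from any vendor named in it; the zone names, allow rules and port numbers are constructed assumptions chosen to mirror the business units the article mentions. It models the policy between logical partitions as allow rules, computes the "blast radius" an intruder gets from any one compromised zone by following allowed flows transitively, and flags any business unit that can pivot into another. The same check run against a flat policy with no partitions shows the "whole store" outcome the consultant warns about.

```python
"""Blast-radius check for a logically segmented network (added example).

Constructed for illustration, not United's or any vendor's code.  Zone
names, rules and ports are assumptions; only the algorithm is the point.
"""
from collections import deque

# Each rule is (source_zone, destination_zone, tcp_port) in the initiator
# direction.  A stateful firewall is assumed, so replies need no rule.
# Constructed segmented policy: each unit reaches a shared-services
# segment, and only the corporate unit reaches its own database.
SEGMENTED_RULES = [
    ("pilots", "shared-services", 443),
    ("flight-attendants", "shared-services", 443),
    ("airports", "shared-services", 443),
    ("corporate", "shared-services", 443),
    ("corporate", "corporate-db", 1433),
]

BUSINESS_UNITS = ["pilots", "flight-attendants", "airports", "corporate"]
ALL_ZONES = BUSINESS_UNITS + ["corporate-db", "shared-services"]

# Constructed "everything merged, no partitions" policy: any zone may reach
# any other zone.  Port 0 stands for "any port".
FLAT_RULES = [(src, dst, 0) for src in ALL_ZONES for dst in ALL_ZONES if src != dst]


def reachable(start, rules):
    """Zones an intruder who holds `start` can pivot to by following allowed
    flows transitively (breadth-first search over the rule graph)."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for src, dst, _port in rules:
            if src == current and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)          # the foothold itself is not a pivot target
    return seen


def blast_radius(rules, zones):
    """Map every zone to the set of zones that fall with it."""
    return {zone: reachable(zone, rules) for zone in zones}


def unit_isolation_violations(rules, units):
    """Pairs (a, b) of business units where a compromise of a reaches b.
    An empty list means the partitions between units hold."""
    return [(a, b) for a in units
            for b in reachable(a, rules) if b in units and b != a]


if __name__ == "__main__":
    for name, rules in (("segmented", SEGMENTED_RULES), ("flat", FLAT_RULES)):
        radius = blast_radius(rules, ALL_ZONES)
        worst = max(len(zones) for zones in radius.values())
        print(f"{name}: largest blast radius {worst} of {len(ALL_ZONES) - 1} "
              f"other zones, unit-isolation violations: "
              f"{len(unit_isolation_violations(rules, BUSINESS_UNITS))}")
```

Feed `reachable` and `unit_isolation_violations` the rule set exported from a real firewall or virtual-switch policy and the result is a concrete list of partitions that do not actually partition. Note that the model only follows rules in the initiator direction; if the policy in question also permits flows the shared segment can initiate back into the units, those rules belong in the list too, and the shared segment then becomes the pivot the check should catch.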

"The fewer doors, the fewer that you have to lock," Perez says.

Moreover, the changes are essentially transparent to users. Avoiding huge cultural changes was every bit as important to Perez as any adjustments made in terms of hardware and software. He wanted a seamless transition, reducing complexity and increasing usability. The magic of security would remain behind the scenes.

This was first published in March 2005
