Health trust finds a way to block attacks quickly


A year ago, Homefirst Community Trust was struggling to keep up with the flood of patches for new software vulnerabilities. IT manager Pat Black tells Ron Condon how he managed to get security under control.

Like most other IT managers, Pat Black started to get very worried last year when the wave of new software vulnerabilities put his staff under increasing pressure to apply patches quickly.

As IT manager for Homefirst Community Trust, the largest health and social services community trust in Northern Ireland, he realised that any breach of the system could cause a breakdown in services or the loss of private data.

"We were not getting all the patching done quickly enough, and there were certainly vulnerabilities," he says.

At a meeting of the organisation's risk assessment committee, Black flagged up the danger as serious, and was given the green light to find a suitable solution that would help the team rise to the challenge.

Searching for, and finding, a solution

At first, he went hunting for patch management systems, and looked at a range of products from the likes of St. Bernard, Bigfix, Shavlik and Microsoft SMS.

Immediately, Black ran into problems because many products could not handle the mix of Windows 98 and XP that Homefirst still runs. Broadening his search, he realised he needed something more proactive to help control more than 2,000 PCs spread over more than 100 locations in the province.

As he explains: "The problem with patching is that it's reactive – you're playing catch-up all the time. We share a network with the rest of the NHS in Northern Ireland and have one point of access to the internet. If for any reason that access was down, we'd be unable to access patches. We needed to get some breathing space, so that if we can't get hold of the patch, we can prevent ourselves being infected in the meantime."

This led him to choose a set of solutions from Sygate Technologies that did not do patch management, but which he felt could help him gain greater control over the range of machines on the network, and provide that necessary "breathing space".

The Sygate Secure Enterprise (SSE) suite consists of a growing range of elements that enable devices on the network to be monitored and updated from a central point. Black chose the Sygate desktop firewall plus management software that would allow him to monitor, deploy and enforce policies around the organisation.

The key benefit is that it enables every employee to work flexibly and securely, without slowing the performance of individual machines. The organisation is able to adapt the security policy for individual users, because SSE recognises different user environments such as dial-up, LAN connection and WiFi. As SSE detects the connection type, pre-assigned policies for that environment can be automatically implemented on the fly without any user interaction.

The system drills down to a fine-grained level of analysis and is able to deny all services except those specifically permitted by the enterprise security policy. SSE can hide endpoints from port scanning and also filter both outbound and inbound traffic. It can also centrally log suspicious traffic for full audit and analysis. The set-up and alteration of any policies are centrally configured, administered and delivered to each remote machine automatically at preset check-in intervals.

According to Black, SSE also alerts Homefirst as soon as any potential security problem arises, providing time to take necessary preventative measures before any damage can be caused – the breathing space he wanted.

Satisfied and pushing for more

The way the system is applied to the network means that any ports or applications that are made vulnerable by the emergence of a new worm or virus such as the Blaster variants can be very quickly identified and shut down, stopping infection and preventing its spread throughout the organisation.
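The policy behaviour described above (a rule set chosen by connection type, everything else denied, a centrally pushed block for a port a new worm is using, and denied traffic logged for reporting) can be sketched as follows. This is an added illustration, not Sygate code or configuration; the policy table, class and function names, addresses and ports are all constructed for the example.

```python
from collections import defaultdict

# Constructed policy: per-connection-type allow-lists of (direction, proto, port).
# Anything not listed for the detected connection type is denied (default deny).
ALLOW = {
    "lan":    {("in", "tcp", 445), ("out", "tcp", 445), ("out", "tcp", 80), ("out", "tcp", 443)},
    "dialup": {("out", "tcp", 80), ("out", "tcp", 443)},
    "wifi":   {("out", "tcp", 443)},
}


class EndpointFirewall:
    def __init__(self, allow):
        self.allow = allow
        self.emergency_block = set()   # (proto, port) pairs pushed from the centre
        self.audit_log = []            # denied packets, kept for central reporting

    def push_emergency_block(self, proto, port):
        """Centrally delivered override: wins over every allow rule."""
        self.emergency_block.add((proto, port))

    def decide(self, location, direction, proto, port, peer):
        if (proto, port) in self.emergency_block:
            reason = "emergency-block"
        elif (direction, proto, port) in self.allow.get(location, set()):
            return "allow"
        else:
            reason = "default-deny"    # also covers unknown connection types
        self.audit_log.append({"peer": peer, "dir": direction, "proto": proto,
                               "port": port, "reason": reason})
        return "deny"


def scan_report(audit_log, min_ports=3):
    """Peers that hit at least min_ports distinct denied inbound ports."""
    probed = defaultdict(set)
    for entry in audit_log:
        if entry["dir"] == "in":
            probed[entry["peer"]].add(entry["port"])
    return {peer: sorted(ports) for peer, ports in probed.items() if len(ports) >= min_ports}


def demo():
    fw = EndpointFirewall(ALLOW)
    before = fw.decide("lan", "in", "tcp", 445, "10.0.0.7")   # allowed by the LAN policy
    fw.push_emergency_block("tcp", 445)                        # unpatched service on 445
    after = fw.decide("lan", "in", "tcp", 445, "10.0.0.7")    # same packet, now denied
    for port in (135, 139, 5554):                              # constructed probe traffic
        fw.decide("lan", "in", "tcp", port, "10.0.0.99")
    return before, after, scan_report(fw.audit_log)
```

The emergency block is checked before the allow-list, so a port can be closed on every connection type without rewriting each per-location policy, and removed again once the patch has been applied.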

"Vendors say you should apply patches in a controlled environment, but we don't have the luxury of having a complete mirror of our systems," he explains.

"So having the firewall in place gives us a bit of time to make sure there is no actual damage done. We can do a bit of research on the internet to make sure the patch isn't going to crash the systems and create more problems. Then we apply it."

Although the system is still going through final tests, it has already begun to pay dividends. During the recent Sasser worm attack in May, Black was able to report a completely clean sheet.

"During the recent Sasser attack, we were able to report port-scanning activity, but we got no infection. We are seeing activity that we would not have been aware of before," he says.

"We are now in a position to know what is happening on the network and to report that back to the centre. It is a comfort-factor. That was definitely the proof of concept for us."

He says the installation has gone without any major problems, and his one fear – that the overall performance of machines and networks would suffer – has proved unfounded. "We were worried initially about the effect on bandwidth and performance. We feared the polling traffic might swamp the network," he recalls.

But when they tested the Sygate agent, it had "almost no noticeable effect on the individual machines' performance". And it is very controllable, in terms of how often it communicates with the management server and how much information is exchanged. "We have turned it down to a low level so that it has little to no effect," he says.

The Sygate management software, which runs on a Windows 2000 server, is a Java application that Black describes as "well-designed and easy to use. You can hit it with a browser from anywhere – it is SSL secured."

Although the reporting facilities of the system are fairly basic, he says they provide him with all the information he needs about system alerts.

"The more we use it, the more use we can see for it. The Host Integrity module can check for all sorts of things, and force things down on to machines – not just Microsoft patches, but also application updates," he says.

One example is a start-up file that reminds people of health and safety rules. If the rules change, then the new file can be downloaded so that it appears the next time people start their machines.

"It doesn't do patch management as such, but you can use it to enforce policy rules. If the patch is not in place, you can use it to tell the machine where to go to fetch the new patch and apply it," he explains.

Once the system is fully deployed, Black sees a major reduction in the amount of time his staff will need to spend in going out to deal with individual machines. The other big benefit is the heightened awareness of what is actually happening out on the network.

"We were never aware of suspicious network activity before," he says. "Now within ten minutes we get an email telling us which machine is being attacked and which ports are being scanned. It will be a big saver of time."

With the added control, Black is also pressing Sygate to add new functions. "I told the Sygate engineer that it would be great to do inventory and software licensing. He replied that they were 'working on it'. The agent is reporting back what is on the machine, so it's an obvious next step."


Copyright © SC Magazine, US edition