Bradford’s Adaptive Network Security Platform has been successfully deployed in a variety of real-world environments to address a range of security requirements. Below are examples of some of those use case scenarios.
Example #1 - Dynamic Provisioning of Network Access
A county hospital is in the midst of rolling out a variety of new medical equipment, including hundreds of new devices that must attach to its network. The CIO is expected to complete the rollout in just days with existing IT staff who are already over-tasked with other responsibilities.
Solution & Benefits
ANS automates the process of provisioning network access for new medical devices, which minimizes the burden on IT staff for moves/adds/changes, while at the same time protecting against unauthorized access by unknown devices.
- A technician plugs a new medical device into a port on the hospital’s network
- Before network access is allowed, the following process takes place:
  - The medical device is automatically discovered and profiled to determine its type
  - Information about the device is correlated in the ANS policy database
  - Network access is dynamically provisioned based on the appropriate policy
- Access rights are determined based on the identity and profile of the device
Example #2 - Dynamic Enforcement of Endpoint Security Policy
Due to the sensitive nature of its data, a large bank requires all employees to have data encryption enabled on their computers when transferring information across the network. However, the bank does not have a way to proactively enforce this policy.
Solution & Benefits
ANS automates policy enforcement by integrating a number of disparate security functions, most of which already exist within the network environment. Policy compliance can now be ensured without burdening IT staff, and sensitive data on the network will be protected via encryption.
- An employee attempts to connect to the network using a laptop
- Before network access is allowed, the following process takes place:
  - The employee is required to authenticate (log in) using valid credentials
  - The laptop is automatically profiled to determine what type of device it is
  - The laptop is automatically scanned to verify that data encryption is enabled
  - This information is correlated in the ANS policy database
  - Network access is dynamically provisioned based on the appropriate policy
- If the employee logs in successfully and the laptop has encryption enabled, network access is granted; otherwise access may be denied or restricted
- The employee logs into an application on a network server
- The application queries the ANS policy database to validate policy compliance (in this case, that data encryption is enabled)
- The ANS policy database validates policy compliance and grants access to the application server
Example #3 - Dynamic Provisioning of Network Access
An employee of a large corporation is working on his laptop while connected to the company’s network. Unknown to the employee, malware on the laptop generates a denial of service attack on a server which could take the server down and lead to costly productivity losses for the company.
Solution & Benefits
ANS leverages a number of disparate security functions within the network environment to detect the DoS attack, confirm the validity of the attack, stop the attack (at the point of access) and notify IT personnel. The offending laptop is quickly isolated to minimize impact to the network and the organization.
- A laptop on the network launches a denial of service (DoS) attack on a network server
- An IPS in the network detects anomalous traffic from the DoS attack and communicates information about the attack to the ANS policy database
- The ANS policy database identifies the offending laptop by correlating IP address, MAC address, device profile, and location data, as well as the employee’s identity and role
- The offending laptop is dynamically isolated from the network to stop the DoS attack
  - ANS isolates the laptop at its point of connection to the network, i.e., at the switch port or wireless access point, to completely eliminate the threat
- IT personnel are automatically alerted of the attack
Example #4 - Delegation and Off-loading of IT Tasks
A university IT team is overburdened with daily administrative tasks that prevent IT staff from focusing their time on important projects. The workload results in recurring overtime costs and missed project deadlines. Examples include:
- The university hosts numerous educational conferences throughout the year. Each conference requires involvement from IT to set up temporary network accounts for conference attendees, numbering from as few as 10 to as many as 100 people per conference.
- Several departments at the university outsource work through contractors, auditors, and other non-university personnel who require network access. Setting up network access for each of these “guest” users requires direct involvement of IT staff on a daily basis.
- New “IP-enabled” devices are connected to the university’s network every day. Many of these devices (vending machines, laundry machines, IP surveillance cameras, and others) are the responsibility of other departments, yet IT staff members are tasked with adding new devices to the network and provisioning appropriate network access policies.
Solution & Benefits
ANS relieves IT staff from the daily burden of provisioning network access for new users and devices, while at the same time empowering authorized sponsors in other departments to do their own jobs more efficiently and productively.
- IT creates policies that empower “sponsors” from other departments to have limited administrative control over a specified set of users or devices on the network.
- Sponsors can then create certain user accounts and/or register devices onto the network (within the limits of the policies which IT has defined for them). For example:
  - A receptionist is able to create temporary “guest” accounts for day visitors
  - An event coordinator is able to create up to 100 “guest” accounts for a conference
  - A finance manager is able to create temporary accounts specifically for auditors
  - A facilities manager is able to connect 50 new IP video cameras to the network
- Role-based network access for users and devices is dynamically provisioned
- Access rights for all users and devices added to the network by sponsors are determined based upon the policies that were pre-defined by IT