Most web application vendors offer a number of complementary security solutions that can be delivered as part of a larger solution. In the case of HK, for instance, they went with a combined Local Traffic Manager (to improve app delivery) and BIG-IP ASM solution.
For customers of Check Point, many want the ability to consolidate external web protection with internal controls to prevent abuses. AAA of New York has processes and procedures in place when employees need to bring information into the network.
“In the past, applications such as Dropbox were a concern as they enabled people to get around our processes and allowed them to send out or bring in documents and files which could compromise our security,” said Fred Komoroski, CIO, AAA New York.
Global investment bank Greenhill & Co. must comply with strict federal requirements for capturing the content of all interactions with customers. However, Greenhill was experiencing numerous issues with its incumbent firewall from Juniper Networks. In particular, monitoring and controlling webmail was problematic.
Webmail applications were easily evading detection by legacy “port-blocking” firewalls and other security infrastructure by tunneling over SSL. Greenhill needed a flexible solution that would deliver network visibility, even into activities tunneled over SSL, and then allow it to select which users to block, assign different blocking criteria for certain users, and set such policies based on an Active Directory (AD) group.
“We needed better visibility into our network in order to block access to certain applications – especially Gmail over HTTPS,” said John Shaffer, Greenhill’s Director of Global Systems and Technology. “We could see users were circumventing our blocking solution by switching to SSL encrypted versions of webmail applications.”
The situation raised concerns internally about the firm’s vulnerability to data leakage and its overall compliance stance.
Shaffer read about Palo Alto Network’s PA series firewalls in a trade publication and decided to test one out. The demonstration instantly unearthed users accessing Facebook, Gmail, RSS, Google Desktop, AOL Instant Messenger (AIM), Meebo, Skype and Yahoo! Mail.
“For the first time we could see exactly which users were accessing specific applications,” said Shaffer. One of the features that won over Greenhill’s IT team was Palo Alto’s ability to control application access on a per-user basis through integration with Active Directory.
Now that it has been deployed, the PA Series has helped Greenhill rein in webmail usage by blocking access to it unless a user has been added to the company’s Webmail Exception Users Group in Active Directory.