4-page Case Study - Posted 2/26/2008
Healthcare IT Alliance Immunizes Networks Against Rogue Access
The South West Alliance of Rural Health (SWARH) is a joint venture of public health agencies in South-Western Victoria, Australia. It provides a region-wide IP network that carries voice, video, and data services. Its clients use a diverse range of hardware governed by SWARH ICT standards, although SWARH has no direct ability to enforce those standards. SWARH was concerned that if an unauthorized person plugged a computer into a network port at any of its 147 sites, they might gain unfettered access. However, installing secure switches at client sites would have been prohibitively expensive. Instead, in February 2008 SWARH began implementing the Network Access Protection feature of Microsoft® Windows Server® 2008. SWARH gained the ability to enforce computer health policies and protect its network from malware. It could also identify every computer logging on at client sites and prevent unauthorized access.
Situation
The South West Alliance of Rural Health (SWARH) provides network services to health and other government organizations in regional Victoria, Australia. Created as a joint venture in late 1997, SWARH delivers voice, video, and data over an IP network to all the major hospitals west of Melbourne to the South Australian border, an area of 60,000 square kilometers.
“Before SWARH was formed, all public hospitals had their own independent network services,” says Garry Druitt, Chief Information Officer of SWARH. “SWARH aggregated their information and communication technology needs. Regional standardization means we have developed significant economies of scale and our members can cut costs.”
SWARH recently expanded its services to government clients outside the health sector. Currently, the organization has 57 clients at 147 sites.
Despite the success of its network services business model, SWARH was concerned about network security.
Many of SWARH’s sites contained remote access facilities such as wireless networks for consultants, who used their own laptops and frequently moved between sites. These provided potential weak spots where rogue individuals could gain illicit access.
More generally, SWARH had no direct mechanism for site-based audit and policy enforcement, instead relying on client ICT administrators at those sites. As SWARH took on network services for more clients, its network was increasingly exposed to connections from non-compliant workstations, and with them to virus infection.
“If computers do not have the correct level of security, we are vulnerable to an inadvertent malware breakout as well as targeted break-ins,” says Druitt. “Recently, we’ve had some costly experiences with viruses.”
“Our core problem was we didn’t know if unauthorized users were accessing the network and we had no way of checking the health of their machines.”
Solution
SWARH considered a hardware solution, replacing its switches with ones that could enforce access control at the port, but it was not at the right point in its network refresh lifecycle to upgrade a switching infrastructure of more than 1000 devices.
“We talked to Microsoft, who told us about the Network Access Protection feature built into Windows Server 2008 and how it might work for us,” says Druitt.
In early 2008, SWARH asked Microsoft Gold Certified Partner Dimension Data to advise on the technical requirements of upgrading to Windows Server 2008. Microsoft’s Rapid Deployment Program for Windows Server 2008 provided the opportunity for SWARH to test how effective Network Access Protection would be.
“Currently, when the user connects to the network, the workstation gets an IP address from the DHCP server,” says David Hanrahan, General Manager, Microsoft Solutions Infrastructure, Dimension Data. “With Windows Server 2008, the DHCP server will only provide an unrestricted IP address to a workstation which meets the baseline requirements such as recent Microsoft updates, antivirus signatures, and spyware protection.
“If Network Access Protection doesn’t recognize the machine or finds it does not meet the baseline health policy, it will be put onto a separate remediation network which has limited access,” explains Hanrahan. “This gives the user the option to fix the problems, comply with policy, and then gain access to the network.”
Because SWARH was unsure how well maintained its clients’ computers were, it chose a carefully staggered implementation. After an initial deployment in a lab environment, SWARH trialed Network Access Protection on a subnet at a hospital client site, which contained numerous access points including internet kiosks and a community center.
SWARH initially ran Network Access Protection in monitoring mode, giving it a first glimpse of the computers logging onto its network. Based on this experience, it introduced a baseline health standard and a remediation network that allowed users with substandard computers to update their machines.
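The DHCP enforcement flow Hanrahan describes, and the monitoring-then-enforce rollout SWARH chose, can be modelled in a few dozen lines. The Python below is an added illustration for this page, not SWARH's configuration or Microsoft's Network Access Protection code. The health checks, the 7-day and 14-day thresholds, the 192.0.2.0/24 addresses, the remediation hosts and the two sample clients are all assumptions chosen to show the mechanism; in a real deployment the client's Statement of Health comes from the Windows Security Health Agent and the policy is defined in Network Policy Server.

```python
"""Model of NAP-style DHCP enforcement with a staged rollout.

Added illustration only: not SWARH's deployment or Microsoft's NAP code.
Checks, thresholds, addresses, remediation hosts and sample clients are
assumptions chosen to show the mechanism.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    """Rollout stages in the order the case study describes them."""
    REPORTING = "reporting"  # monitoring mode: log results, grant full access
    DEFERRED = "deferred"    # warn non-compliant users, still grant full access
    ENFORCE = "enforce"      # non-compliant clients receive a restricted lease


@dataclass
class StatementOfHealth:
    """What a client reports about itself when it asks for a lease."""
    host: str
    firewall_on: bool
    antivirus_on: bool
    av_signature_date: date
    antispyware_on: bool
    auto_update_on: bool
    last_update_check: date


@dataclass
class HealthPolicy:
    """Baseline every client must meet (assumed thresholds)."""
    max_signature_age_days: int = 7
    max_update_check_age_days: int = 14


@dataclass
class Lease:
    address: str
    netmask: str
    gateway: Optional[str]
    static_routes: List[str]  # classless static routes (DHCP option 121)
    restricted: bool
    failures: List[str]


def evaluate(soh: StatementOfHealth, policy: HealthPolicy, today: date) -> List[str]:
    """Compare one Statement of Health against the policy; empty means compliant."""
    failures = []
    if not soh.firewall_on:
        failures.append("firewall disabled")
    if not soh.antivirus_on:
        failures.append("antivirus disabled")
    elif today - soh.av_signature_date > timedelta(days=policy.max_signature_age_days):
        failures.append("antivirus signatures out of date")
    if not soh.antispyware_on:
        failures.append("antispyware disabled")
    if not soh.auto_update_on:
        failures.append("automatic updates disabled")
    elif today - soh.last_update_check > timedelta(days=policy.max_update_check_age_days):
        failures.append("no recent update check")
    return failures


def assign_lease(soh: StatementOfHealth, policy: HealthPolicy, mode: Mode,
                 today: date, address: str, remediation_servers: List[str]) -> Lease:
    """Decide what the DHCP server hands out for this request.

    A restricted lease is an ordinary address with a host-only mask
    (255.255.255.255) and no default gateway, plus static routes to the
    remediation servers only, so the client can fetch updates and nothing else.
    """
    failures = evaluate(soh, policy, today)
    if failures and mode is Mode.ENFORCE:
        routes = [f"{server}/32" for server in remediation_servers]
        return Lease(address, "255.255.255.255", None, routes, True, failures)
    # Reporting and deferred modes record the failures but grant full access.
    return Lease(address, "255.255.255.0", "192.0.2.1", [], False, failures)


def staged_rollout_demo() -> dict:
    """Run two constructed clients through all three rollout stages."""
    today = date(2008, 2, 26)  # assumed evaluation date
    policy = HealthPolicy()
    remediation = ["192.0.2.10", "192.0.2.11"]  # assumed update and AV servers
    healthy = StatementOfHealth("ward-pc-01", True, True, today - timedelta(days=1),
                                True, True, today - timedelta(days=2))
    stale = StatementOfHealth("consultant-laptop", False, True, today - timedelta(days=30),
                              True, False, today - timedelta(days=60))
    results = {}
    for mode in Mode:
        for n, soh in enumerate((healthy, stale)):
            lease = assign_lease(soh, policy, mode, today, f"192.0.2.{100 + n}", remediation)
            results[(mode.value, soh.host)] = lease
    return results


if __name__ == "__main__":
    for (mode, host), lease in staged_rollout_demo().items():
        state = "RESTRICTED" if lease.restricted else "full access"
        print(f"{mode:9} {host:18} {state:12} {', '.join(lease.failures) or 'compliant'}")
```

Running the module prints one line per client and stage: the stale laptop is logged with three failures in reporting and deferred mode but still gets a routable lease, and only in enforce mode does it receive the host-only mask with routes to the remediation servers alone. One caveat a practitioner should keep in mind: DHCP enforcement only applies to machines that ask for a lease, so a client configured with a static address never goes through this check, which is why the case study treats switch-level enforcement as the later step.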
Starting in February 2008, SWARH rolled out Windows Server 2008 and Network Access Protection across its client sites.
“We will gradually implement and enforce the health policies to make sure our remediation networks and IT administrators are not swamped,” says Druitt.
Benefits
By implementing the Network Access Protection feature of Windows Server 2008, SWARH gained the ability to prevent infected or risky machines from logging onto its network. It can monitor and identify all machines accessing its network at each site.
Cost-effective access control
The Network Access Protection feature of Windows Server 2008 will improve security and give much more granular control over who accesses resources, at far lower cost than the alternatives SWARH considered.
“Instead of having one big network which can be accessed at any point, we will eventually have a network where access is heavily compartmentalized,” says Druitt. “The security edges we set up around each client mean we can control access on a client-by-client basis.
“We knew we had to do something, but we were not in a position to upgrade our network infrastructure. Windows Server 2008 will be around 80 percent as effective as upgrading all the switches, but is well within current budgeted costs.”
Reduced administrative burden
Network Access Protection provides automatic, policy-based protection that does not place onerous demands on IT administrators.
“Previous solutions required IT administrators to customize, manage, and monitor the system, which was an additional task SWARH’s technology staff did not need,” says Hanrahan. “Network Access Protection does everything automatically based on policies.
“Users receive automatic notification that they are being connected to a restricted network, and get instructions on how to fix the problem. This can be a link to download antivirus signatures or the option to automatically enable Windows features such as Windows Firewall or Windows Updates.”
“We have over 100 client sites, and this shifts the burden of health screening from administrators and onto the users,” explains Druitt. “We couldn’t absorb the labor costs of screening all network users – our helpdesk would be overwhelmed. With Windows Server 2008, we don’t have to.”
Maintaining high security standards
SWARH will be able to maintain and enforce security standards across all computers connected to its network.
“We will be able to set a standard level of software updates, virus protection, and spyware prevention,” says Druitt. “For example, if a user has been away and their computer is not up to scratch, they will have to download the latest updates before connecting.”
“Microsoft worked with all the leading security software providers to build Network Access Protection, so it integrates really well with whatever systems SWARH and its clients have in place,” adds Hanrahan.
Wireless security the next step
Once fixed network access is secured, SWARH will be able to extend Network Access Protection to roaming users. Windows Server 2008 can be configured to require additional authentication of users connecting over the wireless network.
“This reduces the potential for hackers to gain access by impersonating legitimate users,” says Hanrahan. “Network Access Protection can maintain consistent standards across all machines that access the SWARH network, even privately owned computers.”
As part of the organization’s scheduled network hardware refresh cycle, SWARH will eventually enforce Network Access Protection at the switch level for both wired and wireless networks.
“We can offer our clients the ability to enhance data protection on their networks by refusing network access to high-risk workstations. That is fundamental to the integrity and growth of our business,” concludes Druitt.
Windows Server 2008
Windows Server 2008, with built-in Web and virtualization technologies, enables you to increase the reliability and flexibility of your server infrastructure. New virtualization tools, Web resources, and security enhancements help you save time, reduce costs, and provide a platform for a dynamic and optimized datacenter. Powerful new tools like IIS 7.0, Server Manager, and Windows® PowerShell give you more control over your servers and streamline Web, configuration, and management tasks. Advanced security and reliability enhancements like Network Access Protection and the Read-Only Domain Controller option for Active Directory Domain Services harden the operating system and help protect your server environment, so you have a solid foundation on which to build your business.
For more information, go to:
www.microsoft.com/windowsserver2008
For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to: www.microsoft.com
For more information about Dimension Data products and services, call (+61) 3 9626 0770 or visit the Web site at: www.dimensiondata.com/au
For more information about South West Alliance of Rural Health products and services, call (+61) 3 5564 4000 or visit the Web site at: www.swarh.com.au