Changing Compliance Mandates Drive an Urgent Need for Inline Security Solutions

Take a minute to see how one premier financial institution used better visibility to meet the Payment Card Industry Data Security Standard (PCI DSS) — avoiding fines up to $10,000 per day.


This case study, Changing Compliance Mandates Drive an Urgent Need for Inline Security Solutions, demonstrates how end-to-end control of the company’s data sources helped harden data security and meet compliance requirements, and how you can too.

As a bonus, you will also gain insight into how to achieve flexibility and scalability in your network moving forward.

This particular institution, a leading payment processing technology and solutions company in Europe, provides businesses with credit card and online payment processing. After audits found limited visibility into their network, the firm faced fines of USD 10,000 per day until Payment Card Industry Data Security Standard (PCI DSS) compliance was established. Working with Ixia technology, the firm was able to gain better visibility and simplify network monitoring with a traffic classification process for better load balancing and data filtering. Read this case study to see how the customer implemented an inline Security Fabric, which saved them $3 million on inline firewall and IPS deployments.

Company: Large European payment services financial institution

Key Issues:

  • Impending fines for lack of PCI DSS compliance
  • Inline security deployments were extremely complex

Solutions:

  • 2 x Ixia Inline Network Packet Brokers
  • 16 x Ixia iBypass Inline Copper Bypass Switches
  • 22 x Ixia iBypass Inline Fiber Bypass Switches

Results:

  • Saved $3M on purchase of new firewall and IPS appliances
  • Delivered a 10x ROI vs. initial deployment plans
  • Security tools are now connected in an HA configuration
  • Freed up budget for additional security tool investments

Inline security fabric saved $3 million for inline firewall and IPS deployment

Financial institutions worldwide are revamping their data centers to comply with fast-changing industry regulations. This particular institution, a leading payment processing technology and solutions company in Europe, provides businesses with card and online payments and processing. Their network carries over 30 million transactions per day. After audits found limited visibility into their network, the firm faced fines of USD 10,000 per day until Payment Card Industry Data Security Standard (PCI DSS) compliance was established.

Complying with rigorous PCI DSS regulations

The company urgently needed to demonstrate PCI DSS compliance, which requires firms to build and maintain a secure network, and specifically to install and maintain a firewall to protect cardholder data. To satisfy this requirement, the company selected Cisco firewalls and Sourcefire intrusion prevention systems (IPS) to improve its inline security. They also needed to restrict internal access to cardholder data.

The company approached Ixia to help deploy its new security appliances in a high availability configuration to eliminate the risk of downtime.

To meet this requirement, Ixia provided its inline Security Fabric™, allowing the company to install their new firewall and IPS devices in a highly scalable, high availability configuration. The solution also allowed them to restrict physical access to cardholder data through detailed role-based access controls, packet stripping, and data masking.

Scalable firewall and IPS deployments

The company initially looked to connect their new security appliances directly inline in their networks. But this model created a complex, difficult-to-scale security infrastructure. Ixia proposed deploying the more flexible Ixia Security Fabric, built around Ixia network packet brokers (NPB). This approach allowed the company to easily aggregate its inline traffic to make optimal use of its firewall and IPS inspection capacity. Consolidating the firewall and IPS appliances generates economies of scale, making the most efficient use of security tool capacity possible. There was now no need to deploy a 10Gbps firewall on every 10Gbps network link, many of which might only have 2-3Gbps of traffic.

The NPB aggregated all inline traffic from multiple inline bypass switches and load-balanced it across the consolidated firewall and IPS units. This solution ultimately saved the company approximately $3 million from a small $290,000 investment in Ixia equipment. This amounts to a full 10X return on investment (ROI).

These savings allowed the company to eventually add BlueCoat SSL Decrypt and FireEye security appliances to fortify its security posture even further. And with the Ixia Security Fabric, these new security tools were deployed with little to no downtime.

High availability firewall and IPS deployments

The security team was particularly enthusiastic about the resiliency of Ixia’s inline Security Fabric, and the easy-to-use interface of its NPBs. Having end-to-end control of all their data sources from one central location minimized the need to involve network personnel in gaining access to network traffic for inspection, monitoring, and troubleshooting.

The original proposed inline deployment model also introduced multiple new points of failure in each network link, which concerned the networking team due to the increased risk of tool failures causing network downtime. Instead, redundant Ixia iBypass switches and NPBs were deployed to monitor all security tools using high-speed heartbeat packets and configured to route traffic around any device in the event of a failure condition. The resilient Security Fabric eliminated network downtime due to inline security tool failures, tool performance and congestion issues, and tool maintenance and configuration activity.

Future dividends

As financial data centers worldwide are overhauled and upgraded, IT teams are seizing the opportunity to implement new or enhanced security defenses that demand more robust deployment architectures. Ixia’s powerful, inline Security Fabric combines bypass switches and NPBs to provide a single-source, end-to-end security solution ideal for complying with the demands of PCI DSS.

The remarkably cost-efficient Ixia Security Fabric helps companies harden their security architectures with the flexibility and scalability to meet future needs.

Source: Ixia

Published by Thomas Apel, a dynamic and self-motivated information technology architect, with a thorough knowledge of all facets pertaining to system and network infrastructure design, implementation and administration. I enjoy the technical writing process, answering readers' comments included.