NETWORK SECURITY

From the February 2007 issue of Communications News

County stops spyware attacks

Gateway scanning solution is a new approach to scanning high-volume Web traffic.


Earbie Matheney, left, manager, network management, and Shannon Clyde, information security officer, were fighting a losing battle against spyware attacks.

A few years ago, the security and help desk teams of the Travis County (Texas) information and telecommunication systems (ITS) department began seeing a tremendous increase in spyware bogging down PCs, to the point where some employees could not work at all. They deployed a desktop product that had to be temporarily installed and run on each machine to clean up spyware, one computer at a time.

It was typical to see hundreds of infections on a single PC; one machine had more than 1,500 instances of scumware. Further exacerbating the problem, each instance would constantly call back to its “mothership,” consuming CPU, memory and I/O to the point of making the system unusable.

The ITS team realized it was fighting a reactive, losing battle. Information security officer Shannon Clyde then designed a layered strategy to eradicate existing spyware infections and block future ones: antispyware on the workstations, plus a gateway appliance that would stop malware at the network edge before it could reach a workstation. ITS then began looking for an efficient, easy-to-deploy, simple-to-manage, enterprise-class solution that would not burden the staff and that could provide a view into the health of the network and workstations.

“We chose a recognized leader in the antivirus market and an early entrant in the Web security gateway scanning marketplace,” says Clyde. “While other products in the solution suite worked great, we struggled for years to make the HTTP scanning feature work on the gateway scanning appliance. Despite repeated attempts by the vendor to fix the slowdowns and crashes that we were experiencing, they just could not identify the cause, let alone resolve the problem. After exhausting all of the vendor’s stated options, we knew it was time for a replacement.”

Travis County is one of the largest urban counties in Texas and home to the state’s capital, Austin. County officials provide a wide array of public services to citizens, including justice and public safety, health and human services, election management, parks, transportation, and tax assessment and collection. County officials also manage the millions of public records associated with the delivery of these services.

Numerous responsibilities
The ITS department provides county officials with a central source for meeting their information technology needs. ITS operates a shared data center facility supporting numerous technology products and services. ITS also manages the county’s telecommunications services and provides a reliable, robust and secure network infrastructure supporting voice, data, video and Internet applications. For ITS, keeping malware such as viruses, worms, Trojans and spyware from disrupting business and endangering public records or county information assets is key.

As a high-profile target, Travis County, like other public sector entities, must defend against sophisticated new threats, maintain the confidence of the tax-paying public and demonstrate compliance with the highest information assurance standards. The county must also maximize the effectiveness of tax dollars by employing security technologies that are both simple to manage and highly effective.

The county shares the Greater Austin Area Telecommunications Network (GAATN), a high-speed metro-area network, with other state and local governments. The county uses GAATN to interconnect its many service locations throughout the county and for its Internet on-ramp provided by the University of Texas. The county telecommunications infrastructure contains more than 250 LANs, 60 WANs and 4,000 IP devices, supporting roughly 4,000 employees, including remote and mobile workers, who use 3,500 workstations to conduct day-to-day business.

ITS turned to Government Technology Solutions (GTS), a reseller of information technology security solutions to government agencies, which introduced ITS to a real-time gateway scanning solution from CP Secure. CP Secure’s stream-based scanning technology is a new approach to scanning high-volume Web traffic for spyware and viruses. Stream-based scanning treats small, simple Internet streams as the basic unit of scanning and uses parallel processing to deliver high throughput, low latency and a large number of concurrent connections. The result is real-time scanning of Web traffic.
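The core idea behind scanning a stream rather than a fully buffered download is that each chunk is checked as it arrives and the connection is cut at the first hit, with only a short tail of the previous chunk retained so that a signature straddling two chunks is not missed. The following is an added illustration of that principle and is not CP Secure’s code or an account of how its engine works; the signature names and byte strings are constructed for the demo, and the naive comparison function shows the boundary pitfall a stream scanner has to avoid.

```python
"""Illustrative stream-based signature scanner (added example, not CP Secure's code).

Data is scanned as it flows through in chunks. A short carry-over buffer holds
the tail of the previous chunk so a signature that straddles two chunks is still
found, and the stream is blocked at the first hit instead of being buffered in
full before a verdict is reached.
"""
from typing import Dict, Iterable, Iterator, Optional

# Constructed toy signatures for the demo; real engines ship large, updated sets.
SIGNATURES: Dict[str, bytes] = {
    "demo-spyware-beacon": b"CALLHOME-MOTHERSHIP",
    "demo-dropper-marker": b"<!--DROPPER-STAGE2-->",
}


class StreamScanner:
    """Stateful scanner: call feed() on each chunk in order."""

    def __init__(self, signatures: Dict[str, bytes] = SIGNATURES) -> None:
        self.signatures = dict(signatures)
        # A match can hang over a chunk boundary by at most (longest signature - 1) bytes,
        # so that is all the state we need to keep between chunks.
        self.carry_len = max(len(s) for s in self.signatures.values()) - 1
        self.carry = b""
        self.bytes_seen = 0

    def feed(self, chunk: bytes) -> Optional[str]:
        """Scan one chunk; return the matching signature name, or None if clean so far."""
        self.bytes_seen += len(chunk)
        window = self.carry + chunk
        # A linear scan per signature keeps the demo readable; production engines use a
        # multi-pattern automaton (e.g. Aho-Corasick) so cost does not grow with set size.
        for name, sig in self.signatures.items():
            if sig in window:
                return name
        # Anything fully inside the carry was already checked, so no double detection.
        self.carry = window[-self.carry_len:] if self.carry_len else b""
        return None


def chunked(data: bytes, size: int) -> Iterator[bytes]:
    """Split a byte string into fixed-size chunks (stands in for packets/stream reads)."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def scan_stream(chunks: Iterable[bytes]) -> dict:
    """Stream-scan and stop at the first hit; bytes_scanned shows how early that was."""
    scanner = StreamScanner()
    for chunk in chunks:
        hit = scanner.feed(chunk)
        if hit is not None:
            return {"verdict": "blocked", "signature": hit, "bytes_scanned": scanner.bytes_seen}
    return {"verdict": "clean", "signature": None, "bytes_scanned": scanner.bytes_seen}


def scan_chunks_without_carry(chunks: Iterable[bytes]) -> dict:
    """The naive per-chunk scan a stream engine must avoid: it misses boundary-straddling matches."""
    seen = 0
    for chunk in chunks:
        seen += len(chunk)
        for name, sig in SIGNATURES.items():
            if sig in chunk:
                return {"verdict": "blocked", "signature": name, "bytes_scanned": seen}
    return {"verdict": "clean", "signature": None, "bytes_scanned": seen}


if __name__ == "__main__":
    # Constructed payload: the beacon string sits 50 bytes in, spanning several 7-byte chunks.
    payload = b"A" * 50 + SIGNATURES["demo-spyware-beacon"] + b"B" * 50
    print("with carry-over:   ", scan_stream(chunked(payload, 7)))
    print("without carry-over:", scan_chunks_without_carry(chunked(payload, 7)))
```

With 7-byte chunks the 19-byte beacon string never fits inside a single chunk, so the naive scan reports the whole 119-byte payload as clean, while the carry-over scanner blocks it after 70 bytes; the only per-connection state the scanner holds is the 20-byte carry, which is what keeps memory use flat across many simultaneous streams.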

ITS chose to deploy a CP Secure trial unit onto its network to test in parallel with the existing appliance so staff could be sure the results were reliable and accurate.

“Every time the original appliance slowed down or crashed, the CP Secure appliance kept chugging along,” reports Clyde. “It kept working, but eventually it did begin to slow down a bit. When we saw the performance slow down, we were concerned we were seeing a repeat of our earlier experience with the original appliance.”

Problem is solved
“The CP Secure team responded by remotely assessing the situation through its secure support tunnel and immediately identified a problem on our network. A couple of workstations were using up all of the connections to the Internet in what was basically a denial-of-service (DoS) attack against our Internet service. We were able to identify the offending workstations, stop the DoS attack and restore the gateway to full operation.”
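The diagnosis described above, a few workstations exhausting the gateway's connection pool, is something an operator can check for directly from the gateway's own connection log rather than waiting for the whole appliance to slow down. The following is an added example, not CP Secure's diagnostic or its log format: it replays open/close events from a constructed log, computes each source host's peak number of simultaneously open connections, and flags hosts whose peak exceeds a chosen share of the pool. The regex, the `pool_size` of 100 and the 25% threshold are assumptions to adapt to a real appliance's export.

```python
"""Find workstations monopolising a gateway's connection pool (added example).

Replays open/close events from a constructed connection log, computes the peak
number of simultaneously open connections per source host, and flags any host
whose peak exceeds a share of the gateway's pool. Generic illustration only,
not CP Secure's diagnostic or log format.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed log format for this example; adapt the regex to a real appliance's export.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) conn=(?P<cid>\d+) src=(?P<src>\d+\.\d+\.\d+\.\d+) "
    r"dst=(?P<dst>\S+) event=(?P<event>open|close)$"
)


def build_sample_log() -> List[str]:
    """Constructed sample: two healthy hosts, one runaway host that never closes,
    one leaky host that closes only a few, plus one garbage line from a log rotation."""
    lines: List[str] = []
    cid = 0

    def ev(ts: str, src: str, event: str, conn_id: int) -> str:
        return f"{ts} conn={conn_id} src={src} dst=203.0.113.10:80 event={event}"

    for src in ("10.10.1.10", "10.10.1.11"):          # healthy: open 3, close 3
        ids = []
        for _ in range(3):
            cid += 1
            ids.append(cid)
            lines.append(ev("09:00:01", src, "open", cid))
        for c in ids:
            lines.append(ev("09:00:02", src, "close", c))
    for _ in range(40):                                # runaway: 40 opens, no closes
        cid += 1
        lines.append(ev("09:00:03", "10.10.5.23", "open", cid))
    leaky_ids = []
    for _ in range(30):                                # leaky: 30 opens, 5 closes
        cid += 1
        leaky_ids.append(cid)
        lines.append(ev("09:00:04", "10.10.5.24", "open", cid))
    for c in leaky_ids[:5]:
        lines.append(ev("09:00:05", "10.10.5.24", "close", c))
    lines.append("--- log rotated, partial line ---")  # malformed on purpose
    return lines


def peak_concurrency(lines: Iterable[str]) -> Tuple[Dict[str, int], int]:
    """Return ({src: peak simultaneous open connections}, number of malformed lines)."""
    open_now: Dict[str, int] = defaultdict(int)
    peak: Dict[str, int] = defaultdict(int)
    owner: Dict[str, str] = {}          # conn id -> src, so a close is charged to the right host
    malformed = 0
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            malformed += 1
            continue
        cid, src, event = m["cid"], m["src"], m["event"]
        if event == "open":
            owner[cid] = src
            open_now[src] += 1
            peak[src] = max(peak[src], open_now[src])
        else:
            src = owner.pop(cid, src)  # tolerate a close whose open was not logged
            if open_now[src] > 0:
                open_now[src] -= 1
    return dict(peak), malformed


def find_connection_hogs(lines: Iterable[str], pool_size: int,
                         share_threshold: float = 0.25) -> List[Tuple[str, int, float]]:
    """Hosts whose peak concurrency is at least share_threshold of the pool, worst first."""
    peak, _ = peak_concurrency(lines)
    hogs = [(src, p, p / pool_size) for src, p in peak.items() if p / pool_size >= share_threshold]
    hogs.sort(key=lambda h: h[1], reverse=True)
    return hogs


if __name__ == "__main__":
    log = build_sample_log()
    for src, p, share in find_connection_hogs(log, pool_size=100):
        print(f"{src}: peak {p} open connections ({share:.0%} of pool)")
```

Peak concurrency, rather than total connections over the day, is the right measure here: a busy but well-behaved host opens and closes many connections without ever holding a large share of the pool, whereas a misbehaving one accumulates open connections and starves everyone else, which matches the symptom the quote describes.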

With the prior product, ITS had to engage professional services to handle the deployment because staff had no previous experience with the appliance and the configuration was highly complex. A professional services consultant spent multiple days trying to install two appliances for HTTP, FTP and POP3 scanning. After the consultant left, ITS learned the appliance had been installed incorrectly, with many features either misconfigured or left unconfigured. ITS staff struggled for months with the vendor’s support team to recover from the improper installation and were only able to make it right when the reseller and the vendor sent engineers onsite.

“The CP Secure appliance was extremely easy to deploy,” says Earbie Matheny, ITS network manager. “The step-by-step directions were easy to follow, and CP Secure’s support team walked us through the simple configuration options. The appliance was up and scanning in just 10 minutes.”

Even more important to Clyde and Matheny, Travis County’s primary defense against spyware expanded from a reactive, resource-intensive workstation-by-workstation approach to include a preventive gateway layer, allowing the county to conserve limited IT resources and focus on other issues.

For more information from CP Secure:
www.rsleads.com/702cn-250