Founded in Zurich, Switzerland in 1863, Swiss Reinsurance Company Ltd (Swiss Re) operates in more than 30 countries and provides its expertise and services to clients throughout the world. Swiss Re’s traditional reinsurance products and related services for property and casualty as well as for life and health business are complemented by insurance-based corporate finance solutions and supplementary services for comprehensive risk management. To operate effectively throughout the world, Swiss Re has established stringent corporate and employee requirements. Security, especially for its IT systems is one of the most important pieces of corporate strategy. A global corporation like Swiss Re relies on a properly functioning IT infrastructure.
The company’s assets in hardware, software and network infrastructure are under constant pressure from the all-encompassing threats of the Internet. Data stealing spyware and malware authors are becoming increasingly sophisticated, and hide malicious code deeply blended inside applications and contents of otherwise normal-looking websites. Therefore, a thorough and deep inspection of all HTTP, SMTP and FTP traffic for unwanted content and malicious “stowaways” is key for IT security. Fully aware of these priorities, Swiss Re decided to revisit its already strong security setup to protect and strengthen its central Internet gateway.
Too many false positives
In the past, Swiss Re has deployed several point products for virus protection and URL filtering. However, the previous solution didn’t offer the level of protection needed for today’s threats; moreover Swiss Re couldn’t accept the high number of misses and false positives the solution generated. The existing content security in place also took too much time to administer and maintain. When reviewing existing infrastructure, one of the key issues that emerged was the lack of adequate reporting functionality across all of these point products. There was no central interface for reporting and monitoring functions that logically belonged together. Instead, this functionality was dispersed across individual point products. “Our existing solutions didn’t allow fine-grained filtering rules: either they blocked too much or not enough,” says Christian Bai, Senior IT Infrastructure Architect with Swiss Re. “Policy exceptions just couldn’t be defined as tightly as desired.” In addition, Swiss Re was growing and rapidly adding new users. The old security platform could no longer meet the company’s needs.
High expectations for its content security solution
Swiss Re had developed a list of requirements that its new solution had to meet. Special focus was put on the ability to check SSL encrypted Web traffic, as this was a key requirement for a future-proof investment. “Without a solution to read and check the HTTPS protocol for malware we would be leaving our gates wide open for hackers,” says Bai.
The company’s second key requirement was the ability to deploy multiple anti-virus engines simultaneously. “We have a far better chance of receiving new signature updates and being protected against new vulnerabilities and emerging malware by following a multi-level vendor strategy,” explains Bai. ”Of course, every anti-virus vendor wants to be the first detecting new vulnerabilities. But in reality, multiple vendor diversification is the best method for keeping reaction times to a minimum.”
Ultimately, the new Web security solution needed to cut down on operating expenses. For administration purposes it was important to have central management in a Web GUI, so configuration of Web traffic was clear and easy to accomplish. Because Swiss Re wanted an enterprise-ready solution, delegated administration capabilities were also required. System engineers from the IT department needed a different level of administration capabilities than the typical help-desk manager.
The McAfee Web Gateway device offers the highest level of flexibility because of its ability to define very granular rule sets and enforce them.Christian Bai
Senior IT Infrastructure Architect, Swiss Reinsurance Company Ltd
Why choose Web Gateway
After extensive evaluation of different solutions, Swiss Re selected McAfee Web Gateway (Webwasher) from McAfee’s Network Security Business Unit (formerly Secure Computing). “The McAfee Web Gateway technology and appliance met our requirements best,” explains Bai. “The Web Gateway appliance offers the highest level of flexibility because of its ability to define very granular rule sets and enforce them.”
Moreover, the use of multiple anti-virus and anti-malware engines checking all traffic in a row provides added protection. “We were also convinced by the utterly intuitive user interface,” explains Bai. Swiss Re’s technical staff really liked the SSL scanning capabilities. “McAfee and its Web Gateway technologies are pioneers in this area, fully integrating SSL scanning in one neat package,” continues Bai. “The Web Gateway SSL-Scanner solution is far easier to manage than other products in this area, especially when handling certificates.”
Swiss Re also purchased the URL Filter solution to ban questionable Web content of extreme or inappropriate nature. Swiss Re also blocks the usage of unwanted file types like ActiveX, Java Applets, File-Sharing or Instant Messaging.
Swiss Re has deployed Web Gateway across all regions providing traffic inspection for their 10,000 employees. The product configuration is broken down as follows: Americas—four Web Gateway 5500 appliances; Europe—four Web Gateway 5500 appliances and one Web Gateway 550E (serves as off-loaded master); and Asia— two Web Gateway 1000 appliances. They also supplemented this configuration with four Web Gateway 550E appliances serving as scanners for guests accessing the wireless LAN; two Web Gateway 1000 appliances for the integration environment; and two Web Gateway virtual appliances serving as the test environment for McAfee Web Gateway Version 7.
“For financial services companies like Swiss Re, security of IT systems is significantly more important than for other industrial enterprises”, explains Roland Bonadurer, McAfee’s Corporate Account Manager. “All business processes are mapped in their IT setup. If hardware or software fails, business comes to a dead halt. This explains the increasing willingness of insurances, banks and other financial institutions to protect their systems at the highest standards.”
The project was managed by and locally deployed at the customer site by the Swiss security integrator InfoTrust AG. “Because of our close cooperation with InfoTrust, we were able to quickly and successfully finalize our negotiations with Swiss Re,” comments Bonadurer. “One of McAfee’s Sales Engineers helped with the setup of the test environment in Zurich and thereby provided a good amount of knowledge transfer. So far, Swiss Re has not needed dedicated training sessions.”
“The implementation was completely unnoticed by our users,” concludes Bai. “In my opinion, that’s the best we could’ve achieved. Ever since the deployment, our McAfee Web Gateway appliances run smoothly and fulfill all our expectations.”