No Vacation Time for Celebrity Resorts

By Drew Robb

Visit Celebrity Resorts' website and you are treated to a slide show of people strolling along white sand beaches, playing golf, hiking in the Colorado Rockies and lounging in the sun by a pool.

But those images are strictly for the customers, not the IT security staff — just because they are in the resort business, it doesn't mean they can ever take a vacation.

“We operate a private network that runs from here to Hawaii with all our resorts' Internet services coming back through DS3 connections into Orlando,” said Scott Zane, senior director of Support Services at Orlando, Fla.-based Celebrity Resorts. “We are also running VoIP, so we can't afford to have anomalies on our network that would interfere with our QoS (quality of service).”

To keep it that way, he adopts a defense-in-depth strategy, using more layers to protect his network from attack than his customers use to guard against the cold when downhill skiing at Celebrity's Steamboat Springs resort.

Virus Roulette

Privately held, the company owns and manages more than a dozen time-share resorts stretching from Atlantic City to Honolulu, as well as engaging in condominium development, property management and financial services. Zane joined the firm about four years ago around the time the company acquired assets from a bankrupt competitor, tripling its number of resorts from three to nine and nearly quadrupling its staff.

He had been on top of security at his former employer and hadn't had a virus outbreak in three years. But his first and only outbreak occurred at Celebrity shortly after he arrived. So he made his first security change. Since the McAfee anti-virus (AV) license was expiring in about a month, he decided not to renew it.

He characterizes AV as a “roulette game” — it is a game of chance where anyone can get hit at any time. But since he had good success with Panda Software's BusinesSecure suite at his former company, he decided to go with that rather than McAfee.

The suite protects Microsoft Exchange servers, file servers and workstations from malware, as well as providing Web content filtering. Zane's first target was to set up content filtering on email, to prevent problems similar to the infection that had just hit the company.

Since the software has a lower resource consumption than other suites, he found he could run it on the primary domain controller (PDC) rather than a dedicated server.

“That is how minimal the resources are required to manage it,” he said. “BusinesSecure doesn't bog down the domain controller at all or interfere with DHCP, DNS and all the rest running on the PDC.”

Threat Vectors

Given the rising number of potential threat vectors, security suites are becoming a popular option for consumers as well as businesses.

“While point-products are still more usually deployed, the trend is towards enterprise suites,” said Natalie Lambert, analyst for Forrester Research. “Integrated suites are a much better approach as the various tools work closely together, threat prevention is more comprehensive and management is a lot easier. When three-year antivirus contracts come to an end, many companies will buy a suite instead.”

There is a certain logic to it, particularly for small and mid-sized businesses. Global enterprises have the resources to hire specialists to maintain a full array of point security products. But when a smaller crew needs to manage all IT functions, not just optimize the firewall settings, certain security functions need to be outsourced. Using a managed security provider is one option, but the more common approach is to let a software vendor choose your security software and settings. No, it is not the ideal approach, but neither is it ideal to leave it in the hands of already overloaded IT staff.

“I've never found that any one vendor has a panacea for security,” said Howard Backus, network administrator for Delta Dental Plan in Little Rock, AR.

Zane agrees.

“Our initial firewall is managed by Bell South, and we run a Cisco PIX firewall on top of that which is configured to block hacking, before it goes to a security appliance,” Zane said.

Why the added appliance? A few months ago, Zane noticed a huge spike in the amount of spam. He's not the only one who noticed. In mid-November, the European Union advised its member-states to boost their anti-spam capabilities, estimating that the worldwide cost of spam in 2005 was 39 billion Euros.

And that figure is far less than what it will be in 2006 as spam loads continue to skyrocket. Email service provider Postini, for example, reported recently the amount of spam it had detected nearly tripled between June and November of 2006.

“I was desperate about the amount of spam we were getting,” Zane said. “We had our Exchange server cranked down, were running a black-list and rDNS, and I was still getting thirty-to-forty pieces of spam per day.”

(rDNS (reverse domain name service) is an anti-spam method that involves verifying whether the IP address in an email matches the domain name. If they don't match, it is considered spam.)
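
The rDNS check described above can be sketched as follows. This is an added example, not part of the original article or any product it mentions; the function names and the sample DNS data are constructed for illustration. It goes one step beyond the description by also forward-confirming the reverse name before trusting it.

```python
import socket

def ptr_lookup(ip):
    """Reverse (PTR) lookup via the system resolver; returns hostnames or []."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def a_lookup(host):
    """Forward lookup; returns the IPv4 addresses of host or []."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def rdns_verdict(client_ip, claimed_domain, ptr=ptr_lookup, fwd=a_lookup):
    """Compare the connecting IP's reverse DNS with the domain the mail claims."""
    claimed = claimed_domain.lower().rstrip(".")
    names = [n.lower().rstrip(".") for n in ptr(client_ip)]
    if not names:
        return "no-ptr"
    # Forward-confirm: a PTR name counts only if it resolves back to the same
    # IP, because whoever controls the reverse zone can put any name in it.
    confirmed = [n for n in names if client_ip in fwd(n)]
    if not confirmed:
        return "unconfirmed"
    if any(n == claimed or n.endswith("." + claimed) for n in confirmed):
        return "match"
    return "mismatch"

# Constructed DNS data (documentation address ranges and example domains).
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.com"],
    "198.51.100.7": ["host7.dialup.example.net"],
    "203.0.113.5": ["mail.example.com"],  # PTR that does not forward-confirm
}
SAMPLE_A = {
    "mail.example.com": ["192.0.2.10"],
    "host7.dialup.example.net": ["198.51.100.7"],
}

def sample_verdict(ip, domain):
    """Run rdns_verdict against the constructed tables instead of live DNS."""
    return rdns_verdict(ip, domain,
                        ptr=lambda i: SAMPLE_PTR.get(i, []),
                        fwd=lambda h: SAMPLE_A.get(h, []))
```

A filter following the rule in the text would treat anything other than "match" as spam; in practice the "no-ptr" and "unconfirmed" cases are often scored rather than rejected outright, since legitimate senders sometimes have incomplete DNS.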

He spent time investigating different anti-spam solutions and opted for a security appliance as the best way to solve that problem and also augment his existing layers of security.

“The appliance took five minutes to configure, and now I get, at tops, maybe four to five pieces of spam a day; if I get any at all,” said Zane. “It has cut down our spam by 90 percent at least.”

Although his new box includes Internet content filtering, he doesn't subscribe to that service. Instead, he continues his multi-vendor approach: Panda’s GateDefender for spam and an iPrism appliance for content filtering made by St. Bernard Software Inc. of San Diego, CA.

“One thing I like about the iPrism is that it integrates with Active Directory so I can, for example, give the executive group unlimited Internet access,” he said. “GateDefender I have to give an IP address.”

He said the iPrism is far more costly, but it allowed him to recoup 60% of his bandwidth the day he blocked MySpace.

With the above actions, Zane has managed to keep his network virus-free and to minimize spam and bandwidth waste, but he still recognizes that he can't afford to relax.

“Will I someday have something that gets through, some strange variant that comes out?” Zane asked. “Yes, I might, but I have armed myself as well as I can.”