Wilmington Savings Fund Society, a Delaware bank, was looking to protect its desktops and servers from intrusions that could affect bank business adversely, and decided that layering gateway protection with desktop and server security platforms could help it reach its goals.
A combination of gateway appliances with desktop and server software protects the network and individual machines, and contributes to meeting the regulations imposed on banks, says Robert Eastwood, the bank's vice president and director of operational risk.
The bank network has more than 600 users spread over 36 sites, which are connected via a full-mesh MPLS network with bandwidth ranging upward from T-1.
To defend the network, Wilmington Savings relies on endpoint protection from Cisco's CSA agent and Trend Micro's antivirus software; and adds perimeter protection from gateway firewall, intrusion-prevention-system (IPS) and VPN software on Cisco ASA appliances. It also uses Proofpoint e-mail protection that looks for viruses, spam and sensitive content, Eastwood says. The CSA agent can block bank data from being transferred to thumb drives and other devices that could be used to carry sensitive data outside the network. Blocking data transfers helps meet the regulations under which the bank operates.
Proofpoint can block data from leaving via e-mail by linking nearby key phrases. For example, if an e-mail included the phrase "account number" and a string of numbers in account format was nearby, the e-mail could be blocked, encrypted or held until a compliance office had the chance to check it out, Eastwood says.
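The proximity rule described above can be sketched as follows. This is an added example, not Proofpoint's implementation or anything from the bank: the key phrases, the "account format" (10 to 12 digits, optionally grouped by spaces or hyphens), the 40-character window and the sample messages are all assumptions constructed for illustration.

```python
import re

# Assumed key phrases and account format (constructed, not from the article).
KEY_PHRASES = ("account number", "acct no", "account #")
# 10-12 digits, optionally grouped by single spaces or hyphens, and not
# embedded in a longer digit run (so a 16-digit card number does not match).
ACCOUNT_RE = re.compile(r"(?<!\d)(?<!\d[ -])\d(?:[ -]?\d){9,11}(?![ -]?\d)")
WINDOW = 40  # assumed maximum number of characters between phrase and number

def find_hits(body, window=WINDOW):
    """Return (phrase, number) pairs where an account-like number is near a key phrase."""
    numbers = [(m.start(), m.end(), m.group()) for m in ACCOUNT_RE.finditer(body)]
    hits = []
    for phrase in KEY_PHRASES:
        for pm in re.finditer(re.escape(phrase), body, re.IGNORECASE):
            for n_start, n_end, digits in numbers:
                # Distance between the two spans, whichever comes first.
                gap = max(n_start - pm.end(), pm.start() - n_end, 0)
                if gap <= window:
                    hits.append((phrase, digits))
    return hits

def disposition(body):
    """Policy action: hold the message for compliance review, or deliver it."""
    return "hold" if find_hits(body) else "deliver"

# Constructed sample messages.
SAMPLE_NEAR = "Hi, the customer's account number is 4417-220931-07, please update."
SAMPLE_NO_PHRASE = "Invoice ref 4417-220931-07 attached."
SAMPLE_FAR = ("Reminder: never e-mail an account number. Separately, the help-desk "
              "ticket for the branch printer outage is 4417-220931-07.")

if __name__ == "__main__":
    for msg in (SAMPLE_NEAR, SAMPLE_NO_PHRASE, SAMPLE_FAR):
        print(disposition(msg), "<-", msg)
```

A number with no key phrase, or a phrase with the number far away in the message, is delivered; only the combination inside the window is held, which is what keeps the false-positive rate of such a rule manageable.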
The bank uses 802.1X authentication via its Cisco switches to make sure only authorized machines can gain access. "We don't permit connecting non-bank assets to the network," Eastwood says. "So for example, if a vendor comes in, they cannot connect to our network. The machine is not recognized, not granted access, thus preventing a virus or some other malware from venturing into the network," he says.
The bank does not use network-access control, but is considering NAC as a way to reduce the risk of infection further. NAC would link machine authentication with user authentication, and would test devices for compliance with security policies before granting access.
Comments (1)
Great article
By robboyd on December 9, 2008, 4:41 pm
I always wonder how this company info gets fed but I enjoy the CSA coverage nonetheless. I believe CSA is a VERY underappreciated technology. New releases have...