Introduction of network security mechanisms in a LAN

Krka is Slovenia’s largest pharmaceutical company, a manufacturer of medicines, cosmetics and veterinary products. The Krka group employs over 8,500 people, 4,400 of whom are situated in Slovenia. The company created over €1 billion in income in 2010, making it one of the world’s leading manufacturers of generic pharmaceuticals. Krka is building its success through strengthening business connections and partnerships in development, supply and marketing. Work processes at Krka depend heavily on network infrastructure. That’s why the company needed a reliable, efficient and secure environment.

The basic network configuration was no longer compliant with the highest security standards. Increased mobility of users and use of laptops easily created many unwanted traffic flows. Such flows represented a possible security risk and reduced network speeds, negatively influencing company operations. To reduce the influence of users on the network and decrease unwanted traffic, Krka introduced multiple layers of security mechanisms at the edge of the network.

"By introducing a fully customized solution, we were able to improve network overview significantly. We achieved better utilization of services on both the server and client sides."

Samo Somrak, Deputy Head of the Information Infrastructure and Telecommunications Service, Krka

Integrated security solution

In addition to introducing superior security standards, Krka expected the solution to upgrade network functionality while maintaining the existing network structure. Development and implementation of the solution were a combined effort by Krka and NIL professionals.

NIL carried out the following tasks in accordance with Krka’s expectations:

The solution is based on multiple layers of access controls that ensure the compliance of devices with internal Krka policies. It enables gradual introduction of new security solutions that are linked to network equipment or upgraded through working devices.

Introduction of security mechanisms in three phases

Prior to implementation, all solutions and upgrades were tested by simulating real-life scenarios and possible issues. After successful testing, the configuration was transferred from the test environment to the production network.

All procedures were carried out on existing network and server equipment, which dramatically accelerated finding and implementing an appropriate solution while keeping implementation costs at an acceptable level.

Krka case study 2010

In phase 1, access was denied to devices that could abuse standard communications channels. Potential intruders were prevented from hindering the network, gathering data or influencing work processes in any way.

In phase 2, the security controls were moved closer to clients. Users and workstations can access network resources on the basis of authentication. Authenticated corporate clients can access local company networks, and guests have access to very limited network resources. Identification was enabled for user devices (e.g., printers) that are part of the working processes and have access to very limited internal resources.

In phase 3, engineers implemented the last layer of security controls, requiring workstations to conform to company security policies and enabling access to network resources only after compliance verification. Devices that fail to conform to security standards are denied network access, but granted access to suitable security updates.

The final security configuration was completely adapted to fit the existing network infrastructure at Krka. The upgrade was performed with no additional investment in hardware or software. The solution provided the next step in creating a highly reliable and predictable network platform underlying Krka’s critical business processes. 

Business benefits

  • Unified solution for 4,400 employees in Slovenia
  • No additional investment in hardware or software
  • Three layers of security
  • Reduced unknown and unwanted network traffic

Solution characteristics

  • Prevented abuse of client network addresses
  • Eliminated misuse of network services
  • Controlled network system for all clients
  • Upgraded functionality and maintained organization of existing network
  • Sustained functionality of all applications
  • Provided access to upgrades and settings, enforcing compliance with security standards
  • Regulated access for guest users