Three Pillars of Bank Network Security
By Kevin Hamel, Vice President, Security Officer
The Internet is an increasingly dangerous place, particularly as network attacks have evolved from a hacker's hobby to a sophisticated and lucrative business. This article discusses three "pillars" of network security and describes how to combine them into a multi-tiered security infrastructure.
Firewalls
Firewalls use simple rules to selectively block network and Internet traffic. For example, if FTP sites are off limits to your institution, your firewall can be configured to block access to the FTP port. You might also block your employees from visiting Hotmail by blocking traffic to www.hotmail.com.
Firewalls can also be configured to block everything except specified traffic. For example, you can restrict employee access to ordinary web sites by blocking traffic in your firewall to all but ports 80 and 443, the ports most websites use. You can even block all websites except your own!

Unfortunately, Internet attackers can easily circumvent firewall blocking techniques. FTP servers can listen on a different port, and websites can act as gateways (proxies) to blocked sites without your firewall knowing. Is there a way to verify that your restrictions are actually being enforced? Yes, and it is called Intrusion Detection.
Intrusion Detection
The second pillar of network security is the Intrusion Detection System (IDS). These systems look for intrusions in progress, such as "accessing a forbidden website" or "Trojan horse attempting to control a workstation." The IDS records each dangerous pattern and alerts network security personnel.
This approach is highly effective in discovering illicit traffic. However, an IDS must be carefully configured to send alerts only on dangerous traffic. A mistuned IDS often sends alerts on perfectly normal traffic, and may miss dangerous packets because it isn't looking for them.
Also, the IDS is unable to stop troublesome network traffic. Someone must review the attack information and attempt to block it. This can take time, and sometimes cannot be completed before the network sustains lasting damage. This limitation has led to the third security device — Intrusion Prevention.
Intrusion Prevention
Intrusion Prevention Systems (IPS) combine the firewall and IDS technologies. An IPS watches network traffic like an IDS and decides whether to pass any given traffic like a firewall.
The IPS assesses traffic patterns to evaluate the type of network access and to determine whether it should be permitted. While an IDS can only note an ongoing attack and pass the alert to an analyst, the IPS will stop the attack by blocking traffic between the attacker and its victim.
Careful configuration is very important for the IPS. A misconfigured IDS will only send harmless alerts, which can be ignored; but a misconfigured IPS will deny legitimate traffic, giving network staff and employees huge headaches when they become victims of mistaken digital identity. However, when properly tuned, an IPS is an incomparable defense against network-based attacks.
A Bank’s Network Defense Strategy
Could your bank forgo firewall and IDS devices in favor of an IPS? Possibly. But COCC finds that well-defended banks typically install all three pillars of security when they construct their network defenses.
We recommend that traffic arriving at the bank's network first pass through an IPS that watches for abnormal service requests and automatically denies anything resembling an Internet-based attack. Your bank can work with its IPS vendor to minimize disruptions of legitimate network traffic.
Once past the IPS, your Internet traffic encounters the firewall. We set these devices to deny nearly all incoming traffic except for replies to outgoing requests and a limited selection of services such as website traffic and incoming email.
Finally, from within the bank's network, we recommend a large network of IDS sensors to monitor the network for anomalous traffic. This final line of defense alerts bank staff to unusual traffic patterns, and staff then determine whether further action is needed.
Together, this three-level security system has proven highly effective in protecting banks from network-based threats.
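The following is an added illustration, not code from the article or from COCC: a small model of the three pillars run over constructed traffic records. It shows the firewall policy described above (deny inbound except replies and a few services), why a port-based rule alone misses an FTP server on a non-standard port, how an IDS that inspects content catches it but only alerts, and how an IPS acts on the same verdict. The Flow fields, ports and sample payloads are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    direction: str      # "in" (from the Internet) or "out" (from the bank)
    dst_port: int
    established: bool   # True if this is a reply to a request the bank sent
    payload: str        # first bytes of application data, as text

# Firewall pillar: default deny inbound, permit replies to outgoing requests
# and a few services (web traffic and incoming mail, as in the bank policy).
ALLOWED_INBOUND_PORTS = {80, 443, 25}

def firewall_permits(flow: Flow) -> bool:
    if flow.direction == "out":
        return flow.dst_port != 21      # outbound rule: block the FTP port (assumed policy)
    return flow.established or flow.dst_port in ALLOWED_INBOUND_PORTS

# IDS pillar: looks at the content of the traffic, not just the port. An FTP
# server greets clients with a "220" reply, so matching on that catches FTP on
# any port. The IDS only reports; it never changes the firewall's verdict.
def ids_alerts(flow: Flow) -> list:
    alerts = []
    if flow.payload.startswith("220") and "FTP" in flow.payload.upper():
        alerts.append("ftp-service-on-port-%d" % flow.dst_port)
    return alerts

# IPS pillar: the same inspection as the IDS, but the result is enforced.
def ips_permits(flow: Flow) -> bool:
    return firewall_permits(flow) and not ids_alerts(flow)

def evaluate(flows):
    """Run each flow through the pillars; returns (firewall, ids, ips) per flow."""
    return [(firewall_permits(f), ids_alerts(f), ips_permits(f)) for f in flows]

# Constructed sample traffic: an outbound FTP login on the standard port, the
# greeting from an FTP server hidden on port 8021 (a reply to an outbound
# request, so the firewall lets it through), and a normal HTTPS reply.
SAMPLE_FLOWS = [
    Flow("out", 21, False, "USER anonymous"),
    Flow("in", 8021, True, "220 FTP server ready."),
    Flow("in", 443, True, "HTTP/1.1 200 OK"),
]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(flow.direction, flow.dst_port, "firewall=%s ids=%s ips=%s" % verdict)
```

The middle flow is the case the article warns about: the port rule passes it, the IDS flags it for an analyst, and only the IPS blocks it on its own.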
Beyond the three-tier security system, COCC recommends tight regulation of traffic originating inside the bank's network. Internal firewalls and IDS machines are used to verify that attacks are not launched from within. Outbound traffic to the Internet is similarly monitored to prevent unauthorized network access originating from either the bank's network or the Internet.