THREE PILLARS OF BANK NETWORK SECURITY
The Internet is an increasingly dangerous
place, particularly as network attacks have evolved from a hacker’s
hobby to a sophisticated and lucrative business. This article discusses
three “pillars” of network security and describes how to combine them
into a multi-tiered security infrastructure.
Firewalls
Firewalls use simple rules to selectively
block network and Internet traffic. For example, if FTP sites are off
limits to your institution, your firewall can be configured to block
access to the FTP port. You might also block your employees from
visiting Hotmail by blocking traffic to
www.hotmail.com.
Firewalls can also be configured to block
everything except specified traffic. For example, you can
restrict employee access to simple web sites by blocking traffic in your
firewall to all but ports 80 and 443 — the locations of most websites.
You can even block all websites except your own!
Unfortunately, Internet attackers can easily
circumvent firewall blocking techniques. FTP servers can use a different
port, and websites can act as gateways to blocked sites without your
firewall knowing. Is there a way to verify your restrictions? Yes — it’s
called Intrusion Detection.
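The two firewall styles described above (a default-allow list that blocks specific ports and hosts, and a default-deny list that permits only ports 80 and 443) can be modelled as an ordered rule list where the first matching rule wins. The following is an added illustration, not code from the article or from COCC; the Rule class, the flow records and the hostnames are constructed for the example. It also shows the circumvention point made above: a port-based FTP rule does not see an FTP server that listens on another port.

```python
"""Ordered, default-policy firewall rule evaluation (added example, not COCC's code).

Rules are evaluated top to bottom; the first matching rule decides, and the
policy's default catches everything else. Flows below are constructed sample
records, not captured traffic.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    dst_host: Optional[str] = None  # simplification: a real firewall matches resolved IPs
    dst_port: Optional[int] = None
    comment: str = ""

    def matches(self, flow: dict) -> bool:
        return ((self.proto is None or flow["proto"] == self.proto)
                and (self.dst_host is None or flow["dst_host"] == self.dst_host)
                and (self.dst_port is None or flow["dst_port"] == self.dst_port))


def evaluate(rules, flow, default="deny"):
    """Return (action, comment) of the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.comment
    return default, "default policy"


# Policy 1 (selective blocking, the FTP and Hotmail examples): default allow.
BLOCKLIST = [
    Rule("deny", proto="tcp", dst_port=21, comment="FTP control port is off limits"),
    Rule("deny", dst_host="www.hotmail.com", comment="webmail blocked"),
]

# Policy 2 (block everything except specified traffic): default deny, web only.
WEB_ONLY = [
    Rule("allow", proto="tcp", dst_port=80, comment="HTTP"),
    Rule("allow", proto="tcp", dst_port=443, comment="HTTPS"),
]

# Constructed sample flows. "ftp_alt" is an FTP server moved to port 2121.
FLOWS = {
    "ftp_std": {"proto": "tcp", "dst_host": "files.example", "dst_port": 21},
    "ftp_alt": {"proto": "tcp", "dst_host": "files.example", "dst_port": 2121},
    "hotmail": {"proto": "tcp", "dst_host": "www.hotmail.com", "dst_port": 443},
    "web":     {"proto": "tcp", "dst_host": "www.example", "dst_port": 443},
    "ssh":     {"proto": "tcp", "dst_host": "host.example", "dst_port": 22},
}


def decide_blocklist(name):
    return evaluate(BLOCKLIST, FLOWS[name], default="allow")[0]


def decide_web_only(name):
    return evaluate(WEB_ONLY, FLOWS[name], default="deny")[0]


if __name__ == "__main__":
    for name in FLOWS:
        print(f"{name:8} blocklist={decide_blocklist(name):5} web_only={decide_web_only(name)}")
```

Running it shows "ftp_alt" passing the blocklist policy untouched, which is exactly the gap the article says intrusion detection is there to verify; note also that the web-only policy lets the Hotmail flow through because it matches port 443, so host restrictions and port restrictions have to be layered deliberately.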
Intrusion Detection
The second pillar of network security is
Intrusion Detection Systems (IDS). These systems look for intrusions in
progress, such as ‘accessing a forbidden website’ or ‘Trojan horse
attempting to control a workstation.’ The IDS records each dangerous
pattern and alerts network security personnel.
This approach is highly effective in
discovering illicit traffic. However, an IDS must be carefully
configured to send alerts only on dangerous traffic. A mistuned IDS
often sends alerts on perfectly normal traffic, and may miss dangerous
packets because it isn’t looking for them.
Also, the IDS is unable to stop troublesome
network traffic. Someone must review the attack information and attempt
to block it. This can take time, and sometimes cannot be completed
before the network sustains lasting damage. This limitation has led to
the third security device — Intrusion Prevention.
Intrusion Prevention
Intrusion Prevention Systems (IPS) combine
the firewall and IDS technologies. IPS watches network traffic like an
IDS and determines whether to pass any given traffic like a firewall.
The IPS actually assesses traffic patterns
to evaluate the type of network access and to determine whether it
should be permitted. While an IDS can only note an ongoing attack and
pass the alert to an analyst, the IPS will stop the attack by blocking
traffic between the attacker and its victim.
Careful configuration is very important for
the IPS. A mis-configured IDS will only send harmless alerts which can
be ignored; but a mis-configured IPS will deny legitimate traffic,
giving network staff and employees huge headaches when they become
victims of mistaken digital identity. However, when properly tuned, an
IPS is an incomparable defense against network-based attacks.
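The relationship between the two systems described in the Intrusion Detection and Intrusion Prevention sections is easiest to see in one engine that runs in two modes: the same signatures produce alerts in detect mode (IDS) and additionally drop the flow in prevent mode (IPS). The block below is an added example, not the article's or any vendor's code; the signature IDs, the "RAT-HELLO" beacon string and all payloads are constructed. It also reproduces the tuning point: one over-broad signature turns benign mail traffic into a dropped connection once prevent mode is on.

```python
"""Signature-based IDS/IPS engine (added example; constructed flows, not real captures).

"detect" mode only records alerts (IDS); "prevent" mode also drops the flow (IPS).
Signatures inspect payload rather than port, which is how a sensor notices an FTP
server that was moved to a non-standard port to pass a port-based firewall.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    sid: str
    description: str
    pattern: re.Pattern  # applied to the flow payload
    severity: str = "high"


@dataclass
class Verdict:
    action: str                  # "pass" or "drop"
    alerts: list = field(default_factory=list)


# Constructed signatures (IDs and the beacon marker are invented for this example).
SIGNATURES = [
    Signature("SIG-FTP-BANNER", "FTP server banner on any port",
              re.compile(r"^220 .*FTP", re.M)),
    Signature("SIG-HOST-HOTMAIL", "HTTP request to a forbidden site",
              re.compile(r"^Host: .*hotmail\.com", re.M | re.I)),
    Signature("SIG-RAT-BEACON", "Known remote-control beacon string",
              re.compile(r"RAT-HELLO v\d")),
]


def inspect(flow, signatures, mode="detect"):
    """Run every signature over the flow; alert in both modes, drop only in prevent mode."""
    verdict = Verdict(action="pass")
    for sig in signatures:
        if sig.pattern.search(flow["payload"]):
            verdict.alerts.append(
                f"{sig.sid} {sig.severity}: {sig.description} "
                f"({flow['src']} -> {flow['dst']}:{flow['dst_port']})")
    if mode == "prevent" and verdict.alerts:
        verdict.action = "drop"
    return verdict


# Constructed sample flows with payload excerpts.
FLOWS = {
    "ftp_alt_port": {"src": "10.1.1.5", "dst": "203.0.113.9", "dst_port": 2121,
                     "payload": "220 files.example FTP server ready\r\n"},
    "hotmail":      {"src": "10.1.1.6", "dst": "203.0.113.20", "dst_port": 80,
                     "payload": "GET /inbox HTTP/1.1\r\nHost: www.hotmail.com\r\n\r\n"},
    "rat":          {"src": "10.1.1.7", "dst": "198.51.100.3", "dst_port": 8443,
                     "payload": "RAT-HELLO v2 id=7\r\n"},
    "benign_web":   {"src": "10.1.1.8", "dst": "203.0.113.30", "dst_port": 443,
                     "payload": "GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"},
    "benign_smtp":  {"src": "10.1.1.9", "dst": "203.0.113.40", "dst_port": 25,
                     "payload": "220 mail.example ESMTP ready\r\n"},
}


def run(mode, signatures=SIGNATURES):
    """Return ({flow_name: action}, total alert count) for the whole batch."""
    actions, total = {}, 0
    for name, flow in FLOWS.items():
        verdict = inspect(flow, signatures, mode)
        actions[name] = verdict.action
        total += len(verdict.alerts)
    return actions, total


# A mistuned signature: "220 " alone also matches every SMTP greeting.
MISTUNED = SIGNATURES + [
    Signature("SIG-TOO-BROAD", "any 220 greeting", re.compile(r"^220 ", re.M), "low")]

if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        print(mode, run(mode))
    print("prevent + mistuned", run("prevent", MISTUNED))
```

With the tuned signature set, detect mode raises three alerts and blocks nothing, while prevent mode drops the same three flows; with the over-broad signature added, the inbound mail greeting is dropped as well, which is the "mistaken digital identity" headache the text warns about.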
A Bank’s Network Defense Strategy
Could your bank forgo firewall and IDS
devices in favor of an IPS? Possibly. But COCC finds that well-defended
banks typically install all three pillars of security when they
construct their network defenses.
We recommend that traffic arriving at the
bank’s network first pass through an IPS that watches for abnormal
service requests and automatically denies anything resembling an
Internet-based attack. Your bank can work with its IPS vendor to
minimize disruptions of legitimate network traffic.
Once past the IPS, your Internet traffic
encounters the firewall. We set these devices to deny nearly all
incoming traffic except for replies to outgoing requests and a limited
selection of services such as website traffic and incoming email.
Finally, from within the bank’s network, we
recommend a large network of IDS sensors to monitor the network for
anomalous traffic. This final line of defense alerts bank staff to
unusual traffic patterns and then determines whether further action is
needed.
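The firewall tier of the strategy above is stateful: it admits replies to connections the bank opened, plus a short list of published services, and denies everything else inbound. The following is an added example of that rule, not COCC's configuration or any product's code; the packet trace, addresses and the service list are constructed.

```python
"""Stateful perimeter filter for inbound traffic (added example, not COCC's code).

Inbound packets are allowed only when they answer a connection the bank opened,
or when they go to one of the few published services (web, inbound mail).
The connection table is keyed on the reversed 5-tuple; that reversal is what
"replies to outgoing requests" means in practice.  Simplification: no TCP
state tracking and no entry expiry.
"""
from dataclasses import dataclass

PUBLISHED_SERVICES = {("tcp", 80), ("tcp", 443), ("tcp", 25)}  # web and inbound mail


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (bank -> Internet) or "in" (Internet -> bank)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    def __init__(self, services=PUBLISHED_SERVICES):
        self.services = services
        # (proto, bank_ip, bank_port, remote_ip, remote_port) of connections opened from inside
        self.established = set()

    def process(self, pkt):
        """Return "allow" or "deny"; outbound packets also register state."""
        if pkt.direction == "out":
            self.established.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: is it the reverse of something we opened?
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.established:
            return "allow"
        # Otherwise only the published services are reachable.
        if (pkt.proto, pkt.dport) in self.services:
            return "allow"
        return "deny"


def simulate(packets):
    """Run a packet trace through a fresh filter and return the per-packet decisions."""
    fw = StatefulFilter()
    return [fw.process(p) for p in packets]


# Constructed trace.
TRACE = [
    Packet("out", "tcp", "10.1.1.5", 51000, "203.0.113.9", 443),     # bank opens HTTPS
    Packet("in", "tcp", "203.0.113.9", 443, "10.1.1.5", 51000),      # the reply: allowed
    Packet("in", "tcp", "198.51.100.3", 40000, "10.1.1.5", 51000),   # unsolicited, same port: denied
    Packet("in", "tcp", "198.51.100.4", 40001, "10.1.2.10", 25),     # inbound mail: allowed
    Packet("in", "tcp", "198.51.100.4", 40002, "10.1.2.10", 3389),   # unpublished service: denied
]

if __name__ == "__main__":
    for pkt, decision in zip(TRACE, simulate(TRACE)):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {decision}")
```

Only the third and fifth packets are denied: one is an inbound packet to an ephemeral port that no outbound connection justifies, the other targets a service the bank does not publish. In the layered design, the IPS in front of this filter has already discarded anything that looked like an attack, and the IDS sensors behind it watch what the filter let through.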
Together, this three-level security system
has proven highly effective in protecting banks from network-based
threats.
Beyond the three-tier security system, COCC
recommends tight regulation of traffic originating inside the bank’s
network. Internal firewalls and IDS machines are used to verify that
attacks are not launched from within. Outbound traffic to the Internet
is similarly monitored to prevent unauthorized network access in either
direction, from the bank’s network to the Internet or from the Internet
into the bank.