Summary:
A dramatic rise in external security threats, coupled with stringent regulatory demands for information security controls and the rising cost of network intrusions, is pressuring financial institutions more than ever to define and protect their network perimeter. Network security requires several measures to ensure the perimeter is adequately protected from malicious Internet and other external attacks.
Description
Network security at the Internet perimeter involves more than just installing a firewall. Careful consideration should be given to:
- Firewall selection: Hardened operating system / appliance types are generally more secure than a firewall application on a non-hardened operating system. A compromised non-hardened operating system can give an attacker a point of attack to launch further activity. Hardened operating systems are modified operating systems with non-essential services & protocols removed, and typically are supplied by the firewall vendor.
- DMZ topology: Configuring your network to include a DMZ (short for demilitarized zone), by placing a computer or small subnetwork between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet, protects your internal network from external threats. Typically, the DMZ contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS servers. Access from the DMZ network to the internal network should be controlled by firewall rules specific to the DMZ. No system in the DMZ should have multiple interface cards that bypass the firewall for internal access. Configure DMZ-to-internal firewall rules to allow only required services.
- Firewall configuration and review: The firewall rules must be configured to restrict open ports and services to those that are necessary, and to provide the required degree of logging and reporting. Review these rules regularly to verify that only the needed ports are open, and that rules reflect current requirements. Establish alerts for any changes made to the configuration (akin to new combinations being added to a vault). Review firewall traffic logs to confirm that open ports are actually used; if they are unused, consider closing those ports.
- All external, third-party access to internal systems is secured: Outside access to internal systems must be controlled by a firewall, including application service providers (ASPs) on frame relay networks, external service providers, and employee home access. Virtual Private Networks can ensure communications are encrypted and allowed only from a specific IP address. All connections originating external to the network require access control by a firewall. Should an external system at an ASP be compromised, unauthorized access to internal systems will be minimized by a properly configured firewall.
- Home office VPN access: Home office connections to the internal network via VPNs (Virtual Private Networks) can expose the internal network to viruses, spyware, and unauthorized access to internal systems. To minimize risk, the home office computer system must have protection against viruses and spyware, and must allow only authorized VPN connectivity to the internal network. VPN rules should prevent access to the Internet except through the corporate firewall.
- Detailed logging and real-time reporting: Configure the firewall for detailed logging to capture external and internal activities. Establishing adequate archiving of this audit data allows a review of interesting activities. Prioritize logs based on bank policy. Reporting of critical events should be on a real-time basis via email or firewall console alerts. In addition, regular testing of audit and reporting systems should be done to verify that malicious activity does not go undetected. Logging and reporting must also be tamper-proof, so that malicious users cannot make changes to these systems.
- Intrusion Detection Systems: A firewall is only your first line of defense. A properly configured and managed Intrusion Detection System (IDS) provides notification of malicious activity that the firewalls are unable to detect, such as CodeRed attacks (a worm that infected vulnerable systems through the standard HTTP Internet protocol). A properly configured IDS does not burden the IT staff with false alerts. Additionally, an IDS can provide notification of compromised internal systems, including those infected with trojan and spyware programs, and of unauthorized usage of the Internet, including visits to pornography sites. An IDS will also identify network configuration issues that affect performance of the internal network. Select an IDS that provides reports containing useful technical information. An IDS reporting system that includes only high-level charts and graphs may not provide sufficient technical details to identify threats before they become problems.
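The DMZ and firewall-review points above can be turned into a repeatable check. The following is an added example, not code from the original paper or from Assurity River Group; the ruleset format, the zone names, the log line format and the list of required DMZ-to-internal services are all constructed for illustration.

```python
# Added example: review a firewall ruleset against its traffic log for the checks
# described above: Internet rules that reach the internal network directly,
# DMZ-to-internal rules beyond the required services, open ports with no traffic
# in the review window, and a fingerprint for alerting on configuration changes.
import hashlib
from collections import Counter

# Constructed ruleset: (rule id, source zone, destination zone, protocol, port, action)
RULES = [
    ("r1", "internet", "dmz", "tcp", 80, "allow"),      # web server in DMZ
    ("r2", "internet", "dmz", "tcp", 25, "allow"),      # SMTP server in DMZ
    ("r3", "internet", "dmz", "tcp", 21, "allow"),      # FTP, possibly unused
    ("r4", "dmz", "internal", "tcp", 1433, "allow"),    # web tier to database
    ("r5", "dmz", "internal", "tcp", 445, "allow"),     # SMB into the LAN
    ("r6", "internet", "internal", "tcp", 23, "allow"), # telnet straight to LAN
]

# Services the DMZ legitimately needs into the internal network (constructed)
REQUIRED_DMZ_TO_INTERNAL = {("tcp", 1433)}

# Constructed log lines: "<action> <src_zone>><dst_zone> <proto>/<port>"
LOG = """\
allow internet>dmz tcp/80
allow internet>dmz tcp/80
allow internet>dmz tcp/25
allow dmz>internal tcp/1433
allow internet>internal tcp/23
"""

def parse_log(text):
    """Count permitted flows per (src, dst, proto, port) from the log."""
    hits = Counter()
    for line in text.splitlines():
        action, zones, svc = line.split()
        src, dst = zones.split(">")
        proto, port = svc.split("/")
        hits[(src, dst, proto, int(port))] += 1
    return hits

def review(rules, log_text, required):
    """Return (rule id, finding) pairs for rules that need attention."""
    hits = parse_log(log_text)
    findings = []
    for rid, src, dst, proto, port, action in rules:
        if action != "allow":
            continue
        if src == "internet" and dst == "internal":
            findings.append((rid, "Internet permitted directly into internal network"))
        if src == "dmz" and dst == "internal" and (proto, port) not in required:
            findings.append((rid, "DMZ-to-internal service not on required list"))
        if hits[(src, dst, proto, port)] == 0:
            findings.append((rid, "open port unused in review window; consider closing"))
    return findings

def config_fingerprint(rules):
    """Hash of the ruleset; a scheduled job can alert when it changes."""
    return hashlib.sha256(repr(sorted(rules)).encode()).hexdigest()
```

Running `review(RULES, LOG, REQUIRED_DMZ_TO_INTERNAL)` flags r3 as unused, r5 as both unrequired and unused, and r6 as an Internet-to-internal rule, while r1, r2 and r4 pass.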
Impact
Weak perimeter defenses can allow the enemy into your network. The result of such an attack can range from simply experiencing slow network performance to more serious security breaches such as exposure of private customer data (leading to identity theft) and of company financial information (which could result in serious financial losses). Consider, for example, that Bank of America left a UDP port open on its ATM firewalls in January 2003. This allowed the Slammer worm to enter and spread through their internal network. It rendered the bank’s 13,000 ATMs inoperable for six hours.
According to the 2004 Deloitte & Touche Global Security Survey of the Financial Services Industry, 83% of financial institutions acknowledged that their IT systems had been compromised in the past year. This compared to just 39% reporting breaches in the previous year. The greatest source of compromise in 2004 came from viruses and worms. In both 2003 and 2004, such attacks originating external to the network were reported to be more common than those originating internally.
Issues at the perimeter that may lead to vulnerability to a security breach and possible financial loss include, but are not limited to:
- Compromised firewall: A compromised firewall provides a hole for a hacker to gain unrestricted access to the internal network, often using standard protocols such as telnet or NetBIOS. A compromised firewall can be reconfigured by a hacker to allow broader Internet-based access to internal systems.
- Logging / reporting failure: A logging or reporting system failure can allow malicious activity to go undetected, resulting in a compromise of internal systems. Additionally, this failure will not provide forensic evidence needed to determine the origin of malicious activity to prevent future problems.
- Configuration incidents: Unconstrained configuration changes can expose internal systems to unauthorized Internet access. Review and monitor all configuration changes.
- Compromised system not in DMZ: An internal system which becomes compromised can give the attacker unrestricted access to the internal network. If the compromised system was in the DMZ, impact would be contained to the DMZ. However, if the compromised system is in the internal network, the potential impact is much more severe.
- Lack of an IDS or IDS configuration problems: An IDS is your early warning system when an attack is launched and is able to penetrate your firewall. An improperly configured IDS may not detect security breaches, such as a trojan program running on an internal system that emails sensitive information to malicious attackers. A high number of false alerts can overburden the IT staff, causing the staff to miss real instances of harmful activity.
Recommendations
As financial institutions make greater use of web services to improve productivity, and expand their client services to include technologies supporting online bill payment, Internet banking, and electronic claims submission, network-based security risks also increase. Limit your exposure by strengthening security at the edge of your network. Protecting your perimeter requires the IT staff to:
- Properly select, install, configure, manage, and maintain the firewall. The firewall is the main protection from Internet threats, and requires trained personnel to make it effective.
- Periodically perform vulnerability assessments of your network perimeter. Quickly address risks.
- Regularly monitor and analyze firewall log reports and audits for patterns of suspicious activity.
- Select a reliable, robust IDS, which provides detailed information to aid security personnel in identifying corrective steps to minimize risks. Verify that IDS signatures are current with the latest exploits.
- Locate the IDS inside the firewall. This allows the firewall to perform its primary job (filter thousands of incoming packets), and the IDS to efficiently monitor the remaining network traffic.
- Review home office VPN configurations and verify anti-virus and anti-spyware programs are current. Enable VPN connectivity only for authorized users, and require authentication for access.
How Assurity River Group can help
With Assurity River Group’s managed security services, our certified security staff will:
- Examine your firewall logs for problems, help identify risks, and recommend corrective actions.
- Perform regular external scans of the firewall to check for unauthorized and unnecessary open ports, and recommend configuration changes.
- Provide onsite configuration review, determine proper firewall rules, and verify that internal systems are safe from Internet and other external network access.
- Help select, install, configure, and administer firewalls and Intrusion Detection Systems.
- Provide managed firewall / IDS services, where our security experts know how to use these tools to get the maximum protection, and to distinguish false alarms from real threats. We understand your network, and can help your IT staff.
Assurity River Group’s trained security personnel are available to help your organization be proactive in mitigating attacks against you and your customers.
Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.