Smithin K R
ING Life
Risks of using Internet as part of a Business Solution
Internet security concerns have long clouded the performance of many e-commerce sites as well as various web-based financial instruments. The biggest reason for this setback is the anonymity the Internet can provide an attacker. The perpetrators are hardly recognizable in the maze of ‘mirrors’ within mirrors and spoofed IP addresses that are set up to hide the hosts of the malware, Trojans and worms that canker the utility of a web service.
Any business providing services to clients via the Internet is open to a number of web-based security and privacy breaches. Some of them are:
1. Unauthorized access to the network, wherein attackers alter or destroy private files (accounting, academic records, medical, etc.).
2. Denial of Service (DoS) attacks such as Ping of Death, SYN flood and LAND attack, which are used to freeze network services temporarily or sometimes even permanently, until the whole hardware system is replaced.
3. Viruses.
4. Private data leakage.
Non-technical attacks are also a major concern for Internet-based business schemes. Some entities are known to disguise themselves as genuine service providers to trick customers into providing sensitive information. This can be a major concern since these entities use a website that closely matches the original site. Such an attack is called a phishing attack.
There are countless ways in which network security can be sabotaged. An attacker with a little imagination, motivation and an immense amount of resources can successfully break into any network with ease. Network hacking techniques such as 1. IP spoofing, 2. DNS spoofing, 3. session hijacking and 4. network snooping have affected the business of many in the past.
Analysis of Current Solution
ING Life is using a VPN (Virtual Private Network) to help brokers connect to its services. VPNs eliminate the need for a private line and cut the costs of its installation and maintenance, which could have proved unbearable for private use. But, as mentioned earlier, the security concerns of VPNs are huge, since the company would be using the most exposed mode of communication and data delivery available today. There are, however, many viable solutions that could turn this around, such as firewalls and data encryption.
ING Life chose PIX Firewall as the medium that filters the data packets and connection requests that come through its network to the host server. But how far is a firewall capable of delivering what it promises? To answer this, it is important to understand in brief how data moves through PIX Firewall.
Data packets arriving at the higher security level of PIX Firewall are checked for validity using the Adaptive Security Algorithm (ASA). After this brief analysis of the authenticity of the received packet, the firewall adds checksum bits and other fields as required before passing it to the lower security level. All outbound packets are permitted, while all inbound packets from unprotected networks are discarded.
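The traffic rule described above, modelled as an added example (not code from the original essay or from Cisco). The interface names, the security-level values 100 and 0, the addresses and the connection table that lets replies to permitted outbound flows back in are assumptions of this model.

```python
from dataclasses import dataclass, field

# Assumed two-interface layout; the level values are illustrative.
LEVELS = {"inside": 100, "outside": 0}

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrives on
    out_if: str  # interface it would leave through
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Firewall:
    # Flows opened from the higher-security side (assumed stateful table).
    conns: set = field(default_factory=set)

    def check(self, p: Packet) -> str:
        if LEVELS[p.in_if] > LEVELS[p.out_if]:
            # Higher to lower security level: outbound, always permitted.
            self.conns.add((p.src, p.sport, p.dst, p.dport))
            return "permit"
        # Lower to higher: accept only the exact reverse of a recorded flow.
        if (p.dst, p.dport, p.src, p.sport) in self.conns:
            return "permit-reply"
        return "drop"

def run_demo() -> list:
    """Run four constructed packets through one firewall instance."""
    fw = Firewall()
    packets = [
        Packet("inside", "outside", "10.0.0.5", 40000, "203.0.113.10", 443),
        Packet("outside", "inside", "203.0.113.10", 443, "10.0.0.5", 40000),
        Packet("outside", "inside", "198.51.100.7", 5555, "10.0.0.5", 22),
        Packet("outside", "inside", "203.0.113.10", 443, "10.0.0.5", 40001),
    ]
    return [fw.check(p) for p in packets]

if __name__ == "__main__":
    print(run_demo())
```

The last packet comes from a host the inside system did contact, but to a port that was never opened, so it is dropped like any other unsolicited inbound packet.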
PIX Firewall provides a failover system that allows one to configure two PIX firewalls with identical settings for fault tolerance. It also provides Java filtering, which prevents an inside system from downloading Java applets that act as conduits for external malicious programs to enter the network. Its other major functions can be summarized as: 1. Mail Guard, a safe conduit for SMTP; 2. multiple interfaces, up to six; 3. URL filtering; 4. hiding the real network identity of the internal network from outside networks. It also supports a variety of protocols.
The PIX Firewall has the agility and adaptability that are essential for utility software of this kind. The features of the firewall are the best in the market as well. The security concerns of Extranet can be overcome by using a firewall that is promptly kept up to date and maintained. There should be a team of technicians working round the clock to make sure that the firewall is performing well on this front. A company that does not fall into a false sense of security and stays vigilant about the evolution and changes in the threat market shall thrive without any big troubles. Extranet is therefore a viable solution.
Recommended Alternative to Extranet
The problem with VPNs is that they not only broadcast private data all over the world but also provide access to the private network through this system. Even though we can hope that PIX Firewall can protect ING Life from anything malicious, it is worth noting that data loss is not the only thing we have to worry about.
The day-to-day functions of a company are based on sensitive data stored in the company’s intranet. It is almost impossible for a third party to steal this data and successfully decrypt it without an encryption key. But what if the attacker were capable of crashing the entire private network of a company? Attacks such as phlashing are used by hackers to gain access to the hardware components of a private network so as to alter their firmware. Such a compromised network cannot be used again without hardware replacement. The whole operation of the company comes to a halt during such difficulties.
Even with firewalls, a company is vulnerable to attacks by insiders who are given access to its private network. With the increase in brokerage partners, it will become difficult to find the weakest link during an attack. Since under such circumstances data loss is not the major concern (as higher-order encryption could avoid data loss), a viable solution would be to use cloud services.
Cloud services include the different cloud computing services such as 1. Software as a Service (SaaS), 2. Platform as a Service (PaaS) and 3. Infrastructure as a Service (IaaS). Each of these services has a purpose of its own. For example, if we use IaaS, we do not have to buy expensive hardware components such as the NT servers, SNA gateways, etc. and own them physically. We could rent these services from cloud computing companies, and they can be accessed from any computer that has Internet access.
Maintaining and updating expensive firewall software is no longer required in such schemes. Since the companies that provide cloud computing options shall also provide firewall services through Software as a Service (SaaS), there is no worry about maintenance and no need for a technical team to look into network security. And the biggest advantage of all is that there is no way any security threat can cause the system to break down. The private network of ING Life shall always remain intact.
Each company providing cloud computing services shall provide data backup options in case of any system breakdown on its side. Highly encrypted data (such as data encrypted using keys of more than 2048 bits) shall prove incredibly hard for attackers to decode. And if we are to change the encryption key, say every six months, then there is no way an attacker, even with the aid of a supercomputer, can keep up with our security system. This scheme ensures that even with the vulnerability of cloud computing to security breaches, company data shall always remain safe. And since the company is careful not to provide these attackers access to our private network through the Internet (using VPN), there is no way they can cause any damage.
This is advantageous in the sense that our data will always be safe and our system will always be running with the least amount of physical as well as financial resources used on our part.