Secure Network Access Solutions for Banks and Financial Institutions. Secure. Easy. Protected. Access.

Transcription

1 Secure Network Access Solutions for Banks and Financial Institutions Secure. Easy. Protected. Access.

2 Cybersecurity A Growing Concern for Banks The banking sector is shifting from using closed, proprietary systems for its network operations to using open systems that facilitate interaction with customers, branch offices, third party administrators, auditors, and Enterprises currently face an 80% employees working from remote locations. New probability of a successful network network innovations such as cloud-based attack costing almost $6 million to applications, wireless networking, customer remediate. kiosks, and mobile devices introduce a new level Ponemon Institute Studies of complexity in the various ways they interact. This complexity increases security vulnerabilities such as unauthorized access, malware attacks, and hacking. Customers demand convenient access to their account information and instant transaction processing, but they also want assurance that their information is secure. Banks collect, store and transmit vast amounts of nonpublic personal information and their networks are prime targets for fraudulent activity. A successful attack poses financial risk to a bank with the added risk of negative publicity that damages reputation. Bank network and security administrators face increasing pressure to provide fast, reliable access to sensitive information while protecting it, creating the potential for tradeoffs between performance and security. Banks and depository institutions are periodically required to demonstrate compliance with legal and regulatory requirements for network security, such as the Federal Financial Institutions Examination Council (FFIEC), the Gramm-Leach-Bliley Act of Regulatory Compliance Adds Network Security Requirements (GLBA), the Sarbanes-Oxley Act of 2002, and, for credit unions, the NCUA's Information Technology Plan. What many of these regulatory provisions have in common is a mandate to establish a security plan, processes, and procedures to ensure that only authorized users have access to sensitive data and are engaged in permitted activities. Bank fiduciaries and network administrators need to demonstrate best-in-class practices for meeting these requirements while minimizing network overhead and the burden of compliance Nasatka Security & Blue Ridge Networks. All Rights Reserved. 2

3 Blue Ridge Networks A Proven Cybersecurity Architecture Blue Ridge provides solutions for banks and their network administrators for trusted remote access to enterprise networks. Blue Ridge s cybersecurity architecture offers an Blue Ridge has never had a reported vulnerability of its solutions. unmatched suite of reliable, scalable, certified, easy-to-install, and affordable solutions that enable secure access to network resources with protection and control of endpoints. For more than 15 years, Blue Ridge has successfully protected networks worldwide for government agencies and business enterprises in banking, retail, healthcare, energy, and industry. The Blue Ridge s cyber security architecture locks down networks, preventing unauthorized access and protecting against malicious code (malware), data leakage, and network attacks while allowing full and easy use of enterprise network operations. The Blue Ridge security approach establishes trust in a company s core infrastructure and then extends that trust to each network tunnel, LAN, remote device, computer, employee, and authorized agent. U.S. Government penetration testing has reported no vulnerabilities in the architecture and there never been a reported penetration of Blue Ridge s solutions. The Blue Ridge architecture uses patented technologies, trade secrets, and best practices that have delivered security and operational efficiencies previously thought unattainable. It is compatible with major vendor Blue Ridge Certifications Include: services such as Microsoft, Linux, Cisco, Apple, FIPS level 2 Blackberry, and Citrix. Security software HSPD-12, PIV compliant operates at Layer 2 and is transport layer FISMA 2010 agnostic, operating with all wire and wireless Extended RSA keys transmission modes: 802.XX, ATM, LTE, MPLS, IEEE 802.1Q VLAN Frame Relay, 3G/4G, Wi-Fi, GSM, and satellite. Blue Ridge s approach is service and network agnostic deployment does not require either user or administrator interventions for deployment Nasatka Security & Blue Ridge Networks. All Rights Reserved. 3

4 Network Security Design Configurations Blue Ridge s architecture provides banks with secure network access over the public internet. The Blue Ridge Project Manager works with the bank s administrator to determine the configuration of the Managed Services BorderGuard or Compact No capital outlay BorderGuard, and to create the Pre-configured network security equipment required policies for each user or groups Easily configurable Enterprise policies of users. 24x7x365 monitoring and helpdesk Bring your own bandwidth Once the BorderGuard infrastructure Managed Data Centers available (single or redundant) is in place, the Blue Ridge team works with the bank s administrator to manage, monitor, and audit information. Installation is easy because the system wraps the existing IT infrastructure and requires no network configuration changes. Bank Data Center Protection Need: Banks require access security for Primary and optional Disaster Recovery Data Centers. Solution: The BorderGuard family provides banks with secure devices for Primary and optional Disaster Recovery Data Centers, all with built-in redundancy and automatic fail-over. Placing a BorderGuard in a Data Center hosted by either the Bank or Blue Ridge allows secure, redundant access to bank records and data Nasatka Security & Blue Ridge Networks. All Rights Reserved. 4

5 BorderGuard Redundancy BorderGuards and Compact BorderGuards can be grouped in pools to provide automatic failover for remote access connections. These pools can be random to provide for load-spreading, or ordered to force the connection to one BorderGuard or a pool of BorderGuards. BorderGuards can be located in different areas and still be pooled for connections. The figure on the right illustrates the pooling of BorderGuards to provide automatic failover for remote access. Master Pool - Ordered Pool 1 selected first; if not available, automatically fails over to Pool 2 Extend Architecture to Branches and ATMs Need: Banks require access to branches and ATM machines from a Headquarters site or Data Center. Solution: The BorderGuard architecture provides banks with secure devices for all sites: headquarters, branches, ATMs, and Data Centers. A Compact BorderGuard enables secure sessions between headquarters and branches along with ATMs, which are protected by RemoteLinks, and can interface directly with a BorderGuard device in a Data Center. All communications are secure Nasatka Security & Blue Ridge Networks. All Rights Reserved. 5

6 Extend Solution to Mobile Workforce and Teleworkers Need: Personnel need to telework securely, and budget cuts may necessitate using legacy equipment. In addition, mobile workers need trusted connectivity from nonsecure facilities and the internet. Solution: EdgeGuard provides a completely isolated desktop, crypto engine and network access for a secure session from a PC anywhere, with no data or residue left behind and no chance of malware intrusion. Boot EdgeGuard is bootable device, and Virtual EdgeGuard is a software installation completely isolated from the PC. EdgeGuard Client enables individuals to access the enterprise network from any remote location, creating a secure session without exposing the network to malware or intrusion Nasatka Security & Blue Ridge Networks. All Rights Reserved. 6

7 Extend Solution to Enterprise Customers Accessing Bank Network Need: Corporate customers require secure access to their data within the bank. Solution: Banks can provide either a Boot or Virtual EdgeGuard device to corporate customers to allow secure access to their financial data while preventing malware incursion and data leakage. Alternatively, a BorderGuard RemoteLink can enable a remote site or user to securely connect to the bank s Data Center. Blue Ridge can also provide Thin Client terminals to provide secure remote access Nasatka Security & Blue Ridge Networks. All Rights Reserved. 7

8 Frequently Asked Questions (FAQs) How do I know my data is secure? Blue Ridge solutions define a strict closed network for communication among trusted elements of an organization s IT infrastructure. At each point of entry to a secured network, there is a Blue Ridge hardware appliance with at least two physical Ethernet ports. One port connects to the trusted network or device. The other port connects to the untrusted network (typically internet). The appliance enforces 100% separation between these ports with the following policy: a. The only data that can move from the inside (trusted port) to the outside port has been fully encrypted and is addressed to another Blue Ridge Networks appliance that is part of the customer s closed network. b. The only data that moves from the outside port to the inside port is data that was successfully decrypted and authenticated as having originated from another Blue Ridge appliance that is part of the customer s closed network. Authentication of arriving data is based upon unique RSA public-key certificates issued for each Blue Ridge appliance. c. At no time does customer data touch the untrusted network. Customer data never shares any switches or buffers with any other customer data. How affordable is the Blue Ridge architecture? Symantec s 2011 Annual Study: U.S. Cost of a Data Breach, released in March 2012, states that data breaches continue to have serious financial consequences, with an average organizational cost per data breach at $5.5 million, and the cost per compromised record approaching $200. Well-meaning insiders and malicious attacks are the main causes of data breaches. The Blue Ridge architecture protects against malware and data leaks, thereby reducing the potential of high costs of remediating a successful attack and generating operating savings. In addition, Blue Ridge solutions can bring efficiencies into an enterprise, including cloud-based operations and secure remote access. The Blue Ridge architecture is easy to deploy, and overlays the organization s existing infrastructure with minimal disruptions. What options does Blue Ridge provide for redundancy? Blue Ridge solutions are not restricted to any specific network carrier, enabling them to bring network diversity and a higher level of redundancy to customer networks. Blue Ridge can auto-fail to another provider if one provider s network goes down. Network diversity can extend to the last mile. Instead of the backup network running over the same copper wire as the primary network, backup can be provided via 2013 Nasatka Security & Blue Ridge Networks. All Rights Reserved. 8

9 inexpensive cable coaxial to provide a truly diverse path. For those that want to go the extra mile, the BorderGuard system can also work over fixed wireless or VSAT. Will my VoIP and other bandwidth-intensive applications work? Blue Ridge fully supports Quality of Service (QoS) demands of advanced voice, video, and data applications. Our experience is that the biggest reason for the lack of quality in VoIP is insufficient or oversubscribed bandwidth. Blue Ridge enables its customers to secure more bandwidth by using DSL or cable at a lower cost than a T1. And because Blue Ridge encryption is Layer 2, it adds very little overhead to each packet. What are the logging capabilities? BorderGuard with Management Console logging capabilities are as follows: IP incoming IP assigned by DHCP Time connect and disconnect MAC address of the remote device Packets in/out during session Bytes in/out during session Which BorderGuard connected to (in the case of multiple BorderGuards) Management plane tunnel statistics User account changes for IP address, permissions, lockout, etc. Any regular admin actions, e.g., BorderGuard up/down, failures, power up/down, administrator privilege changes, etc. Authentication failure attempts, e.g., key length failures, mismatches. What are the Bandwidth requirements? There is no lower limit on bandwidth requirements, but there can be a practical limit based on the user experience. Upper bandwidth requirements are determined by how many BorderGuards are used (BorderGuards are stackable with 1,500 concurrent users per BorderGuard pool, and 200 BorderGuards per Management Console). Users of the Blue Ridge architecture often realize increases in bandwidth efficiency, some as high as 50% more throughput over the same bandwidth. Due to the Layer 2 approach, the BorderGuard generally has smaller packet overhead compared to Layer 3 systems. What standard does the BorderGuard use to create the secure VPN tunnel through the public IP network? BorderGuard solutions use a proprietary variant of IPsec ESB tunnel mode with a security enhanced IKE to create the Layer 2 tunnels. This variant is immune to all known attacks on IPsec and IKE Nasatka Security & Blue Ridge Networks. All Rights Reserved. 9

10 Are Blue Ridge solutions compatible with IPv6? BorderGuard Clients, BorderGuard RemoteLinks and EdgeGuard solutions consist of operating systems and applications that support IPv6 transfer over ISP/Internet IPv4 networks. The IPv6 traffic is transferred via secure Layer 2 tunnels through BorderGuards into the enterprise intranet. Efforts are underway to update FIPS certifications for Blue Ridge products to include the new BorderGuard 7 series devices. With an operating system based on Linux, the BorderGuard 7 series is fully IPv6- capable, and can send tunneled IPv4 and IPv6 traffic through ISP/Internet IPv6 networks. Contact Information For further information, please contact: David Natelson, President of Nasatka Security 1101 Channelside Drive, STE 301 Tampa, FL david.natelson@nasatka.com 2013 Nasatka Security & Blue Ridge Networks. All Rights Reserved. 10