
Remote access methods used at Financial institutions

Status
Not open for further replies.

janeiem

IS-IT--Management
May 27, 2003
2
US
For work, I have been asked to do a benchmark study of what other foreign financial institutions' strategy is regarding remote access, i.e.:
==>Do you use dial up (over the modem line) remote access and if so do you use Shiva, SecurID cards?
==>Do you have a VPN setup and if so what kind of VPN (vendor name) and how does it work (brief overview)?
==>Who do you allow to remotely access the systems (IT only, IT and business users)?
==>What applications can people access using the remote connection? (Lotus Notes, all applications, non-mission critical applications etc)?
==>What kind of security controls are in place over the remote access process? (Access, authentications, encryption, etc?)

I need to have these answers for various financial institutions by Friday, May 30th.

Specific company names will not be used, but I need to know them so that I don't duplicate them in the consolidation of results.

Thanks for any help that you can provide.
JM
 
You may find that most financial institutions will be reluctant to talk about how their remote access/security systems are set up, for obvious reasons. Frankly, I make it a point at any company to refuse to divulge exactly what is used unless the person/company being dealt with signs a confidentiality agreement.

Anyhow, for a large financial company I know of, the systems used are:
* Cisco/securid providing dial-in access - mainly used for IT/Support
* Combination win2k/cisco/sun/securid equipment providing choice of access to email (OWA), or full VPN - for all business users (requires approval from manager as costs are charged back to each business unit depending on number of users)

This way people can access their email from pretty much any site that has internet access by using OWA (securid/128-bit SSL encrypted). From their laptop/pc at home, they can install the vpn client and get onto the corporate network via their local ISP (either dialup or broadband) and access anything they want. There are some Citrix servers that some users access as well. In the rare event of an emergency/internet link being down, remote access is still available via straight dial-up for IT/Support. The internet link is pretty robust as there are two separate pipes in two cities, load balanced with cisco gear so if one goes down the other takes the full load.

Cheers
 
Thanks for the help on answering the q's. Yes, I know people are sensitive to disclosing technical info on their firm (and rightfully so!), which makes this exercise in a very short time period extremely difficult.
I do appreciate the response though. Just a few more q's:
1) Do you enforce personal firewalls on home user PCs? i.e. is there any way to check in an automated fashion for this?
2) Do you enforce antivirus software checks/mandate it as a term to be able to access the VPN for home PCs?
3) Do you allow a user to be connected to their home Internet connection while also being connected to the work VPN remotely?
4) Do you find the security risks of using CITRIX different from using an IPSec based VPN? If so, what are the major differences from a security point of view?
Thanks for your help!
 
1. No - it would have been nice (we tried ZoneAlarm, BlackICE, and my favourite Tiny Personal Firewall) - but it was seen to be too hard to manage properly. This was a year or two ago so they've probably improved, so it may be worthwhile investigating for any new implementations. People with broadband connections (so whose pcs were most at risk of being attacked because their workstations are frequently left connected to the internet for long periods of time & whose IP address rarely changed) were generally provided with a netgear router (eg an RT314) that then would provide them with a number of local ports (workstation/laptop/printer) plus protect them a bit via NAT but would still work with the VPN.

2. Yes

3. No (the vpn software automatically blocks it - causes some complaints about speed when accessing the internet when connected to the vpn, but not many: "So why are you browsing the internet via the VPN? Just disconnect from the VPN and then browse" - reply "Oh.... ok....".)

4. The VPN is perhaps a little more secure but the citrix setup isn't too bad assuming you're also using a CSG. On top of that, using some form of token authentication such as Securid almost guarantees that the person getting in is an authorised person. The big advantages to Citrix include not having to install & keep updated software on the remote user's pc, not having to worry about backing up data on the remote user's pc, not having to worry about losing corporate/sensitive data on a pc that may at times be unprotected to the internet or perhaps even stolen, and not having to worry about the virus(es) that may have been dumped onto the pc by the employee or their kids..... basically, the management overhead is MUCH lower along with some nice security advantages. The biggest security issue is the possibility that someone might have their pc "0VVn3d" by a hacker who can remotely control it and thus get onto the corporate network - less likely with the vpn. The protection there is regular anti-virus updates and the securid card. Frankly I think it's nice to have both options available as some things don't suit Citrix, but Citrix does have a lot in its favour...

Cheers
 