
Case study: Deutsche Bank tries to marry wireless and security

May 7, 2003 12:00 PM ET

Computerworld - PALM DESERT, Calif. -- A company looking to beef up the security of its wireless operations should start with its own policies and standards, according to Ken Newman, director of security and risk management at Deutsche Bank AG. That's because standards and policies form the foundation upon which all security efforts are built, he said during a case study demonstration at Computerworld's Mobile & Wireless Conference here.
For example, employees need to understand that something as simple as setting up a wireless access point can pose a threat to company security.
Deutsche Bank itself faced the business problem of needing a system that provides confidentiality and data integrity and that would meet government-imposed security considerations. Complicating the effort were fears that advances in technology meant the entire security program would have a life span of only 12 to 18 months.
After the bank strengthened its policies and standards, the next step in the process was "hardening" PCs and laptops against security breaches with personal firewalls, updates and patches for existing software, upgrades to security software, the use of low-level encryption and the prevention of simultaneous wireless/wired connections, he said.
After taking those steps, Newman said the company set out to go after its own network with the same tools attackers would use. That way, Deutsche Bank could determine what information could be detected, what could be accessed and where it could be accessed from.
The company's physical security force was also brought into the operation, with security guards regularly patrolling corporate offices at night with special carts looking for rogue access points employees might have set up on their own. Newman called this "cart stumbling," a play on Netstumbler, which is a tool many attackers use to look for access points. "We have a limited staff, and we can't be everywhere," he said.
The company also regularly monitors Web sites where attackers routinely post discovered access points, such as www.netstumbler.com and www.wigle.net, to see if any Deutsche Bank access points are listed.
On the wireless side, Newman said the bank:
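The reconciliation behind such a sweep, as an added example that is not from the article or from Deutsche Bank: sightings recorded on a patrol are compared against an inventory of sanctioned access points. The inventory, the CSV column layout, the finding labels and every address below are constructed for illustration.

```python
import csv
import io

# Constructed inventory of sanctioned access points: BSSID -> (SSID, security).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CORP-WLAN", "LEAP"),
    "00:11:22:33:44:02": ("CORP-WLAN", "LEAP"),
}

# Constructed survey export from one patrol; the column layout is an assumption.
SURVEY_CSV = """bssid,ssid,security,signal_dbm,location
00:11:22:33:44:01,CORP-WLAN,LEAP,-48,Floor 3 east
00-11-22-33-44-02,CORP-WLAN,None,-55,Floor 3 west
66:77:88:99:AA:BB,linksys,None,-40,Floor 4 trading desk
66:77:88:99:AA:CC,CORP-WLAN,None,-62,Floor 2 lobby
66:77:88:99:AA:BB,linksys,None,-71,Floor 4 stairwell
"""

def normalize_bssid(raw):
    """Canonical form: upper-case hex pairs separated by colons."""
    digits = raw.strip().upper().replace("-", "").replace(":", "")
    if len(digits) != 12 or set(digits) - set("0123456789ABCDEF"):
        raise ValueError(f"malformed BSSID: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(row, authorized):
    """Return a finding label for one sighting, or None if it matches inventory."""
    bssid = normalize_bssid(row["bssid"])
    known_ssids = {ssid for ssid, _ in authorized.values()}
    if bssid in authorized:
        # Sanctioned hardware: flag it only if it is not running as provisioned.
        expected = authorized[bssid]
        return None if (row["ssid"], row["security"]) == expected else "config-drift"
    if row["ssid"] in known_ssids:
        return "ssid-impersonation"    # corporate SSID from unknown hardware
    return "rogue"                     # unknown AP heard inside the office

def review_survey(text, authorized=AUTHORIZED):
    """Map BSSID -> (finding, location of the strongest sighting)."""
    best = {}
    for row in csv.DictReader(io.StringIO(text)):
        finding = classify(row, authorized)
        bssid, signal = normalize_bssid(row["bssid"]), int(row["signal_dbm"])
        if finding and (bssid not in best or signal > best[bssid][2]):
            best[bssid] = (finding, row["location"], signal)
    return {b: (f, loc) for b, (f, loc, _) in best.items()}

if __name__ == "__main__":
    print(review_survey(SURVEY_CSV))
```

Keeping only the strongest sighting per BSSID gives the follow-up team the location nearest the device rather than every spot where it was heard.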

  • Limits connectivity to the network by placing access points in a DMZ outside the company firewall.

  • Limits the types of applications and data available via firewall rules.

  • Sweeps for malicious code and viruses.

  • Provides for two layers of encryption -- LEAP and IPSec VPN Tunnel.

  • Commits to being a one-vendor shop to eliminate problems associated with using multiple encryption protocols and standards.

  • Builds in strong user-based authentication, such as systems that require secure ID tokens.

Newman said the bank has also looked into setting up fake access points to confuse

