Features

February 2008

Special Focus: Network Security

Faster VPN provides insurance

SSL VPN overcomes security and deployment challenges for third-party site connectivity.

Insurance firm Hub International is in acquisition mode, having pulled off three in the second quarter of 2007 alone. This makes getting newly acquired firms quickly connected to critical resources on the Hub International network a high priority. Once, this was a time-consuming process that demanded a high level of expertise.

"We've worked days getting a VPN in. It was just a nightmare," states Tarron Weir, vice president and chief technology officer for Hub International. "Not that we couldn't do it, but it required highly trained senior engineers."

To expedite the integration process with its latest acquisitions, the company took advantage of a new SSL-based site-to-site VPN. Today, Hub International can accomplish the aforementioned task in about 45 minutes.

Hub International is a North American insurance brokerage providing a broad array of property and casualty, life and health, employee benefits, reinsurance, investment, and risk-management products and services throughout offices located in the United States and Canada. Since 1998, Hub has completed more than 120 acquisitions as part of its strategic commitment to expansion and to provide seamless coverage for a growing customer base.

While these mergers and acquisitions make sense from a business perspective, the IT staff is responsible for providing the on-ramp for bringing new companies into the fold and ensuring they are rapidly accretive. According to Tarron, "We are constantly on the lookout for solutions and technologies that will make our lives easier."

For acquisitions, Hub subscribes to the principle of least privilege, by essentially denying newly acquired firms access to everything, then backing up and providing access to essential resources. "Once we complete an acquisition, it's critical to have network communications immediately and communications to certain applications," Weir explains, "but we don't want to give them the whole house. You have to make sure you have people VLANed off or cordoned off so they don't have access to the different parts of the business that they don't need access to."

The firm chose Array Networks' SiteDirect site-to-site SSL VPN for secure remote communications, offering third-party site connectivity scenarios such as partner extranets, customer engagement and acquisitions. Typical site-to-site VPNs establish a Layer 2/Layer 3 connection between two locations, essentially turning two remote networks into one larger network. That means all resources at each location are readily accessible to users at the other end, at least until administrators take steps to deny access to certain servers and applications.

VIRTUAL LAN MORE CUMBERSOME

Prior to SiteDirect, Hub accomplished this task using a traditional virtual LAN approach, which required working out differences between the various types of hardware each side used, as well as internal IP addressing issues that required the use of double network address translation (NAT).

Both Hub International and the companies they acquire typically use NAT to allow them to publish their assigned IP address to the Internet, but use more, and different, IP addresses internally. That means two companies using the same internal IP addresses would not be uncommon. Working around such issues with traditional VPNs requires NAT devices on both ends, a configuration known as double NAT, which adds time and complexity to the configuration.

"Absolutely, we have run into situations where we had duplicate IP addresses. It seems to be the rule rather than the exception. In fact, we ran into that situation again with our latest project based out of Fort Lee," confirms Weir.

SiteDirect avoids such conflicts through a technology dubbed resource publishing, which enables IP addresses to be provisioned using a dynamic host-configuration protocol server or from a specified pool of addresses. Resource publishing automatically performs a one-to-one translation of source and destination IP addresses, based on the local IP addresses provisioned by SiteDirect at each endpoint, thus obviating the need for administrators to configure NAT rules.

Hub can now take a white-list approach, in line with the prevailing "principle of least privilege" approach to security. Instead of assuming all resources will be available to users at an acquired company, SiteDirect extranet publishing technology makes available only those resources that IT specifically indicates, whether they are applications, servers or subnets. All remaining resources are invisible to the newly acquired organization.
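The two mechanisms described above, one-to-one translation into a non-overlapping address pool and an allow-list of published resources, are easy to see in a small model. The following is an added example written for this article, not Array Networks' SiteDirect implementation; the site names, the overlapping 10.0.0.0/24 ranges, the 172.16.x.0/24 pools and the "billing" resource are all constructed.

```python
"""Model of one-to-one address translation between two sites whose internal
address ranges overlap, with an allow-list of published resources.

Added example: a simplified model, not Array Networks' SiteDirect.
Site names, subnets, pool ranges and resource labels are constructed.
"""
import ipaddress


class Site:
    """One VPN endpoint: its real internal range and the pool of
    non-overlapping addresses the peer site is allowed to see."""

    def __init__(self, name, internal, pool):
        self.name = name
        self.internal = ipaddress.ip_network(internal)
        self.pool = ipaddress.ip_network(pool)
        self._free = list(self.pool.hosts())   # handed out like DHCP leases
        self._to_pool = {}                      # internal IP -> pool IP
        self._to_internal = {}                  # pool IP -> internal IP
        self.published = {}                     # internal IP -> resource label

    def lease(self, internal_ip):
        """Give an internal host a pool address (one-to-one, reused if present)."""
        ip = ipaddress.ip_address(internal_ip)
        if ip not in self.internal:
            raise ValueError(f"{ip} is outside {self.name}'s range {self.internal}")
        if ip not in self._to_pool:
            if not self._free:
                raise RuntimeError(f"{self.name}: address pool exhausted")
            mapped = self._free.pop(0)
            self._to_pool[ip] = mapped
            self._to_internal[mapped] = ip
        return self._to_pool[ip]

    def publish(self, internal_ip, label):
        """Allow-list one resource for the peer; everything else stays invisible."""
        mapped = self.lease(internal_ip)
        self.published[ipaddress.ip_address(internal_ip)] = label
        return str(mapped)

    def resolve(self, pool_ip):
        """Map a pool address back to a published internal host, or None."""
        real = self._to_internal.get(ipaddress.ip_address(pool_ip))
        if real is None or real not in self.published:
            return None
        return real


def translate(src_site, dst_site, src_ip, dst_pool_ip):
    """Rewrite (src, dst) for a packet leaving src_site towards a pool address
    at dst_site. Returns (pool_src, real_dst) as strings, or None when the
    destination is not a published resource (the packet is dropped)."""
    real_dst = dst_site.resolve(dst_pool_ip)
    if real_dst is None:
        return None
    # The source is leased a pool address too, so the peer never sees an
    # internal address that might collide with one of its own.
    pool_src = src_site.lease(src_ip)
    return str(pool_src), str(real_dst)


def demo():
    # Constructed scenario: both companies use 10.0.0.0/24 internally.
    hub = Site("hub", "10.0.0.0/24", "172.16.1.0/24")
    acquired = Site("acquired", "10.0.0.0/24", "172.16.2.0/24")

    billing = hub.publish("10.0.0.20", "billing")   # published as 172.16.1.1
    # Hub's 10.0.0.50 (say, an HR server) is deliberately not published.

    # A host at the acquired site that happens to share 10.0.0.20 reaches billing...
    ok = translate(acquired, hub, "10.0.0.20", billing)
    # ...but a pool address with no published mapping is dropped.
    dropped = translate(acquired, hub, "10.0.0.20", "172.16.1.2")
    return billing, ok, dropped


if __name__ == "__main__":
    print(demo())
```

Because each side only ever sees the other's pool addresses, the duplicate 10.0.0.20 on both networks never collides, and an unpublished host has no pool address at all, so there is nothing for the remote side to reach.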

SiteDirect allows Hub to quickly provide newly acquired companies access to certain financial and billing applications, for example, but not to portions of the business that do not concern them. "It allows us to button it down right to the application itself," Weir says. "We might want to just give them billing, or just give them our financial system where they can do some read-only stuff.

"It's a great help to us, versus exposing the entire network," he adds. "That's been a basic bedrock principle for us; do you want to deliver the application or the network? We want to deliver the application."

QUICK INSTALLATION TIME

In addition, while traditional VPNs required extensive setup, Hub International was able to install SiteDirect in a matter of minutes. "With SiteDirect we can put some of our lesser-experienced engineers on the task," Weir explains. "They can walk in and have a new site up in less than an hour. That helps us a lot, because we're not taking cycles away from someone who could be doing something more strategic."

Installing SiteDirect requires no information about the internal topology of either network, so issues such as IP addressing are simple to work around. Because all traffic is tunneled over SSL connections, which typically use TCP port 443, SiteDirect avoids tricky firewall and NAT traversal issues.

The solution also enables all sites to employ common technology, so the company does not have to retrain its IT personnel each time an acquired company brings along a VPN with which Hub engineers are not already familiar. Moreover, SiteDirect provides an affordable backup solution to the DS-3 and wide-area Ethernet services that connect branch sites to Hub's headquarters and its three primary disaster-recovery sites. Should the primary circuit fail between two sites, SiteDirect can connect them via the Internet.

"We are using this solution strategically as an acquisition and integration tool," Weir says, "but we're also using it in many other practical instances, such as failover, almost like we used to use ISDN and things like that."

Compliance and the AS/400

by John Earl

The IBM System i (as the AS/400 is now known) carries some of the most critical and sensitive data in the organization. While industry and government compliance initiatives require the protection of personal and confidential data, the average System i may have a litany of security configuration violations that indicate the data is not being protected. Some of the most glaring deficiencies include:

Group ownership of data. Many System i applications were secured with an authority scheme that designates a single ID as the owner of all files and programs. That same owner profile is also the group ID for all application users. This means that every application user will operate with application owner rights by virtue of their membership in the group. This vulnerability presents an unacceptable level of risk.

To discover whether a system has this problem, start by looking at the most important files on the system, the payroll or credit card file, and ask the system administrator to show who has authority to read it or change it. If the list of users includes group IDs with large membership lists (or worse, the system group "public"), proceed with the assumption that individual files are not well secured.

Unmanaged access control. With the adoption of TCP/IP networking protocols, users may now have access to the System i using PC-based tools such as open database connectivity, which allows dynamic data exchange through common tools such as Word and Excel. Users with tools that can access the data, coupled with the legacy of group profile ownership, present the perfect storm of vulnerability.

To see whether the system has this worst-case scenario, select a user ID without any administrative rights and attempt to launch an FTP session against the System i. If logon is successful, attempt to download data from the system using the FTP command: get qgpl/qddssrc.qdsignon c:\myfile.txt. If the file can be downloaded, access control on this machine is not closely managed.

Too many chiefs. One of the more surprising findings on the System i is the large number of security officers, or root-level users, on each system. An average of 8 to 10 percent of all system users may be operating with root-level authority.

Check the system by having the system administrator list all users with "allobj" (essentially root) special authority. This list should be small and each user should have an obvious need for special authority. Additionally, powerful profiles should all be audited, and their logs regularly reviewed.
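The file-authority review and the special-authority count described above can be scripted once the administrator has exported the relevant lists. The following is an added example, not part of the original article and not PowerTech's software; it runs over constructed records shaped like what an auditor would transcribe from DSPOBJAUT and DSPUSRPRF output, reduced to each entry's shorthand authority (*ALL, *CHANGE, *USE, *EXCLUDE). The profile names, group sizes and authority entries are all constructed.

```python
"""Audit checks for two of the findings described above: files exposed through
group profiles or *PUBLIC, and the share of users holding *ALLOBJ.

Added example over constructed data, not a live System i query.
"""
from collections import Counter

# Constructed user profile export: (profile, group profile or "", special authorities)
USERS = [
    ("QSECOFR", "", "*ALLOBJ *SECADM *JOBCTL *SAVSYS *AUDIT"),
    ("SECADM1", "", "*ALLOBJ *SECADM"),
    ("OPER1", "", "*ALLOBJ *JOBCTL"),       # an operator who should not need *ALLOBJ
    ("AUDITOR", "", "*AUDIT"),
    ("HRUSER1", "HRUSERS", "*NONE"),
] + [(f"PAYCLERK{n}", "PAYOWNER", "*NONE") for n in range(1, 6)]

# Constructed authority lists, as DSPOBJAUT would show them, reduced to the
# shorthand authority of each entry: (profile, authority)
PAYROLL_AUTH = [
    ("PAYOWNER", "*ALL"),        # the owner profile, which is also every clerk's group
    ("AUDITOR", "*USE"),         # one named user with read access: acceptable
    ("*PUBLIC", "*EXCLUDE"),
]
CUSTCARD_AUTH = [
    ("CARDOWNER", "*ALL"),
    ("*PUBLIC", "*USE"),         # anyone on the system can read card data
]

# Shorthand authorities that let a profile read or change the data.
READABLE = {"*USE", "*CHANGE", "*ALL"}
WRITABLE = {"*CHANGE", "*ALL"}


def group_sizes(users):
    """How many users belong to each group profile."""
    return Counter(group for _, group, _ in users if group)


def exposed_entries(auth_entries, users, min_members=5):
    """Return (profile, reason) for entries that grant data access to *PUBLIC
    or to a group profile with at least min_members members."""
    sizes = group_sizes(users)
    findings = []
    for profile, authority in auth_entries:
        if authority not in READABLE:
            continue                       # *EXCLUDE: no data access, fine
        access = "change" if authority in WRITABLE else "read"
        if profile == "*PUBLIC":
            findings.append((profile, f"*PUBLIC has {access} access"))
        elif sizes.get(profile, 0) >= min_members:
            findings.append((profile, f"group of {sizes[profile]} users has {access} access"))
    return findings


def allobj_share(users):
    """Profiles holding *ALLOBJ, and what percentage of all users that is."""
    holders = [name for name, _, special in users if "*ALLOBJ" in special.split()]
    return holders, round(100 * len(holders) / len(users), 1)


if __name__ == "__main__":
    for name, entries in (("PAYROLL", PAYROLL_AUTH), ("CUSTCARD", CUSTCARD_AUTH)):
        for profile, reason in exposed_entries(entries, USERS):
            print(f"{name}: {profile}: {reason}")
    holders, pct = allobj_share(USERS)
    print(f"*ALLOBJ held by {holders} ({pct}% of users)")
```

The group check only fires when the group is large; a small, named group that genuinely needs the data is a different conversation from an owner profile shared by every application user. The percentage is reported so it can be compared against the baseline the article quotes.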

The most effective solution for the first two issues is to implement server exit programs, which perform host-based firewall functions, inspecting the incoming traffic and applying business rules to determine whether traffic is permitted. These programs also log all incoming requests, providing an audit trail that can be invaluable in an emergency.
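The decision logic an exit program applies can be modelled independently of the platform. The following is an added example, not an IBM-supplied exit program and not PowerTech's product: requests arriving through a server (FTP, ODBC) are matched against an ordered list of business rules, the first match decides, anything unmatched is denied, and every request is logged whichever way it goes. The rule fields, profile names and object names are a constructed, simplified model.

```python
"""Decision logic of the kind a server exit program applies: match each
incoming request against business rules, default deny, log everything.

Added example with constructed rules and requests; not IBM's or PowerTech's code.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    server: str       # "FTP", "ODBC", ... or "*" for any server
    who: str          # user or group profile, or "*"
    operation: str    # "GET", "PUT", "SELECT", "UPDATE", ... or "*"
    obj: str          # LIBRARY/OBJECT pattern (fnmatch-style)
    allow: bool


@dataclass(frozen=True)
class Request:
    user: str
    group: str
    server: str
    operation: str
    obj: str


# Constructed policy. Order matters: the first matching rule decides.
RULES = [
    Rule("ODBC", "PAYOWNER", "*", "PAYLIB/PAYAUDIT", allow=False),  # audit file: no access at all
    Rule("ODBC", "PAYOWNER", "SELECT", "PAYLIB/*", allow=True),     # payroll group may read payroll data
    Rule("FTP", "SECADM1", "*", "*", allow=True),                   # one named admin may use FTP
    Rule("FTP", "*", "*", "*", allow=False),                        # FTP closed to everyone else
]


def _match(rule, req):
    """A rule matches on server, user-or-group, operation and object pattern."""
    return (rule.server in ("*", req.server)
            and rule.who in ("*", req.user, req.group)
            and rule.operation in ("*", req.operation)
            and fnmatchcase(req.obj, rule.obj))


class ExitPoint:
    def __init__(self, rules):
        self.rules = rules
        self.log = []          # every request, allowed or not

    def decide(self, req):
        verdict, why = False, "no matching rule (default deny)"
        for rule in self.rules:
            if _match(rule, req):
                verdict = rule.allow
                why = f"rule {rule.server}/{rule.who}/{rule.operation}/{rule.obj}"
                break
        self.log.append(f"{'ALLOW' if verdict else 'DENY'} {req.server} "
                        f"{req.user}({req.group or '-'}) {req.operation} {req.obj}: {why}")
        return verdict


if __name__ == "__main__":
    ep = ExitPoint(RULES)
    ep.decide(Request("PAYCLERK1", "PAYOWNER", "ODBC", "SELECT", "PAYLIB/PAYMASTER"))
    ep.decide(Request("PAYCLERK1", "PAYOWNER", "ODBC", "SELECT", "PAYLIB/PAYAUDIT"))
    ep.decide(Request("PAYCLERK1", "PAYOWNER", "FTP", "GET", "QGPL/QDDSSRC"))
    print("\n".join(ep.log))
```

The last request in the usage block is the FTP download test from earlier in the article: with a default-deny FTP rule in place, an ordinary user's attempt to pull a source file is refused and, just as importantly, recorded.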

Too many users with too much power is a problem that, while common to many platforms, seems to be a larger concern on the System i. Because these powerful user IDs have complete run of the system, staff should monitor and control the use of high-powered IDs and have a review process that determines that each use was appropriate. The essentials of any solution should include the ability for IT staff to temporarily check high-powered profiles, the ability to audit and monitor the actions of these users, and an emergency process for fixing production problems with a minimum of red tape.

John Earl is vice president and chief technology officer for The PowerTech Group, Kent, Wash.
