Systems are almost always changed after initial designs are accepted,
with the result that the very architecture of the evolved network
of computers may contain "holes" or vulnerable points.
The causes are many, but software developers and systems administrators
sometimes take shortcuts while completing their new systems, at
times creating vulnerabilities where none existed before. A review
of the architecture design, accompanied by an as-built review of
the system, can identify these unexpected vulnerabilities and suggest
to ESTec reviewers the changes necessary to fix the network architecture
and restore the desired level of security to the system.
Customer: A Small Southeast US Bank
Services: Network Architecture Review
Problem: The bank had recently purchased an Internet banking application,
which then was installed by the application's developer. Management
wanted a third-party assurance that the architecture was secure
after this change to the system.
Solution: An ESTec consultant reviewed the design for the internet
domain and visited the site and reviewed the as-built architecture,
preparing recommendations for changing the system to achieve the
required information safety throughout the operation. E.g., while
the software vendor recommended a connection directly between the
Internet Banking computer in the Demilitarized zone and the bank
mainframe, ESTec noted that this was not proper practice and recommended
additional mainframe controls to ensure that the connection was
adequately controlled. A review of the as-built system revealed
that the connection was not to the mainframe, but to the internal
network (which connected to the mainframe). Because the as-built
conditions did not match the specified architecture, additional
vulnerabilities had been created. ESTec removed the new vulnerabilities
by producing a properly configured VPN that went through the firewall
to the mainframe.
Results: The bank's original policies and security levels were restored
quickly to the final architecture of the network, and the new system
worked without any deterioration in security or performance.