posted by martyb on Friday October 10 2014, @11:49AM
from the do-you-feel-lucky-punk? dept.

Robert X. Cringely points out the hidden costs of running corporate IT over the public internet:

How cheap is IT, really, if it compromises customer data? Not cheap at all. Last year’s Target hack alone cost the company more than $1 billion, estimated Forrester Research. The comparably-sized Home Depot hack will probably cost about the same. JP Morgan Chase is likely to face even higher costs.

He wonders why companies aren't shifting to dedicated networks, like they used to make with leased lines.

Taking a bank or retail network back to circa 1989 would go a long way toward ending the current rash of data breaches. It would be expensive, sure, but not as expensive as losing all the money that Target and others have recently done.

Is this practical? If so, how would it be accomplished with modern equipment?

  • (Score: 0) by Anonymous Coward on Friday October 10 2014, @04:46PM (#104529)

    Actually not true.

    You can build meaningful security...
    Websites have firewalls to block all traffic except say 443. Port 80 is redirected to 443 via a different router and webserver, so control is in place.
    Websites talk to APP servers, again via a different firewall and port, and encrypted.
    APP servers talk to database servers via yet another router and port, encrypted.
    Database servers hand off again via another router and port to handle the actual processing of credit card data and orders.
    Now this is where we are getting into the actual network of the company. Which again is using different routers and VPN between sites.
    Local internet connection at any is out. Only allowed to go back to corp, and corps firewall and inspection allows traffic to internet, if at all.

    Yes, that is a lot of equipment; you may want to use a single large CISCO router to do it all. DO NOT DO IT. That makes a single point of failure if a configuration goes bad. Different routers/firewalls between different segments. At least two NIC cards in each server - one for the "internal" and one for the "external", with the default route to the bit bucket. Firewalls block in BOTH directions, so again bad traffic cannot leak out.

    It is the layers of an onion. At no point do you allow the different networks to SHARE a common box/firewall. The traffic is all encrypted and none is using an "open" connection, i.e. the traffic terminates in a service that limits what can and cannot be done through it. If any layer is broken, then you cut off access to the next layer quickly.

    Also reuse the IPs between networks! All private, of course. This limits the information gained by a breach, because it has to travel a very tight course through the levels and machines, by PORT and IP, so it cannot bore a new hole out to the Internet.

    Helped once on this with an insurance company. There was a firewall between internal users and the main servers. This allowed only a "telnet" session on port 22 and printers on 9100. This way, if the server after an upgrade turned on SQL query functionality to the network (unknown to the operator), the users could not get access to the new port - the firewall blocked it. The server could not access anything except on 22 or 9100. A network scan of the server's network would show it up.

    Belt and Suspenders!
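The per-hop, default-deny policy the comment above describes, and the insurance-company case where an upgrade silently opens a new listening port, modelled as an added example (not code from the original post or from any product mentioned). Segment names, port numbers and the scan results are constructed for illustration.

```python
"""Model of layered, default-deny segmentation with one firewall per hop.

Added example; segments, flows and scan data below are constructed.
Each firewall only lists the flows it forwards and evaluates both
directions, so a server reaching "backwards" is dropped too.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str   # originating network segment
    dst: str   # destination network segment
    port: int  # TCP destination port


# One entry per firewall box; nothing is shared between hops.
POLICY = {
    "edge-fw":  {Flow("internet", "web", 443)},
    "web-fw":   {Flow("web", "app", 8443)},
    "app-fw":   {Flow("app", "db", 5432)},
    "db-fw":    {Flow("db", "payment", 8700)},
    # Insurance-company case: users reach servers on 22 and 9100 only.
    "users-fw": {Flow("users", "servers", 22), Flow("users", "servers", 9100)},
}


def allowed(firewall: str, src: str, dst: str, port: int) -> bool:
    """Default deny: a new connection passes only if that hop lists it."""
    return Flow(src, dst, port) in POLICY.get(firewall, set())


def audit_listeners(firewall: str, segment: str, listeners: list) -> dict:
    """Map each port a scan found listening in `segment` to whether the
    firewall in front of it forwards anything to that port. A False entry
    is a listener the policy already blocks (e.g. a SQL port an upgrade
    turned on) and a candidate for the operator to investigate."""
    reachable = {f.port for f in POLICY[firewall] if f.dst == segment}
    return {port: port in reachable for port in listeners}


if __name__ == "__main__":
    # Constructed scan: the servers segment now also listens on 1433.
    print(audit_listeners("users-fw", "servers", [22, 9100, 1433]))
```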