Unless a financial institution takes additional steps to protect its communications, connecting work-at-home traders to the trading floor on the Internet opens information technology infrastructures to attack and compromise. Exposure to the Internet can be a serious threat for a planned disaster recovery site as well. Fortunately, there are ways to protect the telecommuter and a backup site that can make everyone happy.
Data protection starts with a firewall that excludes certain types of traffic arriving from the Internet. However, a PC at the branch is usually allowed to open a connection through the firewall to the Internet, and once opened that connection becomes a path for a virus or worm. Hence the need for constantly updated anti-virus software on every PC and server.
To give a remote trader full access to tools requires voice service, particularly in the form of a turret with all the lines and functions provided in the office. Voice over the Internet leaves many people with a queasy feeling when the goal is secure privacy. Some VoIP vendors do offer encryption from IP phone to IP phone, but the cost can exceed what "queasy" can justify. As a result, few firms encrypt VoIP today. Worse, VoIP assigns port numbers dynamically, and in doing so requires opening any of a large number of paths through the firewall. Not all firewalls can open such "pin holes" on demand, so some users leave a wide range of ports open, a serious compromise.
The architecture shown in the drawing protects both voice and data on the Internet by encrypting all packets. Equally important, every packet arriving from the Internet must be encrypted with the correct secret key. That is, probes and attacks from the Internet--and anything else not encrypted properly--are simply discarded. A secure Virtual Private Network (VPN) router protects all transmissions, no matter where that router may be--teleworkers can move to a hotel room or the disaster recovery site and enjoy the same functionality.
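As an added illustration of the discard rule described above (not code from this article or from Encore Networks), the following Python sketch models the receiving side of the VPN router: every packet arriving from the Internet must carry a tag computed under the site's secret key and a fresh sequence number, and anything else, including unencrypted probes, packets built with the wrong key, and replays, is simply dropped. Payload encryption is assumed and treated as opaque bytes, and the packet layout is a hypothetical one chosen for the example.

```python
"""Authenticate-or-discard at the VPN edge. Constructed example; the
sequence-number || ciphertext || HMAC layout is hypothetical, and the
payload is assumed to be already encrypted (opaque bytes)."""
import hashlib
import hmac
import os
import struct

SITE_KEY = os.urandom(32)  # constructed: in practice this comes from key management
WINDOW = 64                # how far behind the newest sequence number we still accept

def seal(key: bytes, seq: int, ciphertext: bytes) -> bytes:
    """Build a tunnel packet: 4-byte big-endian seq || ciphertext || 32-byte tag."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag

class TunnelReceiver:
    def __init__(self, key: bytes):
        self.key, self.highest, self.seen, self.dropped = key, 0, set(), 0

    def accept(self, packet: bytes):
        """Return the inner ciphertext if the packet authenticates and is fresh, else None."""
        if len(packet) < 4 + 32:                 # too short to carry a tag: a probe or junk
            self.dropped += 1
            return None
        header, body, tag = packet[:4], packet[4:-32], packet[-32:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # forged, tampered, or wrong key
            self.dropped += 1
            return None
        seq = struct.unpack(">I", header)[0]
        if seq in self.seen or seq + WINDOW <= self.highest:  # replayed or too old
            self.dropped += 1
            return None
        self.seen.add(seq)                       # demo keeps all seqs; real code prunes the set
        self.highest = max(self.highest, seq)
        return body

def demo():
    """Feed a constructed mix of packets to the edge; return (accepted, dropped)."""
    rx = TunnelReceiver(SITE_KEY)
    good = seal(SITE_KEY, 1, b"opaque voice frame")
    results = [
        rx.accept(good),                               # accepted
        rx.accept(b"GET / HTTP/1.0\r\n\r\n"),          # Internet probe, no tag: dropped
        rx.accept(seal(os.urandom(32), 2, b"x")),      # wrong key: dropped
        rx.accept(good[:-1] + bytes([good[-1] ^ 1])),  # tampered tag: dropped
        rx.accept(good),                               # replay of seq 1: dropped
        rx.accept(seal(SITE_KEY, 2, b"next frame")),   # accepted
    ]
    return sum(r is not None for r in results), rx.dropped
```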
Note that the encryption is performed in one device per location: the access router at the teleworker or backup site (and a larger device at headquarters). Large disaster recovery sites might have a bigger VPN device similar to the one at headquarters. There is no need to incur the expense and complexity of adding encryption to every PC, phone, and turret. Focusing encryption in one device justifies the addition of dedicated hardware in the access router, offering key benefits:
A smaller number of encryption devices also simplifies handling of encryption keys.
In this design, all Internet traffic funnels through the central site, where the IT department can more easily apply and manage sophisticated anti-virus, intrusion prevention, and other security techniques. Centralizing these functions can also reduce the cost of ensuring high availability through redundancy, compared to deploying redundant components at all sites. Voice from the public network can be accepted at the remote site as well as at headquarters, with calls transferred between sites over the secure IP tunnel. The declining cost of bandwidth favors this centralized side of the trade-off over the cost of distributing top-grade security and direct Internet access to every location. That trend appears to be continuing as fiber reaches closer to every business location.
William Flanagan is President of Flanagan Consulting, 703-242-8381; email: bill@flanagan-consulting.com; web: www.flanagan-consulting.com. This article was written on behalf of Encore Networks, www.encorenetworks.com.