S1, an ASP (application service provider) for the financial industry, is set to go live with its new distributed server architecture and IPsec in its data center, which serves financial-institution customers that use its consumer financial-application service. IPsec lets only an authorized IPsec-based S1 server or firewall talk to a back-end application server or legacy system. "If someone wire-sniffs, all he or she will see is encrypted traffic," says Reese Jacobs, senior technical architect for S1. "I like the fact that out in back of my DMZ I have encryption and the ability to control access to my hosts, and that [an outsider] can't get into a database server."
Even if a hacker were able to ping a back-end database server, IPsec would prevent the unauthorized host from doing more than that. "If there were some rogue process on one of the presentation servers trying to connect to a server, IPsec would reject the connection," Jacobs says. S1's financial-application service lets financial institutions provide consumers with financial services over the Internet or wireless networks. The company also directly licenses its financial-services package, Consumer Suite.
Like most early adopters of IPsec, S1 uses a "shared secret" or shared key, rather than digital certificates, to authenticate the servers to one another. That's the simplest way to start out with IPsec, especially in a smaller configuration like S1's, which encompasses only a few dozen servers. When the number of servers multiplies, managing shared secrets gets dicey. Still, S1 and companies like it aren't quite ready to set up shop as a certificate authority to issue, manage and revoke digital certificates, either. A PKI (public key infrastructure) "is not a simple thing to manage; we want to walk before we run," Jacobs says. "Down the road, we will move more to centralized key management and a digital-certificate infrastructure."
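As an added illustration, not S1's own configuration (which ran on HP-UX IPsec): the policy described in the two paragraphs above, require IPsec for everything except ping and authenticate peers with a shared secret, written in strongSwan swanctl.conf syntax for the back-end database server. The addresses, peer identities and the secret are constructed placeholders.

```conf
# swanctl.conf on the back-end database server (constructed example)
connections {
    from-presentation-1 {
        version      = 2
        local_addrs  = 10.0.2.20     # this back-end DB server (constructed)
        remote_addrs = 10.0.1.10     # the one authorized DMZ presentation server (constructed)
        local {
            auth = psk
            id   = db-1              # constructed identity
        }
        remote {
            auth = psk
            id   = presentation-1    # constructed identity
        }
        children {
            require-esp {
                # Transport-mode ESP for every IP protocol between the two hosts.
                # A trap policy drops cleartext TCP, SNMP, etc. from the peer until
                # an SA exists, and no SA can be negotiated without the shared secret.
                mode          = transport
                start_action  = trap
                esp_proposals = aes256gcm16-x25519
                local_ts      = 10.0.2.20
                remote_ts     = 10.0.1.10
            }
            icmp-in-clear {
                # Plain ICMP is passed unprotected so ping still works: the
                # "can ping, but nothing more" behaviour described above.
                mode         = pass
                start_action = trap
                local_ts     = 10.0.2.20[icmp]
                remote_ts    = 10.0.1.10[icmp]
            }
        }
    }
}
secrets {
    ike-presentation-1 {
        id-1   = db-1
        id-2   = presentation-1
        # Placeholder: replace with a long random value, generated per peer pair.
        secret = "PLACEHOLDER-REPLACE-WITH-LONG-RANDOM-PSK"
    }
}
```

Each additional authorized host needs its own connection block and its own `ike-*` secret, which is the per-pair key sprawl that drives the move toward certificates mentioned above.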
S1 supports SSL for the HTTP sessions between clients and its Web servers, and runs IPsec among the rest of the servers. The company considered SSL for all its security, but making SSL work with more than Web sessions requires toolkits and licensing software. Jacobs says S1 chose IPsec because it is protocol-independent and supports things like SNMP traffic, too. "Now that IPsec is being rolled into the operating system, [it doesn't make sense] to go to the trouble of implementing your own [SSL server]," Jacobs says.
Still, there were a few quirks with IPsec at first. When S1 tested it with high-burst traffic scenarios to simulate Web usage and to mimic denial-of-service attacks, IPsec refused all network connections. Some patches from HP solved the problem, which stemmed from the IPsec kernel networking module getting out of sync with the IPsec policy daemon. "We were able to fix this in a day," says Jacobs, who adds that he's happy with the performance of the IPsec implementation thus far.
Meanwhile, managing the IPsec shared keys and, eventually, certificates is the next big issue for S1. The company is interested in automatic key distribution and centralized storage of the keys for IPsec. "Our biggest concern is the manageability of the infrastructure around IPsec," Jacobs says.