QUICK VIEW
Problem: Private HP e3000-based information needed to be secured for public Internet travel
Solution: Used Reflection for HP and Reflection for the Web’s security proxy server to encrypt and authenticate data
Results: Safer information sharing, thanks to stronger protection from hackers and other known security threats
In the mercurial world of financial services, instant access to real-time information spells competitive advantage. But securing that information for Internet travel can present a huge technological hurdle. The IT department at CANNEX Financial Exchanges made the leap with the help of two Attachmate products: Reflection for HP and Reflection for the Web.
Based in Toronto, Canada, CANNEX specializes in gathering and compiling information about products and services offered by financial institutions in Canada, the United States, Australia, and New Zealand. It then redistributes that information to brokers, agents, and analytical service providers—including Merrill Lynch Canada, TD Waterhouse, BMO Nesbitt Burns, Intuit, and Microsoft—via web pages, electronic files, e-mails, or faxes.
The CANNEX System
Before the existence of CANNEX and other companies like it, financial institutions had to phone around to find out how their competitors were pricing interest rates and calculation values. Brokers and other consumers of financial information had to merge data from individual faxes into their own tables.
Today, thanks to the CANNEX System, providers and consumers of financial information can easily download or print out a consolidated view of all financial products and services.
The CANNEX System is an application running on an HP e3000 at CANNEX headquarters. CANNEX’s financial institution clients maintain product and service information on this system, either via online access or file transmission. They rely on Reflection terminal emulation software to access the CANNEX System and keep their information current.
Continuing a 20-Year Partnership
CANNEX has been using Reflection software for nearly two decades. “From time to time, we’ve investigated other options,” said Steve Waters, vice president of systems at CANNEX. “But they’ve always turned out to be clearly inferior to Reflection.”
The CANNEX-Attachmate partnership has been an evolving one. In the beginning, CANNEX deployed one Attachmate product, Reflection for HP, for internal purposes only. Later, CANNEX became a value-added reseller for Reflection. Now CANNEX has a product integration agreement with Attachmate involving Reflection for HP and Java-based Reflection for the Web, which the company started using in 2000.
The agreement allows CANNEX to embed an auto-connector code in Reflection before sending it on to their clients. Waters determines whether clients get Reflection for HP or Reflection for the Web based on the functionality they need. If they don’t need to do host-initiated file transfers, they get Reflection for the Web. If they do need that functionality, CANNEX sends them Reflection for HP.
When Reflection for HP is involved, users can easily install the software from the CD on their desktops without any help from IT. To connect, they simply click the CANNEX System prompt and log on to the HP e3000 host via modem or the Internet.
Reflection for the Web, on the other hand, does not require any end-user installation because it resides on a web server. When users reach the CANNEX System web page through their browsers, they can download the Reflection applet to their desktops. Once downloaded, the applet connects directly to the host application, without going back through the web server.
Spotlight on Security
For CANNEX and its clients, data is an asset that needs ironclad protection. When modems were the primary access mechanism, security wasn’t an ongoing problem. Users came in through the CANNEX modem pool and CANNEX paid their toll charges.
The rise of the Internet changed everything. “No one wants modems on their desktops anymore,” Waters said. “They’re slow, cumbersome, and pose a security threat to the corporate LAN. With most financial institutions moving to e-business, we knew we had to find a way to protect their private data.”
After investigating the new security features introduced in the latest releases of Reflection for HP and Reflection for the Web, Waters and his team voted once again to retain Reflection software as their host-access standard.
“Nothing else on the market comes close to the depth of security Reflection currently offers,” said Waters. Reflection for HP was outfitted with SSL/TLS support, a critical feature that is not provided by MPE operating systems. And Reflection for the Web, which already provided 168-bit 3DES encryption, was bolstered with RSA authentication for SSL, key exchange for SSL, and SSL client authentication and authorization via an SSL proxy server.
Ingenuity at Work
As Waters contemplated the security options available in his upgraded Reflection products, he had a brainstorm: Why not configure Reflection for HP to take advantage of Reflection for the Web’s security proxy server? That way he could ensure that the connections coming in from the Internet would be encrypted and authenticated. With some help from Attachmate Technical Support, he brought his idea to life.
The proxy server, which runs on any Java-enabled server or host, sits on the network perimeter of CANNEX and encrypts data between itself and the client. Reflection for HP sessions are configured to pass through the proxy server before connecting to the CANNEX System. This way, the proxy server shields the host from external intruders and safeguards data once it leaves the confines of the network.
The same security precautions apply to the Reflection for the Web applets, which also pass through the proxy server. But for web-based sessions, the proxy server does more than SSL encryption. It uses digitally signed tokens to ensure that only authorized users can connect to the host system. The tokens are deployed to authorized users by the Reflection management server, which checks with CANNEX’s LDAP access control model to verify that the user is authorized to connect to the host system.
In addition to reducing deployment headaches, the token system enables users to connect to multiple host systems through a single open port (port 443) in the CANNEX firewall. This simplifies security configuration, especially across multiple firewalls.
Clients Speak Up
According to Waters, the benefits of upgrading his Reflection products are crystal clear. For starters, he didn’t have to buy any hardware, and it took just 20 hours to get Reflection integrated with the CANNEX System. But best of all, CANNEX’s clients had something to say about the improvements in performance, centralized management, and security.
“Right away, 80 of our clients said they were impressed by the products’ new features,” he said. “We usually don’t hear from clients when things are good. That’s unusual and invaluable feedback.”