Halkbank Case Study

The Customer Situation

Halkbank, headquartered in Ankara, Turkey, is the country’s seventh largest bank and the fourth largest network with 586 branches nationwide.  Looking to migrate from their leased line and ATM infrastructure, Halkbank decided to take advantage of the cost savings and increased bandwidth offered by Metro Ethernet.  They understood the benefits of this transition, as well as the challenges they would face regarding the security of their data as it traversed this new infrastructure.

Halkbank processes millions of financial transactions every week. While the cost savings offered by utilizing Metro Ethernet were attractive, Halkbank was very concerned about the security of their data and the innate vulnerabilities of a Metro Ethernet infrastructure, including:

VLAN hopping: Overloaded networks can sometimes push data onto another network

Ethernet sniffing: Hackers can tap into a network undetected and inspect or steal data

Insider attacks: Disgruntled employees looking to make easy money can steal data and sell it

Service provider attacks: Employees from service providers or government-owned network providers can have access to your data

Wireless attacks: Once your data is in the air, it is vulnerable to anyone that can pick up the signal

Mis-configuration: A simple service provisioning configuration error could expose all the company data

Halkbank decided not to move forward with their migration unless a solution was available to mitigate these security vulnerabilities.  Internal research performed by Halkbank concluded that encrypting their data transmissions was the only security strategy that would guarantee that their data would be kept safe.

The Requirements

In order to move forward with the network transition and still protect their company and customer data, Halkbank recognized the need for a network-level data encryption solution. They needed a solution that worked native to a Layer 2 infrastructure and that was capable of encrypting based on VLAN ID. This capability was key, as it would enable Halkbank to choose which data streams would be encrypted and which would be sent in the clear. The solution would also need to work with their custom hub & spoke topology and accommodate their rollout schedule without adding complexity or time-consuming configurations.

Halkbank decided on a phased transition to Metro Ethernet, starting with 4 back-up lines. Once those lines were up and fully functioning, they would begin a staggered deployment to 22 other nodes, including their primary link. Halkbank also required support for point-to-multipoint encrypted links and an automated encryption key manager for their multicast applications. Most importantly, the solution would not be allowed to impact their Quality of Service (QoS) applications, nor could it add more than a few microseconds of latency to their overall network performance.

The Bidding Process

Halkbank held initial meetings with four vendors: two offering IPsec-based solutions and two bringing Layer 2 encryption solutions. Due to the performance issues and additional complexity with an IPsec-based solution, Halkbank immediately eliminated those proposals.

At the request of Halkbank, the two vendors with Layer 2 encryption solutions were selected for further testing. Once the initial testing was complete, a Request For Proposal (RFP) was released detailing the requirements described above.

The first vendor proposed a strict point-to-point implementation at each node. Halkbank understood the complexity involved in trying to manage this type of deployment. They also recognized that this type of solution would be difficult to manage, would not work with their secure multicast applications, and did not fit with their overall large-scale deployment strategy.

We responded to the RFP by offering our 100Mbps Ethernet Security Gateways (ESG100), which are centrally managed by CipherEngine Policy and Key Manager. In contrast to all other proposed solutions, our solution fulfilled all of the customer requirements, including a simple deployment roadmap to meet Halkbank’s long-term deployment strategy and the ability to encrypt multicast traffic.

The Installation

Halkbank was eager to implement the encryption solution and continue with their network transition. However, they were not willing to take any chances with their data by rushing through the installation and deployment process. On day one, we staged the first phase of the initial deployment for testing. The Halkbank network team was impressed with the simple installation and deployment of CipherEngine and the ESG100 Security Gateways.

Because of the success of the initial deployment, Halkbank decided to immediately move forward and encrypt a link from Istanbul to Ankara. Early in day two, Halkbank was sending and receiving encrypted traffic between the two sites. “We are impressed with the seamless deployment of the first link and we understand the value of the installation and operation simplicity of the solution for our future expansion of other network concentration sites,” said Suleyman Yildirim, the network manager for Halkbank.

The remaining ESG100s were deployed into the remaining initial sites just as smoothly. Using CipherEngine, Halkbank was able to centrally configure the ESG100s and generate and distribute security policies and encryption keys into the network.

Within a matter of days, Halkbank was sending and receiving encrypted network traffic from four sites, without performance loss or adverse effect to their QoS.

The Result

Since the successful installation of the network encryption solution, Halkbank is realizing the anticipated cost savings while maintaining the highest level of data security available. This modern encryption infrastructure provides Halkbank with the lowest latency and highest performance encryption available and enables Halkbank to utilize existing VoIP and multicast services while encrypting the data transmissions.

Halkbank is currently working on the next phase of the overall deployment of new Metro Ethernet sites.