CARMEL, Ind. - Baker Hill is adding some hardware to the software it uses to protect the confidentiality of the client information pouring in and out of its servers. The financial services software company, a specialist in loan processing and relationship management technologies, has deployed the Teros Gateway, a small red box that helps augment the security provided by anti-hacking software such as firewalls and virus detectors. The increasing use of ASP solutions and Web services, along with the constant onslaught of hack attacks on Microsoft systems and the need to keep up with patching new vulnerabilities, helped drive the decision to add additional bricks to the cyberwall at Baker Hill, which serves more than 150 credit unions and banks. "We evaluated what was available and liked what we saw with the Teros appliance," says Eric Beasley, senior network administrator at Carmel-based Baker Hill. "It sits in front of our Web servers and like a traditional firewall, we build rules for it that define what we will allow in and out of our systems, and it enforces those rules." Such enforcement can help prevent problems such as identity theft, according to Abhishek Chauhan, chief technology officer for Teros, a Santa Clara, Calif., company that says it helps secure an estimated $50 billion in transactions a year at a number of the largest financial institutions. "The Teros Gateway is a hardened security appliance that sits in front of Web infrastructures and inspects incoming application requests as well as outgoing responses from the Web server," Chauhan says. "It can detect the presence of confidential data in application responses, such as credit card, account and Social Security numbers, and it can block, remove or mask the information before it is disclosed," he says. That protects data being moved around by Web applications using HTML or XML standards, and augments firewalls, which let secured HTTP and SSL traffic through "with little or no analysis," Chauhan says. "Teros Gateways operate at the application level, not at the network level. They terminate all application sessions and perform a full parsing of application data. This means they deconstruct all bi-directional traffic and verify that each component adheres to the parameters and structure defined by the application languages, such as HTML or XML," the Teros CTO and co-founder says. "By understanding the language of the application, Teros Gateways can secure the application from attack and prevent application misuse," Chauhan says. The Teros Gateway boxes also turn the tables on hackers by "doing what's called server masquerading, allowing you to advertise to the world that you are something you're not," Beasley says. "Our Web servers are Microsoft IIS systems, but since the user never connects to the servers directly, only to the Teros Gateways, it can be configured to masquerade as any other type of Web server we want. For instance, we typically let the world know that we're a Netscape Enterprise server. Such masquerading allows us to fool a lot of automated script attackers into thinking we're something we're not," the Baker Hill network expert says. And because the Teros Gateway boxes are assessing network traffic at a level removed from the operating system, that relieves some of the pressure to immediately apply Microsoft-issued patches to vulnerabilities to signature-based attacks without testing the patches' potential impact on the system they're intended to protect, Beasley says. "Sometimes the medicine is worse than the disease," he says. "For instance, with the Sasser worm, the patch for that caused some servers to be unable to boot. It also was so complicated to install that some people just didn't do it. Now we can look at patches at a more leisurely pace and apply them to our Web servers when we're comfortable with them." The credit unions using Baker Hill to handle hosted member data also can be more comfortable, too, Beasley says, because the company's systems have passed SysTrust (similar to SAS 70) intrusion testing and other "third-party examinations perfectly." "They're very concerned about these security issues and confront them every day," Beasley says. "This is one more way we can reassure them." -

[email protected]