Private HP e3000-based information needed to be secured for public Internet travel.
In the mercurial world of financial services, instant access to real-time information spells competitive advantage. But securing that information for Internet travel can present a huge technological hurdle. The IT department at CANNEX made the leap with the help of two products: Reflection (thick client) and Reflection for the Web.
There was a time when financial institutions had to phone around to learn how competitors were pricing interest rates and calculation values. Brokers and other financial consumers had to merge data from individual faxes into their own tables.
Today, thanks to the CANNEX System, providers and consumers of financial information can easily download or print out a consolidated view of all financial products and services. The CANNEX System is an application running on an HP e3000 at CANNEX headquarters. CANNEX’s clients maintain product and service information on this system via online access or file transmission.
For nearly two decades, CANNEX has been using Reflection software to give their clients access to the CANNEX System. “From time to time, we’ve investigated other options,” said Steve Waters, vice president of systems at CANNEX. “But they’ve always turned out to be clearly inferior to Reflection.”
CANNEX has an agreement involving Reflection (thick client) and Java-based Reflection for the Web, which they started using in 2000. The agreement allows CANNEX to embed an auto-connector code in Reflection before sending it to their clients. Waters determines whether clients get Reflection or Reflection for the Web based on the functionality they need.
If clients need host-initiated file transfers, CANNEX sends them Reflection, which users can easily install without IT help. To connect, they simply click the CANNEX System prompt and log on to the HP e3000 via modem or the Internet.
If clients don’t need host-initiated file transfers, they get server-based Reflection for the Web. Users go to the CANNEX System web page and download the Reflection applet. Once downloaded, the applet connects directly to the host application, without going back through the web server.
As e-business grew, however, Waters and his team needed a way to protect client data traveling over the Internet. “No one wants modems on their desktops anymore,” Waters said. “They’re slow, cumbersome, and pose a security threat to the corporate LAN.”
Steve Waters – VICE PRESIDENT OF SYSTEMS
Based in Toronto, Canada, CANNEX specializes in gathering and compiling information about products and services offered by financial institutions in Canada, the United States, Australia, and New Zealand. It then redistributes that information to brokers, agents, and analytical service providers via web pages, electronic files, emails, or faxes.
After investigating the new security features in the latest Reflection releases, Waters decided to retain Reflection as their host-access standard. “Nothing else on the market comes close to the depth of security Reflection currently offers,” he said. Reflection was outfitted with SSL/TLS support, and Reflection for the Web now included RSA authentication for SSL, key exchange for SSL, and SSL client authentication and authorization via an SSL proxy server.
The new security options gave Waters an idea: Why not configure Reflection to take advantage of Reflection for the Web’s security proxy server? This would ensure that connections coming from the Internet were encrypted and authenticated. With the help of Technical Support, he brought his idea to life.
The proxy server, which runs on any Java-enabled server or host, sits on CANNEX’s network perimeter and encrypts data between itself and the client. Reflection sessions are configured to pass through the proxy server before connecting to the CANNEX System. This way, the proxy server shields the host from external intruders and safeguards data leaving the network.
The same precautions apply to Reflection for the Web applets. But for web-based sessions, the proxy server also uses digitally signed tokens to ensure that only authorized users can connect to the host. The tokens are deployed to authorized users by the Reflection management server, which checks with CANNEX’s LDAP access control model to verify user authorization. The token system also enables users to connect to multiple host systems through a single open port (port 443) in the CANNEX firewall.
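The token flow described above, sketched as an added example that is not Reflection's own code or token format: a management server checks a directory, signs a short-lived token, and the proxy verifies it before choosing a backend host. The directory contents, host table, token layout, and the HMAC used in place of a digital signature are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data standing in for the LDAP access control model.
DIRECTORY = {"alice": {"hp3000-prod"}, "bob": {"hp3000-test"}}
# Hypothetical backends reachable through the proxy's single open port (443).
HOSTS = {"hp3000-prod": ("10.0.0.10", 23), "hp3000-test": ("10.0.0.11", 23)}
# Assumption: an HMAC with a shared key stands in for the digital signature.
SIGNING_KEY = b"constructed-demo-key"

def _sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest().encode()

def issue_token(user, host, ttl=300, now=None):
    """Management server: check authorization, then sign a short-lived token."""
    if host not in DIRECTORY.get(user, set()):
        raise PermissionError(f"{user} is not authorized for {host}")
    now = time.time() if now is None else now
    claims = {"user": user, "host": host, "exp": int(now) + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (payload + b"." + _sign(payload)).decode()

def proxy_route(token, now=None):
    """Proxy: verify signature and expiry, then return the backend address.

    Returns None for anything that fails a check, so the host is never
    contacted on behalf of an unverified client.
    """
    try:
        payload, sig = token.encode().rsplit(b".", 1)
    except ValueError:
        return None  # not in payload.signature form
    # Constant-time comparison; claims are parsed only after this passes.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None  # expired token
    # The destination comes from the signed claims, not from the client.
    return HOSTS.get(claims["host"])
```

Because the backend is selected from the signed claims, one listening port can serve several hosts without letting the client name an arbitrary destination.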
According to Waters, the benefits of upgrading Reflection are clear. He didn’t have to buy any hardware, and it took just 20 hours to get Reflection integrated with the CANNEX System. Best of all, CANNEX’s clients notice the difference.
“Right away, 80 of our clients said they were impressed by the products’ new features,” Waters said. “We usually don’t hear from clients when things are good. That’s unusual and invaluable feedback.”