Secure Network for Banking and Financial Sector


Secure Network for Banking and Financial Sector - INdian FInancial NETwork (INFINET)
By Dr. V. P. Gulati, IDRBT
Agenda
- Genesis of INFINET & Architecture
- Banking Applications
  - Intra Bank Applications
  - Inter Bank Applications
- Network Security Components
- Enterprise-wide Network Infrastructure
- Financial Networks
- Security Targets
Institute for Development and
Research in Banking Technology
July 26, 2003
V. P. Gulati
Genesis of INFINET
- In the year 1994, the Reserve Bank of India formed a committee on "Technology Upgradation in the Payment Systems". The committee recommended a variety of payment applications which can be implemented with appropriate technology upgradation and the development of a reliable communication network.
- As recommended by the Committee, the Institute for Development & Research in Banking Technology [IDRBT] was established by the Reserve Bank of India in 1996 as an Autonomous Centre for Development and Research in Banking Technology.
Genesis of INFINET Contd..
- In July 1996, in a meeting of the Chiefs of Public Sector Banks, chaired by the Governor of Reserve Bank of India, it was decided that a reliable nationwide communication backbone for the Banks and Financial Institutions be established. RBI entrusted the task of setting up this backbone to IDRBT.
Genesis of INFINET Contd..
- IDRBT established the VSAT based INFINET Network at the IDRBT Campus, Hyderabad.
- The Network was inaugurated on June 19, 1999.
- The Hub site is owned, managed and operated by IDRBT.
- Remote VSATs, installed at over 300 locations across the country, are owned by the respective member banks.
Genesis of INFINET Contd..
- Terrestrial Network (Leased Line) connecting 21 cities was commissioned and made operational in the year 2001.
- The terrestrial network is seamlessly integrated with the VSAT Network.
- The entire Network is managed through an Integrated Network Management System (UniCentre TNG and CISCO Works).
- 24 X 7 Network management from two locations, namely at IDRBT, Hyderabad and RBI, Mumbai.
INFINET (VSAT Network)

Network   Online Inroute   Backup Inroute   Outroutes
#1        20               7                512 Kbps
#2        20               7                512 Kbps
#3        8                3                512 Kbps
#4        Ready for shifting of new VSATs   2 Mbps*
Total     48               17

* 2 Mbps Broadband outroute can be availed on every network

- 2003 Remote TDM/TDMA VSATs
- 17 PAMA VSATs
- Full transponder - Transponder no. 8 on INSAT 3B
- 17 nos. of super links
- Satellites: INSAT 3B, INSAT 3A
- Full Transponder + 1/8th Additional Transponder
INFINET (LEASED LINE) BACKBONE NETWORK
[Map of the leased line backbone] Nodes: Jammu, Chandigarh, Lucknow, Jaipur, Delhi, Kanpur, Calcutta, Bhopal, Ahmedabad, Guwahati, Mumbai, Patna, Nagpur, Goa, Bhubaneshwar, Pune, Bangalore, Hyderabad, Kochi, Thiruvananthapuram, Chennai.
Link types shown: 4 X 2 Mbps, 2 X 2 Mbps, 2 Mbps with ISDN Backup.
NMS at Hyderabad; backup NMS at Mumbai.
Links of Banks getting connected to INFINET Network; integration of VSAT network with terrestrial network.
Banking Applications
1. Intra Bank
- Transactions taking place within the Bank, such as Funds Transfer, E-Mail, HR, Personnel and Administration etc.
- Between Branches and Head Quarter / Regional Office / Zonal Office / Specialized Branches
2. Inter-Bank
- Transactions taking place between Banks, or between a Bank and the Central Bank (RBI), such as Clearing and Settlement, Electronic Fund Transfers (EFTs) etc.
Intra-Bank Applications
- Funds transfer and payment message (Intra-bank)
- Inter Branch Reconciliation (IBR)
- Quick disposal of loan / investment proposal
- Forex information from branches to the office dealing in Forex
- Fund information from clearing centers to the fund management office for optimal allocation of funds
- Cash Management Product
- Treasury Management (TM)
- Any Branch Banking
Intra-Bank Applications Contd..
- Asset Liability Management (ALM)
- General Communication
- Software distribution in the bank
- Human Resources Development and Personnel Administration
- Organizational / Customers data base may include:
  - Statutory returns
  - Control returns
  - Standardized returns
  - Adhoc reports
- Management Information Systems
  - Borrower's profile
  - Branch profile
  - Employees analysis
  - Products / services profile
  - Business profile of branches
Inter-Bank Applications
- Electronic Funds Transfer (EFT)
- Clearing and settlement systems
- Exchange of Defaulting Borrowers' list among RBI and banks
- Shared ATMs Network
- EDI services to the extent they pertain to payment cycle of EDI
- Currency chest accounting
- Reporting of government account transactions (Central and State Governments)
- Reporting of BSR, R-Returns etc., to RBI
- Asset Liability Management (for reporting to RBI)
- Returns to be submitted by the banks to Department of Banking Supervision (DBS) for off-site supervision and monitoring
Inter Banking Applications Contd..
- Public Key Infrastructure (PKI)
- Structured Financial Messaging System (SFMS)
- Mail Messaging System (MMS)
- Public Debt Office - Negotiated Dealing System (PDO-NDS)
- Real Time Gross Settlement System (RTGS)
IDRBT Certifying Authority
- Fulfilling the need of trusted third party services in ecommerce
- Licensed CA by CCA, Government of India
- Issues and manages digital certificates having legal sanctity under IT Act 2000 for banking and financial sector
- Attained excellent standards complying with Information Technology Act, 2000
- Certificate policies and practices of high standards supporting certification services of IDRBT CA
PKI Enabled Bank Applications
- Structured Financial Messaging System (SFMS)
- Public Debt Office - Negotiated Dealing System (PDO-NDS)
- Electronic Fund Transfer (EFT)
- Real Time Gross Settlement (RTGS)
- Central Fund Management System (CFMS)
- Secure E-mail
- Secured Server
- EnDeSign
- Intra Bank Applications
Registration Authority (RA)
- Entities nominated by Banks / FIs and trusted with IDRBT CA
- Serving as a point of contact for registration of users, i.e., verification of subscribers' credentials before issuance of certificates by IDRBT CA
- Officials appointed by Banks / FIs
Digital Certificates
Classified according to the level of subscriber's identity verification:
- Class 1, Class 2, Class 3 Certificates
- Validity of one year
- Legally valid under IT Act 2000
- For digital signatures, encryption and secure server
IDRBT CA - PKI Hierarchy
[Hierarchy diagram] CCA (root) -> IDRBT CA (with the IDRBT CA Repository) -> Registration Authorities (RA) -> Subscribers. Each RA registers several Subscribers.
SFMS Architecture
[Architecture diagram] Bank Gateways (Gateway 1, Gateway 2, ..., Gateway N), each serving several Bank Sites, connect to the Central HUB over the INFINET IP Network (IIPN).
Central HUB:
• Safe storage of inter-bank messages
• Direct Routing to destination Bank Gateway
• Access Validation
Bank Gateway:
• Common IIPN access point
• Safe storage
• Direct Routing to intra-bank sites
• Routing to 'others' Bank sites via Central HUB
IDRBT Mail Messaging System
- Primary Role: Mail Gateway for the Banking System
- Entire Mail system of Reserve Bank of India and 20 odd Public Sector Banks depend on IDRBT Mail gateway
- Bridge between the closed user group [INFINET] and the outside world for seamless to and fro transmission of mail
- Implemented with standard protocol - SMTP
- Ancillary services
  – DNS services
  – Domain Name Registration
  – Web Based mail access from Internet
MMS setup
[Network diagram] Components shown: V-SAT Links, Leased Line Links, BSNL Link, STPI Link, Link Proof, PIX Firewall, Layer 3 Switch, Mail Hub 1 to Mail Hub 5 (Infinet MITHI and Internet MITHI), servers communicating with Infinet servers, servers communicating with Internet servers, De-Militarized Zone [DMZ], IDRBT Mail Server (MMS).
PDO-NDS system interfaces
[Interface diagram] Components shown: Members; RBI as a Member; PDO-NDS system (P1A); Current PDO (settlement system); PDO-NDS File transfer facility; PDO; RBI Control user; DAD; System administrator; CCIL.
RTGS - Payment by Bank-A to Bank-B through the account maintained at Central Bank
[Message flow diagram] Bank-A and Bank-B each run a Bank Level Server (BLS); the Apex level Server of RBI settles across the accounts maintained by the Deposit Account Department, RBI (Reserve Bank of India).
2. Settlement Request and 3. Settlement Advice are exchanged between the Bank Level Server and the Apex level Server of RBI.
4a. Payment Notification (debit) goes to Bank-A; 4b. Payment Notification (credit) goes to Bank-B.
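As an added illustration of the message flow above (example code written here, not from the presentation or from the RTGS system itself): a minimal apex level server that settles each request gross and in real time against the banks' settlement accounts and returns the settlement advice plus the debit and credit notifications. The balances, transaction ids and the rejection of an unfunded request are constructed assumptions, not slide content.

```python
# Added example (not from the presentation): simulation of the RTGS flow.
# Bank-A's bank level server sends a settlement request (step 2) to RBI's
# apex level server, which settles gross (one transaction at a time, no
# netting) against the settlement accounts of the Deposit Account Department,
# returns a settlement advice (step 3) and emits the debit/credit payment
# notifications (steps 4a and 4b). Rejecting an unfunded request is an
# assumption made for this example; the slide does not describe it.
from dataclasses import dataclass, field


@dataclass
class ApexServer:
    """RBI apex level server holding each bank's settlement account."""
    accounts: dict                            # bank name -> balance
    log: list = field(default_factory=list)   # notifications sent to banks

    def settle(self, txn_id: str, payer: str, payee: str, amount: int) -> str:
        """Step 2: settlement request. Returns the step 3 settlement advice."""
        if amount <= 0 or payer == payee or payee not in self.accounts:
            return f"{txn_id}: REJECTED invalid request"
        if self.accounts.get(payer, 0) < amount:
            # Gross settlement: no netting, so an unfunded payment cannot settle.
            return f"{txn_id}: REJECTED insufficient balance at {payer}"
        # Debit and credit are applied together, so the books stay balanced.
        self.accounts[payer] -= amount
        self.accounts[payee] += amount
        self.log.append((payer, f"4a debit {amount} for {txn_id}"))
        self.log.append((payee, f"4b credit {amount} for {txn_id}"))
        return f"{txn_id}: SETTLED"


def run_demo():
    """Constructed sample: Bank-A pays Bank-B twice; the second is unfunded."""
    rbi = ApexServer(accounts={"Bank-A": 100, "Bank-B": 50})
    advices = [
        rbi.settle("T1", "Bank-A", "Bank-B", 70),   # settles, 30 remains
        rbi.settle("T2", "Bank-A", "Bank-B", 70),   # only 30 left: rejected
    ]
    return advices, rbi.accounts, rbi.log
```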
Security Features in Bank Applications
- Digital Signature of initiating entity - for financial messages, transactions, e-mails, office orders, memos, circulars, etc.
- Signature to be verified by entity acting on the message
- Encryption (if necessary) when the message is on open channel
- Sending / Intermediate servers (acting as post box) can sign and / or encrypt as per the requirements of applications
Network Security Components
- Firewall
- Intrusion Detection System (IDS)
- Virtual Private Network (VPN)
- Antivirus Solutions
Security Solution Implementation for RBI (INFINET)
Total Number of Locations: 38 Nos.

Product                                 Make & Model                         Qty in Nos.
Firewall                                CISCO 535 PIX                        68
                                        CISCO 525 PIX                        08
Load Balancer                           Radware Fireproof (Load Balancer)    74
Host IDS                                Cisco Security Server Agent          146
Network IDS                             CISCO 4235                           76
VPN Concentrator                        CISCO VPN 3030                       01
Integrated Security Management System   VPN Management System (VMS)          02
Firewall implementation with Load Balancer
[Diagram] Components shown, from the INFINET side to the RBI Network: INFINET, Router, Load Balancer, two PIX Firewalls, L2 Switch, RBI Network.
Placement of IDS
[Diagram] Labels shown: Network Sensors on the INFINET, DMZ and RBI Network segments; Server Sensors on the Mailserver, Webserver, Database Server and other Servers; Firewall; IDS Console.
VPN Infrastructure through INFINET
[Diagram] VPN Connections over INFINET between Delhi, Kolkata, Chennai and Mumbai; Corporate Customers reach a Secured Web enabled application over the Internet; Govt. Departments using connectivity through INFINET.
A Typical Secure Connectivity to Banks and Financial Institutions
[Diagram] Labels shown: Internet, External FW (S), INFINET, FW (P), DMZ-1, DMZ-2, Internal, ISA Server, Banks / Financial Institutions.
Enterprise Wide Automatic Malicious Code Control System
[Diagram] Gateway Protection (Internet Server or Gateway facing the Internet); File Server Protection (NetWare File Server, Windows NT Server); Mail Server Protection (Groupware: Exchange / Notes / cc:Mail); Desktop Protection (Desktop PCs).
Multiprotocol Label Switching (MPLS)
[Diagram: Packet Traversing a Label Switched Path] Bank 1 -> Ingress Router A -> B -> C -> D -> Egress Router E -> Bank 2 over INFINET. The packet (IP header + Payload) carries label 9 between A and B, label 5 between B and C, label 3 between C and D and label 2 between D and E.

Label tables shown:
A (Ingress Router): IP Address 192.4/16 -> Out Label 9 (Assign Initial Label; packet destination 192.4.2.1)
B: In Label 9 -> Out Label 5 (Label swapping)
C: In Label 5 -> Out Label 3 (Label swapping)
D: In Label 3 -> Out Label 2 (Label swapping)
E (Egress Router): In Label 2 -> Next Hop 212.1.1.1 (Remove Label)

A: Ingress Router - using FEC, this router groups all the packets having the destination address 192.4/16, assigns a label (with a value 9) to the packet and forwards it to the next hop (B) in the LSP.
B: At this core LSR the in label gets swapped with the out label, i.e., 9 is swapped by 5.
C: 5 is swapped by 3.
D: 3 is swapped by 2.
E: Egress Router - here the label is removed and the packet is forwarded using the conventional IP routing.
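The label switched path described above, simulated as an added example (not from the presentation): the ingress FEC table, the swap tables of B, C and D and the egress table of E are filled with the values on the slide, and a packet to 192.4.2.1 is walked through them. The dictionary layout and the error raised for a destination that matches no FEC are assumptions made for this example.

```python
# Added example (not from the presentation): simulation of the LSP A -> B -> C
# -> D -> E on the slide. Ingress A maps FEC 192.4/16 to label 9; B, C and D
# swap labels (9->5, 5->3, 3->2); egress E pops the label and hands the packet
# to conventional IP forwarding (next hop 212.1.1.1 as drawn on the slide).
import ipaddress

# Ingress FEC table: destination prefix -> (initial label, next LSR).
INGRESS_FEC = {ipaddress.ip_network("192.4.0.0/16"): (9, "B")}

# Core LSR label tables: in label -> (out label, next LSR).
LABEL_TABLES = {
    "B": {9: (5, "C")},
    "C": {5: (3, "D")},
    "D": {3: (2, "E")},
}

# Egress table: in label -> next-hop IP used after the label is removed.
EGRESS_TABLE = {"E": {2: "212.1.1.1"}}


def traverse_lsp(dst_ip: str):
    """Return the (router, label) hops taken by a packet to dst_ip, where the
    label is the one pushed or swapped at that router (None at the egress),
    plus the next-hop IP chosen by the egress router after the pop."""
    dst = ipaddress.ip_address(dst_ip)
    # A: FEC classification by longest prefix match over the ingress table.
    match, best_len = None, -1
    for prefix, entry in INGRESS_FEC.items():
        if dst in prefix and prefix.prefixlen > best_len:
            match, best_len = entry, prefix.prefixlen
    if match is None:
        raise ValueError(f"no FEC for {dst_ip}: packet is not label switched")
    label, router = match
    hops = [("A", label)]  # ingress pushes the initial label
    while router not in EGRESS_TABLE:
        out_label, nxt = LABEL_TABLES[router][label]  # label swap at core LSR
        hops.append((router, out_label))
        label, router = out_label, nxt
    next_hop = EGRESS_TABLE[router][label]  # egress pops the label
    hops.append((router, None))
    return hops, next_hop
```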
Enterprise-wide Network Infrastructure
[Diagram] Network Backbone with nodes N1 to N5 linked via Satellite Transponder / VSATs, Leased Line, PSTN/ISDN/Dial-up/Radio and Microwave; Zonal Routers and Local Routers feed the distribution points (DP11-DP14, DP21-DP24, DP31-DP33, DP41-DP43, DP50-DP53); external connections to NSE, Reuter and SWIFT.
Financial Networks
[Diagram: Gateways and Integration with Other Financial Network Services] The Corporate Network connects through gateways G1 to G7:
G1 - SWIFT Network
G2 - Reuters Network
G3 - Stock Exchange Network (NSE)
G4 - Inter Banks/FIs Network
G5 - Shared ATMs Network
G6 - Clearing Operations Network
G7 - Internet
Security Targets
- Application Security
- E-mail Security
- Logical Security
- Firewall Security
- Database Security
- Operating System Security
- Security against Viruses
- Physical Security
- Network Security
- Backup Security
- Remote Access
- Intranet Security
- Service Providers
- Password Security
- Internet Security
- Freeware Security
- Router Security