secure network for banking and financial sector by dr. v.p gulati idrbt - indian financial network
Secure Network for Banking and Financial Sector
By Dr. V.P Gulati
IDRBT
INFINET - INdian FInancial NETwork
Institute for Development and Research in Banking Technology
July 26, 2003 V. P. Gulati
Agenda
- Genesis of INFINET & Architecture
- Banking Applications
  - Intra Bank Applications
  - Inter Bank Applications
- Network Security Components
- Enterprise-wide Network Infrastructure
- Financial Networks
- Security Targets
Genesis of INFINET
In the year 1994, the Reserve Bank of India formed a committee on "Technology Upgradation in the Payment Systems". The committee recommended a variety of payment applications which can be implemented with appropriate technology upgradation and the development of a reliable communication network.
As recommended by the Committee, the Institute for Development & Research in Banking Technology [IDRBT] was established by the Reserve Bank of India in 1996 as an Autonomous Centre for Development and Research in Banking Technology.
Genesis of INFINET (Contd.)
In July 1996, in a meeting of the Chiefs of Public Sector Banks, chaired by the Governor of the Reserve Bank of India, it was decided that a reliable nationwide communication backbone for the Banks and Financial Institutions be established. RBI entrusted the task of setting up this backbone to IDRBT.
Genesis of INFINET (Contd.)
IDRBT established the VSAT based INFINET Network at the IDRBT Campus, Hyderabad. The Network was inaugurated on June 19, 1999. The Hub site is owned, managed and operated by IDRBT. Remote VSATs, installed at over 300 locations across the country, are owned by the respective member banks.
Genesis of INFINET (Contd.)
- Terrestrial Network (Leased Line) connecting 21 cities commissioned and made operational in the year 2001.
- The terrestrial network seamlessly integrated with the VSAT Network.
- The entire Network managed through an Integrated Network Management System (UniCentre TNG and CISCO Works).
- 24 X 7 Network management from two locations, namely IDRBT, Hyderabad and RBI, Mumbai.
INFINET (VSAT Network)
2003: Remote TDM/TDMA VSATs; 17 PAMA VSATs; full transponder (Transponder no. 8 on INSAT 3B); 17 nos. of super links; INSAT 3A: full transponder + 1/8th additional transponder.

Network   Online Inroute   Backup Inroute   Outroutes
#1        20               7                512 Kbps
#2        20               7                512 Kbps
#3        8                3                512 Kbps
#4        Ready for shifting of new VSATs   2 Mbps*
Total     48               17

* 2 Mbps Broadband outroute can be availed on every network
INFINET (Leased Line) Backbone Network
2 Mbps with ISDN Backup
[Map: backbone nodes at Jammu, Chandigarh, Delhi, Jaipur, Lucknow, Kanpur, Patna, Guwahati, Calcutta, Bhubaneshwar, Bhopal, Nagpur, Ahmedabad, Mumbai, Pune, Goa, Hyderabad, Bangalore, Chennai, Kochi and Thiruvananthapuram; trunk links of 4 X 2 Mbps and 2 X 2 Mbps; NMS at Hyderabad, backup NMS at Mumbai]
- Integration of VSAT network with Terrestrial network
- Links of Banks getting connected to INFINET Network
Banking Applications
1. Intra Bank
Transactions taking place within the Bank, such as Funds Transfer, E-Mail, HR, Personnel and Administration etc., between Branches and the Head Quarter / Regional Office / Zonal Office / Specialized Branches.
2. Inter-Bank
Transactions taking place between Banks, and between a Bank and the Central Bank (RBI), such as Clearing and Settlement, Electronic Fund Transfers (EFTs) etc.
Intra-Bank Applications
- Funds transfer and payment message (Intra-bank)
- Inter Branch Reconciliation (IBR)
- Quick disposal of loan / investment proposal
- Forex information from branches to the office dealing in Forex
- Fund information from clearing centers to the fund management office for optimal allocation of funds
- Cash Management Product
- Treasury Management (TM)
- Any Branch Banking
Intra-Bank Applications (Contd.)
- Asset Liability Management (ALM)
- General Communication
- Software distribution in the bank
- Human Resources Development and Personnel Administration
- Organizational / Customers data base, which may include:
  - Statutory returns
  - Control returns
  - Standardized returns
  - Adhoc reports
- Management Information Systems
  - Borrower's profile
  - Branch profile
  - Employees analysis
  - Products / services profile
  - Business profile of branches
Inter-Bank Applications
- Electronic Funds Transfer (EFT)
- Clearing and settlement systems
- Exchange of Defaulting Borrowers' list among RBI and banks
- Shared ATMs Network
- EDI services to the extent they pertain to the payment cycle of EDI
- Currency chest accounting
- Reporting of government account transactions (Central and State Governments)
- Reporting of BSR, R-Returns etc., to RBI
- Asset Liability Management (for reporting to RBI)
- Returns to be submitted by the banks to the Department of Banking Supervision (DBS) for off-site supervision and monitoring
Inter-Bank Applications (Contd.)
- Public Key Infrastructure (PKI)
- Structured Financial Messaging System (SFMS)
- Mail Messaging System (MMS)
- Public Debt Office - Negotiated Dealing System (PDO-NDS)
- Real Time Gross Settlement System (RTGS)
IDRBT Certifying Authority
- Fulfilling the need for trusted third party services in e-commerce
- Licensed CA by CCA, Government of India
- Issues and manages digital certificates having legal sanctity under the IT Act 2000 for the banking and financial sector
- Attained excellent standards complying with the Information Technology Act, 2000
- Certificate policies and practices of high standards supporting the certification services of IDRBT CA
PKI Enabled Bank Applications
- Structured Financial Messaging System (SFMS)
- Public Debt Office - Negotiated Dealing System (PDO-NDS)
- Electronic Fund Transfer (EFT)
- Real Time Gross Settlement (RTGS)
- Central Fund Management System (CFMS)
- Secure E-mail
- Secured Server
- EnDeSign
- Intra Bank Applications
Registration Authority (RA)
- Entities nominated by Banks / FIs and trusted by IDRBT CA
- Serving as a point of contact for registration of users, i.e., verification of subscribers' credentials before issuance of certificates by IDRBT CA
- Officials appointed by Banks / FIs
Digital Certificates
- Classified according to the level of subscriber's identity verification: Class 1, Class 2, Class 3 Certificates
- Validity of one year
- Legally valid under IT Act 2000 for digital signatures, encryption and secure server
IDRBT CA - PKI Hierarchy
[Diagram: CCA at the root; IDRBT CA (with its Repository) certified under it; RAs registered with IDRBT CA; Subscribers enrolled through the RAs]
SFMS Architecture
[Diagram: Bank Sites connect to their Bank Gateway (Gateway 1 ... Gateway N); the Gateways connect over the INFINET IP Network (IIPN) to the Central HUB]
Bank Gateway:
- Common IIPN access point
- Safe storage
- Direct Routing to intra-bank sites
- Routing to 'other' Banks' sites via Central HUB
Central HUB:
- Safe storage of inter-bank messages
- Direct Routing to destination Bank Gateway
- Access Validation
IDRBT Mail Messaging System
- Primary Role: Mail Gateway for the Banking System
- The entire Mail system of the Reserve Bank of India and 20 odd Public Sector Banks depend on the IDRBT Mail gateway
- Bridge between the closed user group [INFINET] and the outside world for seamless to and fro transmission of mail
- Implemented with standard protocol - SMTP
- Ancillary services:
  - DNS services
  - Domain Name Registration
  - Web Based mail access from Internet
[Diagram: MMS setup. Internet connectivity over BSNL and STPI links behind a Link Proof device and a PIX Firewall; a De-Militarized Zone [DMZ] containing the Internet MITHI (servers communicating with Internet servers) and the Infinet MITHI (servers communicating with Infinet servers), Mail Hubs 1 to 5 and the IDRBT Mail Server; a Layer 3 Switch joining the V-SAT links and Leased Line links]
PDO-NDS system interfaces
[Diagram: the PDO-NDS system (P1A) interfaces with Members, PDO, the RBI Control user, the System administrator, RBI as a Member, CCIL and DAD; it links to the current PDO (settlement system) and provides a PDO-NDS File transfer facility]

RTGS - Payment by Bank-A to Bank-B through the account maintained at Central Bank
[Diagram: the Bank level Server (BLS) of Bank A and the BLS of Bank B connect to the Apex level Server of RBI, which settles through the Deposit Account Department, Reserve Bank of India]
Message flow:
1. Payment message
2. Settlement Request
3. Settlement Advice
4a. Payment Notification (debit)
4b. Payment Notification (credit)
Security Features in Bank Applications
- Digital Signature of the initiating entity, for financial messages, transactions, e-mails, office orders, memos, circulars, etc.
- Signature to be verified by the entity acting on the message
- Encryption (if necessary) when the message is on an open channel
- Sending / Intermediate servers (acting as post box) can sign and / or encrypt as per the requirements of applications
Network Security Components
- Firewall
- Intrusion Detection System (IDS)
- Virtual Private Network (VPN)
- Antivirus Solutions
Security Solution Implementation for RBI (INFINET)

Product                                 Make & Model                      Qty in Nos.
Firewall                                CISCO 535 PIX                     68
Firewall                                CISCO 525 PIX                     08
Load Balancer                           Radware Fireproof (Load Balancer) 74
Host IDS                                Cisco Security Server Agent       146
Network IDS                             CISCO 4235                        76
VPN Concentrator                        CISCO VPN 3030                    01
Integrated Security Management System   VPN Management System (VMS)       02

Total Number of Locations: 38 Nos.
Firewall implementation with Load Balancer
[Diagram: INFINET - Router - Load Balancer - a pair of PIX Firewalls - L2 Switch - RBI Network]
Placement of IDS
[Diagram: Network Sensors on the INFINET side of the Firewall and in the DMZ; Server Sensors on the Mail server, Web server and Database Server; a Console in the RBI Network collecting from all sensors]
VPN Infrastructure through INFINET
[Diagram: sites at Delhi, Chennai, Kolkata and Mumbai joined across INFINET; a Corporate Customer and Govt. Departments reach a Secured Web enabled application through VPN Connections over the Internet]
A Typical Secure Connectivity to Banks and Financial Institutions
[Diagram: an EXTERNAL segment facing the INTERNET and INFINET, a primary firewall FW (P) and a secondary firewall FW (S) with an ISA SERVER, two DMZs (DMZ-1, DMZ-2) and an INTERNAL segment; Banks / Financial Institutions connect through INFINET]
Enterprise Wide Automatic Malicious Code Control System
[Diagram: Gateway Protection at the Internet Server or Gateway; File Server Protection on the NetWare File Server and Windows NT Server; Mail Server Protection on the Groupware server (Exchange / Notes / cc:Mail); Desktop Protection on the Desktop PCs]
Multiprotocol Label Switching (MPLS)
[Diagram: Bank 1 and Bank 2 connected across INFINET; the IP payload enters at the Ingress Router and carries labels 9, 5, 3 and 2 in turn along the Label Switching Path A-B-C-D-E, leaving at the Egress Router]

Packet Traversing a Label Switched Path

Router   Action                In Label                           Out Label / Next Hop
A        Assign Initial Label  192.4/16 (IP Address 192.4.2.1)    9
B        Label swapping        9                                  5
C        Label swapping        5                                  3
D        Label swapping        3                                  2
E        Remove Label          2                                  212.1.1.1 (Next Hop)

A: Ingress Router, E: Egress Router
A: Ingress Router - using the FEC, this router groups all packets having a destination address in 192.4/16, assigns a label (with value 9) to the packet and forwards it to the next hop (B) in the LSP.
B: at this core LSR the in label is swapped for the out label, i.e., 9 is swapped for 5.
C: 5 is swapped for 3.
D: 3 is swapped for 2.
E: Egress Router - here the label is removed and the packet is forwarded using conventional IP routing.
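To make the hop-by-hop behaviour concrete, the following is an added Python example (not part of the IDRBT presentation) that simulates the five-router LSP above. The forwarding tables are constructed from the slide's values, with the slide's shorthand 192.4/16 written as 192.4.0.0/16; the router names A to E and the next-hop strings are assumptions for the simulation.

```python
import ipaddress

# Forwarding tables constructed to match the slide's LSP A-B-C-D-E.
# Ingress A: FEC prefix -> (initial out label, next hop)
INGRESS_FEC = {ipaddress.ip_network("192.4.0.0/16"): (9, "B")}
# Core LSRs: in label -> (out label, next hop); the IP header is never read here
CORE_LFIB = {"B": {9: (5, "C")}, "C": {5: (3, "D")}, "D": {3: (2, "E")}}
# Egress E: in label -> conventional IP next hop once the label is removed
EGRESS_LFIB = {"E": {2: "212.1.1.1"}}


def ingress(dst, router="A"):
    """Longest-prefix FEC match; returns (initial label, next hop)."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in INGRESS_FEC if addr in net]
    if not matches:
        raise ValueError(f"{router}: no FEC covers {dst}, drop")
    return INGRESS_FEC[max(matches, key=lambda n: n.prefixlen)]


def core_swap(router, in_label):
    """Label swap at a core LSR; an unknown label is dropped, never guessed."""
    try:
        return CORE_LFIB[router][in_label]
    except KeyError:
        raise ValueError(f"{router}: no LFIB entry for label {in_label}, drop")


def egress(router, in_label):
    """Pop the label and return the IP next hop for conventional routing."""
    return EGRESS_LFIB[router][in_label]


def traverse_lsp(dst):
    """Walk a packet along the LSP; returns (labels carried hop by hop, IP next hop)."""
    labels = []
    label, hop = ingress(dst)
    labels.append(label)
    while hop in CORE_LFIB:          # B, C, D swap; E is the egress
        label, hop = core_swap(hop, label)
        labels.append(label)
    return labels, egress(hop, label)


if __name__ == "__main__":
    print(traverse_lsp("192.4.2.1"))   # ([9, 5, 3, 2], '212.1.1.1')
```

Note that the core LSRs forward on the label alone and never inspect the IP header, so traffic separation on an MPLS backbone rests on the correctness of the ingress FEC mapping and of every LFIB entry along the path.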
Enterprise-wide Network Infrastructure
[Diagram: a Network Backbone of nodes N1 to N5 interconnected through a Satellite Transponder and VSATs; each node serves delivery points (DP11 to DP53) through Local Routers and Zonal Routers over Leased Line / PSTN / ISDN / Dial-up / Radio Microwave; external connections to NSE, Reuters and SWIFT]
Financial Networks
Gateways and Integration with Other Financial Network Services:
- G1 - SWIFT Network
- G2 - Reuters Network
- G3 - Stock Exchange Network
- G4 - Inter Banks/FIs
- G5 - Shared ATMs
- G6 - Clearing Operations Network
- G7 - Internet
[Diagram: Corporate Networks reach the SWIFT, Reuters and NSE Networks through gateways G1, G2 and G3, the Inter Banks/FIs Network through G4, the Shared ATMs Network through G5, the Clearing Operations Network through G6 and the Internet through G7]
Security Targets
- Physical Security
- Password Security
- Network Security
- E-mail Security
- Application Security
- Internet Security
- Intranet Security
- Remote Access
- Logical Security
- Operating System Security
- Database Security
- Security against Viruses
- Backup Security
- Service Providers
- Freeware Security
- Firewall Security
- Router Security