Cyber Security for financial services
Submitted by S. Deepalakshmi, Assistant Professor in Computer Science, Rajapalayam Rajus’ College, Rajapalayam
Business has been aggregating data and risk at an unprecedented rate…
Stages of data digitization (chart axes: degree of data digitization against spectrum of risk):
1. Messaging
2. Storing Information
3. Transactional systems
4. Technology Integration
5. Fully Integrated information based Business
And our physical infrastructure has become intertwined with, and reliant on, our cyber infrastructure. Source: DHS, "Securing the Nation’s Critical Cyber Infrastructure"
We have developed the myth that technology can be an effective fortress – we can have security
Traditional focus on:
• Better Firewalls
• Boundary Intrusion Detection
• Critical Offsite Capacity
• Compliance Certification
False myths:
• IT staff = security staff
• Compliance failure is the main source of risk
• Being compliant = being safe
Some types of Cyber Threats Source: analysis, Dr Irv Lachov
Drivers: fear and impact
Attacks are increasingly easy to conduct. Chart, 1990 to 2008: attack sophistication rises while the skill level needed by attackers falls. Milestones plotted on the chart:
• Automated probes/scans
• Packet spoofing
• Techniques to analyze code for vulnerabilities without source code
• Windows-based remote controllable Trojans (Back Orifice)
• Widespread denial-of-service attacks
• Internet social engineering attacks
• Increase in wide-scale Trojan horse distribution
• Hijacking sessions
• Distributed attack tools
• GUI intruder tools
• Home users targeted
• Automated widespread attacks
• Anti-forensic techniques
• Executable code attacks (against browsers)
• Widespread attacks on DNS infrastructure
• Widespread attacks using NNTP to distribute attack
• Sophisticated command and control
• Increase in worms
• “Stealth”/advanced scanning techniques
• DDoS attacks
• Email propagation of malicious code
Source: SE/CERT CC
The proliferation of capability into the hacker/criminal world has enabled a blurring of actors and motivations – a major challenge for any future international regime for controlling national state cyber competition
Agenda
• Genesis of INFINET & Architecture
• Banking Applications
  - Intra Bank Applications
  - Inter Bank Applications
• Network Security Components
• Enterprise-wide Network Infrastructure
• Financial Networks
• Security Targets
Genesis of INFINET & Architecture
In the year 1994, the Reserve Bank of India formed a committee on "Technology Upgradation in the Payment Systems". The committee recommended a variety of payment applications that could be implemented with appropriate technology upgradation and the development of a reliable communication network. As recommended by the Committee, the Institute for Development & Research in Banking Technology [IDRBT] was established by the Reserve Bank of India in 1996 as an Autonomous Centre for Development and Research in Banking Technology.
Genesis of INFINET & Architecture
In July 1996, in a meeting of the Chiefs of Public Sector Banks chaired by the Governor of the Reserve Bank of India, it was decided that a reliable nationwide communication backbone for the Banks and Financial Institutions be established. RBI entrusted the task of setting up this backbone to IDRBT. IDRBT established the VSAT based INFINET Network at the IDRBT Campus, Hyderabad. The Network was inaugurated on June 19, 1999. The Hub site is owned, managed and operated by IDRBT. Remote VSATs, installed at over 300 locations across the country, are owned by the respective member banks.
Genesis of INFINET & Architecture
A Terrestrial Network (Leased Line) connecting 21 cities was commissioned and made operational in the year 2001. The terrestrial network is seamlessly integrated with the VSAT Network. The entire Network is managed through an Integrated Network Management System (Unicenter TNG and CiscoWorks), with 24 x 7 network management from two locations, namely IDRBT, Hyderabad and RBI, Mumbai.
INFINET (Leased Line) Backbone Network (map). Cities on the backbone: Chandigarh, Jammu, Lucknow, Jaipur, Delhi, Kanpur, Calcutta, Bhopal, Ahmedabad, Guwahati, Mumbai, Patna, Nagpur, Goa, Bhubaneshwar, Pune, Bangalore, Hyderabad, Chennai, Kochi. Legend: 4 x 2 Mbps links; 2 x 2 Mbps links; links of banks getting connected to the INFINET network; NMS at Hyderabad; backup NMS at Mumbai.
Banking Applications
• Intra Bank: transactions taking place within the Bank, such as Funds Transfer, E-Mail, HR, Personnel and Administration, etc., between Branches, Head Quarters / Regional Offices / Zonal Offices / Specialized Branches
• Inter-Bank: transactions taking place between Banks, or between a Bank and the Central Bank (RBI), such as Clearing and Settlement, Electronic Fund Transfers (EFTs), etc.
IDRBT Certifying Authority
• Fulfilling the need for trusted third party services in e-commerce
• Licensed CA by the CCA, Government of India
• Issues and manages digital certificates having legal sanctity under the IT Act 2000 for the banking and financial sector
• Attained excellent standards complying with the Information Technology Act, 2000
• Certificate policies and practices of high standards supporting the certification services of IDRBT CA
Banking Applications
• Structured Financial Messaging System (SFMS)
• Public Debt Office - Negotiated Dealing System (PDO-NDS)
• Electronic Fund Transfer (EFT)
• Real Time Gross Settlement (RTGS)
• Central Fund Management System (CFMS)
• Secure E-mail
• Secured Server
• EnDeSign
• Intra Bank Applications
Registration Authority (RA)
• Entities nominated by Banks / FIs and trusted by IDRBT CA
• Serving as a point of contact for registration of users, i.e. verification of subscribers’ credentials before issuance of certificates by IDRBT CA
• Officials appointed by Banks / FIs
Digital Certificates
• Classified according to the level of subscriber’s identity verification
• Class 1, Class 2, Class 3 Certificates
• Validity of one year
• Legally valid under IT Act 2000
• For digital signatures, encryption and secure server
IDRBT CA - PKI Hierarchy (diagram): CCA at the top; below it IDRBT CA with the IDRBT CA Repository; below IDRBT CA the RAs; each RA serving its Subscribers.
SFMS Architecture (diagram)
• Central HUB: safe storage of inter-bank messages; direct routing to destination Bank Gateway; access validation
• INFINET IP Network (IIPN) connecting the Central HUB to Bank Gateways 1 to N
• Bank Gateway: common IIPN access point; safe storage; direct routing to intra-bank sites; routing to ‘other’ banks’ sites via the Central HUB
• Bank Sites attached to each Gateway
IDRBT Mail Messaging System
• Primary Role: Mail Gateway for the Banking System
• The entire mail system of the Reserve Bank of India and 20 odd Public Sector Banks depends on the IDRBT Mail gateway
• Bridge between the closed user group [INFINET] and the outside world for seamless to-and-fro transmission of mail
• Implemented with a standard protocol - SMTP
• Ancillary services: DNS services; Domain Name Registration; Web based mail access from the Internet
MMS setup (diagram): Layer 3 Switch joining the Leased Line and V-SAT links; MITHI Mail Hubs 1 to 5, some communicating with INFINET servers and others with Internet servers; Internet connectivity over STPI and BSNL links; De-Militarized Zone [DMZ] with LinkProof and PIX Firewall.
PDO-NDS system interfaces (diagram): Members; PDO-NDS system (P1A); current PDO (settlement system); RBI as a Member; PDO-NDS file transfer facility; PDO DAD; System administrator; RBI Control user; CCIL.
RTGS - Payment by Bank-A to Bank-B through the account maintained at the Central Bank (Reserve Bank of India)
1. Payment message: Bank-A Bank level Server (BLS) → Apex level Server of RBI
2. Settlement Request: Apex level Server → Deposit Account Department (DAD), RBI
3. Settlement Advice: DAD → Apex level Server
4a. Payment Notification (debit): Apex level Server → Bank-A BLS
4b. Payment Notification (credit): Apex level Server → Bank-B BLS
Security Features in Bank Applications
• Digital Signature of the initiating entity – for financial messages, transactions, e-mails, office orders, memos, circulars, etc.
• Signature to be verified by the entity acting on the message
• Encryption (if necessary) when the message is on an open channel
• Sending / intermediate servers (acting as post box) can sign and / or encrypt as per the requirements of applications
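Added example (Go; not from the slides or from the RTGS system itself) tying the RTGS flow of the previous slide to the signature rule on this one: Bank-A's BLS signs the step-1 payment message, and RBI's apex-level server acts on it only if the signature verifies against a registered member key and the DAD settlement account covers the amount. Bank names, balances, the message encoding and the choice of Ed25519 are this example's assumptions; the slides do not show INFINET's real certificates or message formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Payment is the step-1 RTGS payment message sent by the paying bank's BLS.
type Payment struct {
	From, To string // holders of settlement accounts at RBI's DAD
	Amount   int64
}

// Bytes is the canonical encoding that the BLS signs and the apex server verifies.
func (p Payment) Bytes() []byte { return []byte(fmt.Sprintf("%s|%s|%d", p.From, p.To, p.Amount)) }

// NewBLSKey makes a bank-level server's Ed25519 key pair (in INFINET it would be certified by the IDRBT CA).
func NewBLSKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is step 1: only the initiating bank's BLS holds the key that produces this signature.
func Sign(priv ed25519.PrivateKey, p Payment) []byte { return ed25519.Sign(priv, p.Bytes()) }

// Apex is RBI's apex-level server: member banks' raw Ed25519 public keys plus the DAD settlement accounts.
type Apex struct {
	Keys     map[string][]byte
	Accounts map[string]int64
}

// Settle is steps 2-4: verify the initiator's signature, move funds gross and final in the
// DAD accounts, and return the 4a debit / 4b credit notifications. Nothing changes on failure.
func (a *Apex) Settle(p Payment, sig []byte) (string, string, error) {
	pub, ok := a.Keys[p.From]
	if !ok || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, p.Bytes(), sig) {
		return "", "", fmt.Errorf("payment message not signed by %s", p.From)
	}
	if p.Amount <= 0 || a.Accounts[p.From] < p.Amount {
		return "", "", fmt.Errorf("insufficient balance in settlement account of %s", p.From)
	}
	a.Accounts[p.From] -= p.Amount
	a.Accounts[p.To] += p.Amount
	return fmt.Sprintf("4a: debit %s %d", p.From, p.Amount), fmt.Sprintf("4b: credit %s %d", p.To, p.Amount), nil
}
```

A message whose amount is altered after signing, or one signed by a key the apex has not registered, is rejected before any account moves.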
Network Security Components
• Firewall
• Intrusion Detection System (IDS)
• Virtual Private Network (VPN)
• Antivirus Solutions
Security Solution Implementation for RBI (INFINET)
Total Number of Locations: 38
INFINET Firewall implementation with Load Balancer (diagram): Router; a pair of PIX Firewalls with a Load Balancer; L2 Switch; RBI Network.
Placement of IDS (diagram): INFINET → Firewall → RBI Network; Network Sensors on the DMZ and on the RBI Network; Server Sensors on the Mail server, Web server and Database Server; IDS Console.
VPN Infrastructure through INFINET (diagram): INFINET VPN connections between Delhi and Chennai; Corporate Customers and Govt. Departments using connectivity through INFINET over the Internet to a secured web enabled application.
A Typical Secure Connectivity to Banks and Financial Institutions (diagram): Internet; External FW (S); INFINET FW (P); DMZ-2; DMZ-1; Internal ISA Server; Banks / Financial Institutions.
Enterprise Wide Automatic Malicious Code Control System (diagram)
• Gateway Protection: Internet server or gateway
• File Server Protection: NetWare File Server, Windows NT Server
• Mail Server Protection: Groupware (Exchange / Notes / cc:Mail)
• Desktop Protection: Desktop PCs
Multiprotocol Label Switching (MPLS) (diagram): a payload from Bank 2 enters INFINET at Ingress Router A, carries labels 9, 5, 3 and 2 in turn along the Label Switching Path through B, C and D, and leaves unlabelled at E.
Packet Traversing a Label Switched Path
Forwarding tables along the path:
• A (Ingress Router): IP Address 192.4/16 → Out Label 9 (assign initial label)
• B: In Label 9 → Out Label 5 (label swapping)
• C: In Label 5 → Out Label 3 (label swapping)
• D: In Label 3 → Out Label 2 (label swapping)
• E (Egress Router): In Label 2 → Next Hop 212.1.1.1 (remove label)
Packet destined to 192.4.2.1:
A: Ingress Router – using the FEC, this router groups all the packets having a destination address in 192.4/16, assigns a label (with value 9) to the packet and forwards it to the next hop (B) in the LSP.
B: at this core LSR the in label gets swapped with the out label, i.e. 9 is swapped for 5.
C: 5 is swapped for 3.
D: 3 is swapped for 2.
E: Egress Router – here the label is removed and the packet is forwarded using conventional IP routing.
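Added example (Go; not from the slides) of the label switched path just described: the A to E tables as data, a packet for 192.4.2.1 pushed through them, and the labels it carries at each hop. The 192.4.0.0/16 spelling of the slide's 192.4/16, the router names as map keys and the "IP:" marker for the post-egress hop are this example's own conventions.

```go
package main

import (
	"fmt"
	"net"
)

// LSR is one label switching router on the path; the fields that are set decide its role.
type LSR struct {
	FEC     *net.IPNet  // ingress: destination prefix that selects this LSP
	Push    int         // ingress: initial label assigned to that FEC
	Swap    map[int]int // core: in-label -> out-label
	NextHop string      // next LSR on the LSP; empty marks the egress, which pops the label
}

// Traverse sends a packet for dst into the LSP at hop; it returns the label carried on each hop and the IP next hop after the egress pop.
func Traverse(lsrs map[string]*LSR, hop string, dst net.IP) ([]int, string, error) {
	var labels []int
	label := 0 // 0 = unlabeled packet
	for r := lsrs[hop]; r != nil; r = lsrs[hop] {
		if r.NextHop == "" { // egress: label removed, conventional IP routing takes over
			return labels, "IP:" + dst.String(), nil
		}
		if r.FEC != nil { // ingress: group by FEC and assign the initial label
			if !r.FEC.Contains(dst) {
				return labels, "", fmt.Errorf("%s: %s matches no FEC", hop, dst)
			}
			label = r.Push
		} else if out, ok := r.Swap[label]; ok { // core: swap on the label alone, the IP header is not inspected
			label = out
		} else {
			return labels, "", fmt.Errorf("%s: no entry for in-label %d", hop, label)
		}
		labels = append(labels, label)
		hop = r.NextHop
	}
	return labels, "", fmt.Errorf("%s: unknown LSR", hop)
}

// SlideLSP builds the A-B-C-D-E path shown on the slide: 192.4/16 -> 9 -> 5 -> 3 -> 2 -> pop.
func SlideLSP() map[string]*LSR {
	_, fec, _ := net.ParseCIDR("192.4.0.0/16")
	return map[string]*LSR{
		"A": {FEC: fec, Push: 9, NextHop: "B"},
		"B": {Swap: map[int]int{9: 5}, NextHop: "C"},
		"C": {Swap: map[int]int{5: 3}, NextHop: "D"},
		"D": {Swap: map[int]int{3: 2}, NextHop: "E"},
		"E": {},
	}
}
```

Traverse also shows the two ways a packet falls off the path: a destination outside the FEC is refused at the ingress, and a packet injected at a core LSR with a label that router has no entry for is dropped there.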
Enterprise-wide Network Infrastructure (diagram): Satellite Transponder and VSATs; Network Backbone nodes N1 to N5; Local Router and Zonal Router; data points DP11 to DP53; Leased Line / PSTN / ISDN / Dial-up / Radio Microwave links; gateways to NSE, Reuters and SWIFT.
Financial Networks: Gateways and Integration with Other Financial Network Services (diagram)
• G1 - SWIFT Network
• G2 - Reuters Network
• G3 - Stock Exchange (NSE) Network
• G4 - Inter Banks/FIs Network
• G5 - Shared ATMs Network
• G6 - Clearing Operations Network
• G7 - Internet
The Corporate Network connects to each of these networks through the corresponding gateway.
Security Targets
• Application Security
• Password Security
• Physical Security
• E-mail Security
• Logical Security
• Internet Security
• Network Security
• Firewall Security
• Database Security
• Freeware Security
• Backup Security
• Intranet Security
• Operating System Security
• Router Security
• Service Providers
• Remote Access
• Security against Viruses