Secure Network for Banking and Financial Sector

By Dr. V.P Gulati

IDRBT - INdian FInancial NETwork


Institute for Development and Research in Banking Technology

July 26, 2003 V. P. Gulati

Agenda

- Genesis of INFINET & Architecture
- Banking Applications
  - Intra Bank Applications
  - Inter Bank Applications
- Network Security Components
- Enterprise-wide Network Infrastructure
- Financial Networks
- Security Targets


Genesis of INFINET

In the year 1994, the Reserve Bank of India formed a committee on "Technology Upgradation in the Payment Systems". The committee recommended a variety of payment applications that could be implemented with appropriate technology upgradation and the development of a reliable communication network.

As recommended by the Committee, the Institute for Development & Research in Banking Technology [IDRBT] was established by the Reserve Bank of India in 1996 as an Autonomous Centre for Development and Research in Banking Technology.


Genesis of INFINET (Contd.)

In July 1996, in a meeting of the Chiefs of Public Sector Banks, chaired by the Governor of Reserve Bank of India, it was decided that a reliable nationwide communication backbone for the Banks and Financial Institutions be established. RBI entrusted the task of setting up this backbone to IDRBT.


Genesis of INFINET (Contd.)

IDRBT established the VSAT based INFINET Network at the IDRBT Campus, Hyderabad. The Network was inaugurated on June 19, 1999. The Hub site is owned, managed and operated by IDRBT. Remote VSATs, installed across the country at over 300 locations, are owned by the respective member banks.


Genesis of INFINET (Contd.)

- Terrestrial Network (Leased Line) connecting 21 cities was commissioned and made operational in the year 2001.
- The terrestrial network is seamlessly integrated with the VSAT Network.
- The entire Network is managed through an Integrated Network Management System (Unicenter TNG and CiscoWorks).
- 24 x 7 Network management from two locations, namely IDRBT, Hyderabad and RBI, Mumbai.


INFINET (VSAT Network)

2003: Remote TDM/TDMA VSATs; 17 PAMA VSATs; full transponder (Transponder no. 8 on INSAT 3B); 17 nos. of super links; INSAT 3B / INSAT 3A: full transponder + 1/8th additional transponder.

Network   Online Inroute   Backup Inroute   Outroutes
#1        20               7                512 Kbps
#2        20               7                512 Kbps
#3        8                3                512 Kbps
#4        Ready for shifting of new VSATs   2 Mbps*
Total     48               17

* 2 Mbps Broadband outroute can be availed on every network


INFINET (Leased Line) Backbone Network

[Diagram: map of the 2 Mbps leased-line backbone with ISDN backup, connecting 21 cities: Thiruvananthapuram, Bhubaneshwar, Guwahati, Jammu, Chandigarh, Delhi, Jaipur, Ahmedabad, Mumbai, Pune, Bangalore, Chennai, Hyderabad, Calcutta, Patna, Kanpur, Bhopal, Nagpur, Kochi, Goa and Lucknow. Link capacities marked 4 x 2 Mbps and 2 x 2 Mbps; NMS at Hyderabad with backup NMS at Mumbai.]

Integration of VSAT network with Terrestrial network

Links of Banks getting connected to the INFINET Network


Banking Applications

1. Intra-Bank: transactions taking place within the Bank, such as Funds Transfer, E-Mail, HR, Personnel and Administration, etc., between Branches and the Head Quarter / Regional Office / Zonal Office / Specialized Branches.

2. Inter-Bank: transactions taking place between Banks, and between a Bank and the Central Bank (RBI), such as Clearing and Settlement, Electronic Funds Transfers (EFTs), etc.


Intra-Bank Applications

- Funds transfer and payment messages (intra-bank)
- Inter Branch Reconciliation (IBR)
- Quick disposal of loan / investment proposals
- Forex information from branches to the office dealing in Forex
- Fund information from clearing centres to the fund management office for optimal allocation of funds
- Cash Management Product
- Treasury Management (TM)
- Any Branch Banking


Intra-Bank Applications (Contd.)

- Asset Liability Management (ALM)
- General Communication
- Software distribution in the bank
- Human Resources Development and Personnel Administration
- Organizational / Customer database, which may include:
  - Statutory returns
  - Control returns
  - Standardized returns
  - Adhoc reports
- Management Information Systems:
  - Borrower's profile
  - Branch profile
  - Employees analysis
  - Products / services profile
  - Business profile of branches


Inter-Bank Applications

- Electronic Funds Transfer (EFT)
- Clearing and settlement systems
- Exchange of Defaulting Borrowers' list among RBI and banks
- Shared ATMs Network
- EDI services to the extent they pertain to the payment cycle of EDI
- Currency chest accounting
- Reporting of government account transactions (Central and State Governments)
- Reporting of BSR, R-Returns etc., to RBI
- Asset Liability Management (for reporting to RBI)
- Returns to be submitted by the banks to the Department of Banking Supervision (DBS) for off-site supervision and monitoring


Inter-Bank Applications (Contd.)

- Public Key Infrastructure (PKI)
- Structured Financial Messaging System (SFMS)
- Mail Messaging System (MMS)
- Public Debt Office - Negotiated Dealing System (PDO-NDS)
- Real Time Gross Settlement System (RTGS)


IDRBT Certifying Authority

- Fulfils the need for trusted third party services in e-commerce
- Licensed CA by CCA, Government of India
- Issues and manages digital certificates having legal sanctity under the IT Act 2000 for the banking and financial sector
- Attained excellent standards, complying with the Information Technology Act, 2000
- Certificate policies and practices of high standards supporting the certification services of IDRBT CA


PKI Enabled Bank Applications

- Structured Financial Messaging System (SFMS)
- Public Debt Office - Negotiated Dealing System (PDO-NDS)
- Electronic Fund Transfer (EFT)
- Real Time Gross Settlement (RTGS)
- Central Fund Management System (CFMS)
- Secure E-mail
- Secured Server
- EnDeSign
- Intra Bank Applications


Registration Authority (RA)

- Entities nominated by Banks / FIs and trusted by IDRBT CA
- Serve as the point of contact for registration of users, i.e., verification of subscribers' credentials before issuance of certificates by IDRBT CA
- Officials appointed by Banks / FIs


Digital Certificates

- Classified according to the level of subscriber's identity verification: Class 1, Class 2, Class 3 Certificates
- Validity of one year
- Legally valid under IT Act 2000 for digital signatures, encryption and secure server


IDRBT CA - PKI Hierarchy

[Diagram: CCA at the root; IDRBT CA below it, with its Repository; Registration Authorities (RAs) under IDRBT CA; Subscribers registered through the RAs.]


SFMS Architecture

[Diagram: Bank Sites connect to their bank's Gateway (Gateway 1 ... Gateway N); the Gateways connect over the INFINET IP Network (IIPN) to the Central HUB.]

- Bank Gateway: common IIPN access point; safe storage; direct routing to intra-bank sites; routing to other banks' sites via the Central HUB
- Central HUB: safe storage of inter-bank messages; direct routing to the destination Bank Gateway; access validation


IDRBT Mail Messaging System

- Primary role: Mail Gateway for the Banking System
- The entire mail system of the Reserve Bank of India and 20-odd Public Sector Banks depends on the IDRBT Mail gateway
- Bridge between the closed user group [INFINET] and the outside world for seamless to-and-fro transmission of mail
- Implemented with a standard protocol - SMTP
- Ancillary services:
  - DNS services
  - Domain Name Registration
  - Web based mail access from the Internet

[Diagram: MMS setup. Internet connectivity over BSNL and STPI links, fronted by Link Proof and a PIX Firewall; a De-Militarized Zone [DMZ] containing servers communicating with Internet servers (Internet MITHI) and servers communicating with INFINET servers (Infinet MITHI); Mail Hubs 1 to 5 and the IDRBT Mail Server; a Layer 3 switch joining the VSAT links and leased line links.]


PDO-NDS System Interfaces

[Diagram: the PDO-NDS system (P1A) interfacing with the current PDO (settlement system), Members, PDO, RBI Control user, System administrator, RBI as a Member, CCIL, DAD, and the PDO-NDS File transfer facility.]

RTGS - Payment by Bank-A to Bank-B through the account maintained at the Central Bank

[Diagram: the Bank level Servers (BLS) of Bank-A and Bank-B exchange messages with the Apex level Server of RBI, which settles through the Deposit Account Department, RBI.]

1. Payment message
2. Settlement Request
3. Settlement Advice
4a. Payment Notification (debit)
4b. Payment Notification (credit)


Security Features in Bank Applications

- Digital signature of the initiating entity - for financial messages, transactions, e-mails, office orders, memos, circulars, etc.
- Signature to be verified by the entity acting on the message
- Encryption (if necessary) when the message is on an open channel
- Sending / intermediate servers (acting as post box) can sign and / or encrypt as per the requirements of the applications
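The sign-then-verify pattern from this slide, as an added Go illustration (not code from the presentation or from any IDRBT system): the initiating entity signs a canonical form of the message, and the entity acting on it verifies before acting, so a message whose amount was altered in transit fails verification. The message fields and the choice of ECDSA P-256 are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PaymentMessage is a constructed, simplified stand-in for a financial
// message; the field names are assumptions for this example.
type PaymentMessage struct {
	Sender, Receiver, Account string
	Amount                    int64
}

// canonical serialises the fields in a fixed order so that signer and
// verifier hash identical bytes; '|' is assumed not to occur in a field.
func canonical(m PaymentMessage) []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d", m.Sender, m.Receiver, m.Account, m.Amount))
}

// NewKey generates the initiating entity's ECDSA P-256 key pair.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign is what the initiating entity does: sign the SHA-256 digest of the
// canonical message with its private key.
func Sign(priv *ecdsa.PrivateKey, m PaymentMessage) ([]byte, error) {
	d := sha256.Sum256(canonical(m))
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// Verify is what the entity acting on the message does before acting:
// recompute the digest and check the signature with the sender's public key.
func Verify(pub *ecdsa.PublicKey, m PaymentMessage, sig []byte) bool {
	d := sha256.Sum256(canonical(m))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	priv, _ := NewKey()
	msg := PaymentMessage{"BANKA", "BANKB", "0123456789", 100000} // constructed sample
	sig, _ := Sign(priv, msg)
	fmt.Println("genuine verifies:", Verify(&priv.PublicKey, msg, sig))
	msg.Amount = 1000000 // altered in transit
	fmt.Println("tampered verifies:", Verify(&priv.PublicKey, msg, sig))
}
```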


Network Security Components

- Firewall
- Intrusion Detection System (IDS)
- Virtual Private Network (VPN)
- Antivirus Solutions


Security Solution Implementation for RBI (INFINET)

Product                                  Make & Model                         Qty in Nos.
Firewall                                 CISCO 535 PIX                        68
                                         CISCO 525 PIX                        08
Load Balancer                            Radware Fireproof (Load Balancer)    74
Host IDS                                 Cisco Security Server Agent          146
Network IDS                              CISCO 4235                           76
VPN Concentrator                         CISCO VPN 3030                       01
Integrated Security Management System    VPN Management System (VMS)          02

Total Number of Locations: 38 Nos.


Firewall Implementation with Load Balancer

[Diagram: RBI Network - L2 Switch - Load Balancer - a pair of PIX Firewalls - Router - INFINET.]


Placement of IDS

[Diagram: INFINET outside the Firewall; a DMZ with a Mail server and a Web server watched by a Network Sensor; the RBI Network behind the firewall with a second Network Sensor; Server Sensors on the servers (including the Database Server); all sensors reporting to a Console.]

VPN Infrastructure through INFINET

[Diagram: INFINET linking Mumbai, Delhi, Chennai and Kolkata; VPN connections over the Internet from a Corporate Customer and from Govt. Departments using connectivity through INFINET, terminating at a Secured Web enabled application.]


A Typical Secure Connectivity to Banks and Financial Institutions

[Diagram: Banks / Financial Institutions reached through INFINET on one side and the Internet on the other; an External and an Internal zone separated by a primary firewall FW (P) and a secondary firewall FW (S), with DMZ-1, DMZ-2 and an ISA Server between them.]

Enterprise Wide Automatic Malicious Code Control System

[Diagram: layered protection - Gateway Protection at the Internet Server or Gateway; File Server Protection on the NetWare File Server and Windows NT Server; Mail Server Protection on Groupware (Exchange / Notes / cc:Mail); Desktop Protection on Desktop PCs.]

Multiprotocol Label Switching (MPLS)

[Diagram: Bank 1 and Bank 2 connected across INFINET via a Label Switching Path through routers A, B, C, D and E; the IP payload is carried with label 9, then 5, 3 and 2 as it traverses the path from the Ingress Router.]

Packet Traversing a Label Switched Path

[Diagram: an IP packet for 192.4.2.1 entering the Ingress Router (A), crossing core LSRs B, C and D, and leaving the Egress Router (E) towards next hop 212.1.1.1.]

Label tables along the path:

A (Ingress, Assign Initial Label): IP Address 192.4/16 -> Out Label 9
B (Label swapping): In Label 9 -> Out Label 5
C (Label swapping): In Label 5 -> Out Label 3
D (Label swapping): In Label 3 -> Out Label 2
E (Egress, Remove Label): In Label 2 -> Next Hop 212.1.1.1

A: Ingress Router - using FEC, this router groups all the packets having a destination address in 192.4/16, assigns a label (with value 9) to the packet and forwards it to the next hop (B) in the LSP.

B: at this core LSR the in label gets swapped with the out label, i.e., 9 is swapped by 5.

C: 5 is swapped by 3.

D: 3 is swapped by 2.

E: Egress Router - here the label is removed and the packet is forwarded using conventional IP routing.
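The label tables above, run as an added Go simulation (not code from the presentation): routers A to E carry the slide's FEC, label-swap and next-hop entries, and Traverse returns the label seen on each link for a packet addressed to 192.4.2.1, ending with 0 once the egress has removed it. The Router type and function names are this example's own assumptions.

```go
package main

import "net"

// Router is one LSR; which table is populated decides its role on the path.
type Router struct {
	FEC     map[string]int // CIDR prefix -> initial label (ingress only)
	Swap    map[int]int    // in label -> out label (core)
	NextHop map[int]string // in label -> IP next hop (egress)
}

// Forward returns the outgoing label for a packet carrying label (0 = unlabelled); ok is false on a miss.
func (r Router) Forward(dst net.IP, label int) (out int, ok bool) {
	if label == 0 { // ingress: the FEC decides which LSP the packet joins
		for cidr, lbl := range r.FEC {
			if _, prefix, err := net.ParseCIDR(cidr); err == nil && prefix.Contains(dst) {
				return lbl, true
			}
		}
		return 0, false
	}
	if out, ok = r.Swap[label]; ok { // core LSR: in label swapped for out label
		return out, true
	}
	_, ok = r.NextHop[label] // egress: label removed, then conventional IP routing
	return 0, ok
}

// Traverse returns the label on each link (A->B, B->C, ...), ending in 0 at the egress; ok is false if a hop fails.
func Traverse(path []Router, dst net.IP) (labels []int, ok bool) {
	label := 0
	for _, r := range path {
		if label, ok = r.Forward(dst, label); !ok {
			return labels, false
		}
		labels = append(labels, label)
	}
	return labels, true
}

// SlideLSP builds routers A..E with the label tables shown on the slide.
func SlideLSP() []Router {
	return []Router{
		{FEC: map[string]int{"192.4.0.0/16": 9}},  // A: ingress
		{Swap: map[int]int{9: 5}},                 // B
		{Swap: map[int]int{5: 3}},                 // C
		{Swap: map[int]int{3: 2}},                 // D
		{NextHop: map[int]string{2: "212.1.1.1"}}, // E: egress
	}
}
```

A destination outside 192.4/16 has no FEC at A, and a label that a router has no entry for (for example label 9 arriving at C) is a forwarding failure; both are reported through ok.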


Enterprise-wide Network Infrastructure

[Diagram: a Network Backbone with Zonal Routers N1 to N5 connected through a Satellite Transponder and VSATs; Local Routers at sites DP11 ... DP53 reached over Leased Line / PSTN / ISDN / Dial-up / Radio Microwave; connections to NSE, Reuters and SWIFT.]


Financial Networks

Gateways and Integration with Other Financial Network Services:

- G1 - SWIFT Network
- G2 - Reuters Network
- G3 - Stock Exchange Network
- G4 - Inter Banks/FIs
- G5 - Shared ATMs
- G6 - Clearing Operations Network
- G7 - Internet

[Diagram: the Corporate Network linked through gateways G1 to G7 to the Inter Banks/FIs Network, Shared ATMs Network, Clearing Operations Network, SWIFT Network, Reuters Network, NSE Network and the Internet.]


Security Targets

- Physical Security
- Password Security
- Network Security
- E-mail Security
- Application Security
- Internet Security
- Intranet Security
- Remote Access
- Logical Security
- Operating System Security
- Database Security
- Security against Viruses
- Backup Security
- Service Providers
- Freeware Security
- Firewall Security
- Router Security