Number of slides: 37
Secure Network for Banking and Financial Sector - INdian FInancial NETwork (INFINET)
By Dr. V. P. Gulati, IDRBT
Agenda
- Genesis of INFINET & Architecture
- Banking Applications
  - Intra Bank Applications
  - Inter Bank Applications
- Network Security Components
- Enterprise-wide Network Infrastructure
- Financial Networks
- Security Targets
Institute for Development and Research in Banking Technology, July 26, 2003, V. P. Gulati
Genesis of INFINET
- In the year 1994, the Reserve Bank of India formed a committee on "Technology Upgradation in the Payment Systems". The committee recommended a variety of payment applications which can be implemented with appropriate technology upgradation and the development of a reliable communication network.
- As recommended by the Committee, the Institute for Development & Research in Banking Technology (IDRBT) was established by the Reserve Bank of India in 1996 as an Autonomous Centre for Development and Research in Banking Technology.
Genesis of INFINET Contd.
- In July 1996, in a meeting of the Chiefs of Public Sector Banks, chaired by the Governor of the Reserve Bank of India, it was decided that a reliable nationwide communication backbone for the Banks and Financial Institutions be established. RBI entrusted the task of setting up this backbone to IDRBT.
Genesis of INFINET Contd.
- IDRBT established the VSAT based INFINET Network at the IDRBT Campus, Hyderabad.
- The Network was inaugurated on June 19, 1999.
- The Hub site is owned, managed and operated by IDRBT.
- Remote VSATs, installed at over 300 locations across the country, are owned by the respective member banks.
Genesis of INFINET Contd.
- Terrestrial Network (Leased Line) connecting 21 cities commissioned and made operational in the year 2001.
- The terrestrial network is seamlessly integrated with the VSAT Network.
- The entire Network is managed through an Integrated Network Management System (Unicenter TNG and CiscoWorks).
- 24 x 7 Network management from two locations, namely IDRBT, Hyderabad and RBI, Mumbai.
INFINET (VSAT Network)

Network | Online Inroute | Backup Inroute | Outroutes
#1      | 20             | 7              | 512 Kbps
#2      | 20             | 7              | 512 Kbps
#3      | 8              | 3              | 512 Kbps
#4      | Ready for shifting of new VSATs |   | 2 Mbps*
Total   | 48             | 17             |

* A 2 Mbps broadband outroute can be availed on every network.

- 2003 Remote TDM/TDMA VSATs
- 17 PAMA VSATs
- Full transponder: Transponder no. 8 on INSAT 3B
- 17 nos. of super links
- Satellites: INSAT 3B, INSAT 3A
- Full Transponder + 1/8th Additional Transponder
INFINET (Leased Line) Backbone Network
[Diagram: terrestrial backbone connecting 21 cities: Jammu, Chandigarh, Lucknow, Jaipur, Delhi, Kanpur, Calcutta, Bhopal, Ahmedabad, Guwahati, Mumbai, Patna, Nagpur, Goa, Bhubaneshwar, Pune, Bangalore, Hyderabad, Kochi, Thiruvananthapuram, Chennai. Links are 4 x 2 Mbps with ISDN backup. Links of Banks are monitored by the NMS at Hyderabad, connected to the backup NMS at Mumbai. The VSAT network is integrated with the terrestrial network.]
Banking Applications
1. Intra Bank
   - Transactions taking place within the Bank, such as Funds Transfer, E-Mail, HR, Personnel and Administration, etc.
   - Branches, Head Quarter / Regional Office / Zonal Office / Specialized Branches
2. Inter-Bank
   - Transactions taking place between the Banks, and between a Bank and the Central Bank (RBI), such as Clearing and Settlement, Electronic Fund Transfers (EFTs), etc.
Intra-Bank Applications
- Funds transfer and payment message (Intra-bank)
- Inter Branch Reconciliation (IBR)
- Quick disposal of loan / investment proposals
- Forex information from branches to the office dealing in Forex
- Fund information from clearing centers to the fund management office for optimal allocation of funds
- Cash Management Product
- Treasury Management (TM)
- Any Branch Banking
Intra-Bank Applications Contd.
- Asset Liability Management (ALM)
- General Communication
- Software distribution in the bank
- Human Resources Development and Personnel Administration
- Organizational / Customer database may include:
  - Statutory returns
  - Control returns
  - Standardized returns
  - Ad hoc reports
- Management Information Systems
  - Borrower's profile
  - Branch profile
  - Employee analysis
  - Products / services profile
  - Business profile of branches
Inter-Bank Applications
- Electronic Funds Transfer (EFT)
- Clearing and settlement systems
- Exchange of Defaulting Borrowers' list among RBI and banks
- Shared ATMs Network
- EDI services to the extent they pertain to the payment cycle of EDI
- Currency chest accounting
- Reporting of government account transactions (Central and State Governments)
- Reporting of BSR, R-Returns, etc. to RBI
- Asset Liability Management (for reporting to RBI)
- Returns to be submitted by the banks to the Department of Banking Supervision (DBS) for off-site supervision and monitoring
Inter-Bank Applications Contd.
- Public Key Infrastructure (PKI)
- Structured Financial Messaging System (SFMS)
- Mail Messaging System (MMS)
- Public Debt Office - Negotiated Dealing System (PDO-NDS)
- Real Time Gross Settlement System (RTGS)
IDRBT Certifying Authority
Fulfilling the need for trusted third party services in e-commerce
- Licensed CA by CCA, Government of India
- Issues and manages digital certificates having legal sanctity under the IT Act 2000 for the banking and financial sector
- Attained excellent standards complying with the Information Technology Act, 2000
- Certificate policies and practices of high standards supporting the certification services of IDRBT CA
PKI Enabled Bank Applications
- Structured Financial Messaging System (SFMS)
- Public Debt Office - Negotiated Dealing System (PDO-NDS)
- Electronic Fund Transfer (EFT)
- Real Time Gross Settlement (RTGS)
- Central Fund Management System (CFMS)
- Secure E-mail
- Secured Server
- EnDeSign
- Intra Bank Applications
Registration Authority (RA)
- Entities nominated by Banks / FIs and trusted by IDRBT CA
- Serving as the point of contact for registration of users, i.e., verification of subscribers' credentials before issuance of certificates by IDRBT CA
- Officials appointed by Banks / FIs
Digital Certificates
- Classified according to the level of the subscriber's identity verification
- Class 1, Class 2, Class 3 Certificates
- Validity of one year
- Legally valid under the IT Act 2000
- For digital signatures, encryption and secure server
IDRBT CA - PKI Hierarchy
[Diagram: CCA at the root; IDRBT CA (with its Repository) below it; RAs under IDRBT CA; Subscribers registered through the RAs.]
SFMS Architecture
[Diagram: Bank Gateways 1 to N connected over the INFINET IP Network (IIPN) to a Central HUB, each gateway serving its Bank Sites.]
- Central HUB: safe storage of inter-bank messages; direct routing to the destination Bank Gateway; access validation
- Bank Gateway: common IIPN access point; safe storage; direct routing to intra-bank sites; routing to other banks' sites via the Central HUB
IDRBT Mail Messaging System
- Primary Role: Mail Gateway for the Banking System
- The entire Mail system of the Reserve Bank of India and 20 odd Public Sector Banks depends on the IDRBT Mail gateway
- Bridge between the closed user group (INFINET) and the outside world for seamless to and fro transmission of mail
- Implemented with a standard protocol: SMTP
- Ancillary services
  - DNS services
  - Domain Name Registration
  - Web based mail access from the Internet
MMS Setup
[Diagram: the Internet is reached over STPI and BSNL links through LinkProof; INFINET is reached over VSAT and leased line links. A PIX Firewall and a Layer 3 Switch front a De-Militarized Zone (DMZ) holding MITHI Mail Hubs 1 to 5, some servers communicating with INFINET and others with the Internet, and the IDRBT Mail Server.]
PDO-NDS System Interfaces
[Diagram: Members and RBI (as a Member) connect to the PDO-NDS system (P1A); the PDO-NDS file transfer facility links it to the current PDO settlement system; other interfaces are the PDO, the RBI Control user, DAD, the System administrator and CCIL.]
RTGS - Payment by Bank-A to Bank-B through the accounts maintained at the Central Bank
[Diagram: Bank-A and Bank-B each run a Bank level Server (BLS); the Apex level Server of RBI settles through the Deposit Account Department, RBI.]
1. Payment message from Bank-A BLS to the Apex level Server of RBI
2. Settlement Request from the Apex level Server to the Deposit Account Department, RBI
3. Settlement Advice back to the Apex level Server
4a. Payment Notification (debit) to Bank-A
4b. Payment Notification (credit) to Bank-B
Security Features in Bank Applications
- Digital Signature of the initiating entity for financial messages, transactions, e-mails, office orders, memos, circulars, etc.
- Signature to be verified by the entity acting on the message
- Encryption (if necessary) when the message is on an open channel
- Sending / Intermediate servers (acting as post box) can sign and / or encrypt as per the requirements of the applications
Network Security Components
- Firewall
- Intrusion Detection System (IDS)
- Virtual Private Network (VPN)
- Antivirus Solutions
Security Solution Implementation for RBI (INFINET)
Total Number of Locations: 38

Product                               | Make & Model                  | Qty in Nos.
Firewall                              | CISCO 535 PIX                 | 68
Firewall                              | CISCO 525 PIX                 | 08
Load Balancer                         | Radware Fireproof             | 74
Host IDS                              | Cisco Security Server Agent   | 146
Network IDS                           | CISCO 4235                    | 76
VPN Concentrator                      | CISCO VPN 3030                | 01
Integrated Security Management System | VPN Management System (VMS)   | 02
Firewall Implementation with Load Balancer
[Diagram: INFINET Router, Load Balancer, a pair of PIX Firewalls in parallel, L2 Switch, RBI Network.]
Placement of IDS
[Diagram: Sensors on the INFINET Network side of the Firewall, in the DMZ Network (Mailserver, Webserver), on the Database Server, and on the RBI Network Server, all reporting to a Console.]
VPN Infrastructure through INFINET
[Diagram: INFINET VPN connections between Delhi, Kolkata, Chennai and Mumbai; Corporate Customers reach a secured web enabled application over the Internet; Govt. Departments use connectivity through INFINET.]
A Typical Secure Connectivity to Banks and Financial Institutions
[Diagram: INTERNET and INFINET enter through an EXTERNAL FW (secondary and primary); DMZ-1 and DMZ-2 sit between the external firewall and an INTERNAL ISA SERVER that fronts the Banks / Financial Institutions network.]
Enterprise Wide Automatic Malicious Code Control System
[Diagram of protection layers:]
- Gateway Protection: Internet Server or Gateway
- File Server Protection: NetWare File Server, Windows NT Server
- Mail Server Protection: Groupware (Exchange / Notes / cc:Mail)
- Desktop Protection: Desktop PCs
Multiprotocol Label Switching (MPLS)
[Diagram: a Label Switching Path across INFINET from Bank 1 through Ingress Router A and routers B, C, D to Egress Router E and on to Bank 2; the labelled packet (Payload + IP) carries label 9 after A, 5 after B, 3 after C and 2 after D.]
Packet Traversing a Label Switched Path
Example packet: destination IP address 192.4.2.1, matching FEC 192.4/16.

Router       | In Label | Out Label / Action                     | Next Hop
A (Ingress)  | -        | 9 (assign initial label)               | B
B            | 9        | 5 (label swapping)                     | C
C            | 5        | 3 (label swapping)                     | D
D            | 3        | 2 (label swapping)                     | E
E (Egress)   | 2        | remove label                           | 212.1.1.1

- A: Ingress Router. Using the FEC, this router groups all the packets having the destination address 192.4/16, assigns a label (with value 9) to the packet and forwards it to the next hop (B) in the LSP.
- B: At this core LSR the in label is swapped with the out label, i.e. 9 is swapped by 5.
- C: 5 is swapped by 3.
- D: 3 is swapped by 2.
- E: Egress Router. Here the label is removed and the packet is forwarded using conventional IP routing.
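The walk above, worked through as an added Python simulation (not code from the original deck): the FEC and label tables are constructed to match the slide's values (192.4/16 gets label 9 at A, swapped 9-5-3-2 through B, C, D, popped at E toward 212.1.1.1), and the `forward` function and table layout are assumptions for illustration. A core LSR that receives a label it has no entry for rejects the packet instead of guessing, which is the behaviour an operator wants to see logged.

```python
import ipaddress

# Constructed tables reproducing the slide: FEC 192.4/16 -> initial label 9.
FEC_TABLE = {"A": [(ipaddress.ip_network("192.4.0.0/16"), 9, "B")]}
# Core LSRs: in-label -> (out-label, next hop).
LABEL_TABLE = {
    "B": {9: (5, "C")},
    "C": {5: (3, "D")},
    "D": {3: (2, "E")},
}
# Egress router: label is removed, packet goes to the IP next hop (from the slide).
EGRESS = {"E": "212.1.1.1"}


def forward(dst, ingress="A", fec=FEC_TABLE, labels=LABEL_TABLE, egress=EGRESS):
    """Push a packet for `dst` through the LSP.

    Returns (trace, next_hop): trace is a list of (router, action, label);
    next_hop is the IP next hop after the egress pops the label, or None
    when no FEC matched (plain IP routing would then apply, not shown here).
    """
    addr = ipaddress.ip_address(dst)
    trace = []
    label = router = None
    for net, lbl, hop in fec[ingress]:          # longest match not needed: one FEC
        if addr in net:
            label, router = lbl, hop
            break
    if label is None:
        return trace, None
    trace.append((ingress, "push", label))
    while router in labels:                     # core LSRs swap labels only
        entry = labels[router].get(label)
        if entry is None:
            raise ValueError(f"{router}: no forwarding entry for in-label {label}")
        label, router_next = entry
        trace.append((router, "swap", label))
        router = router_next
    if router not in egress:
        raise ValueError(f"{router}: LSP ends at a router with no egress entry")
    trace.append((router, "pop", label))        # egress removes the label
    return trace, egress[router]


if __name__ == "__main__":
    for step in forward("192.4.2.1")[0]:
        print(step)
```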
Enterprise-wide Network Infrastructure
[Diagram: a Satellite Transponder and VSATs feed the Network Backbone (nodes N1 to N5), which also connects over Leased Line, PSTN/ISDN/Dial-up/Radio and Microwave links; Local and Zonal Routers serve groups of Delivery Points (DP11 to DP14, DP21 to DP24, DP31 to DP33, DP41 to DP43, DP50 to DP53); external connections to NSE, Reuters and SWIFT.]
Financial Networks
Gateways and Integration with the Network: Reuters Network, SWIFT Network, NSE, and Other Financial Network Services
[Diagram: the Corporate Network connects through gateways G1 to G7:]
- G1: SWIFT Network
- G2: Reuters Network
- G3: Stock Exchange Network
- G4: Inter Banks / FIs Network
- G5: Shared ATMs Network
- G6: Clearing Operations Network
- G7: Internet
Security Targets
- Application Security
- E-mail Security
- Logical Security
- Firewall Security
- Database Security
- Operating System Security
- Security against Viruses
- Physical Security
- Network Security
- Backup Security
- Remote Access
- Intranet Security
- Service Providers
- Password Security
- Internet Security
- Freeware Security
- Router Security