This article is from: http://www.iii-soft.com/forum.php?mod=viewthread&tid=1626&extra=page%3D1
Introduction
An online banking system is one through which a bank provides financial services and value-added information services to customers over the Internet. To operate online banking securely, appropriate security technical specifications must be adopted in each of the following areas: security policy, physical security, system resource security, application system security, data communication security, operational security, personnel security, and security assessment and inspection.
1. Security Policy
The security policy requires the bank's senior management to attach great importance to the technical risk management of the online banking business and, in view of the characteristics of that business, to formulate comprehensive, systematic and focused information security rules, regulations and operating procedures, and to classify systems and protect them hierarchically according to their importance, complexity and sensitivity, so that the bank can concentrate on managing the key parts.
2. Physical Security
Physical security refers to tangible security measures: the protective measures for key equipment and information such as computer systems, network devices and communication lines. For example, the computer room should have an electronic access control system, security cameras should be installed at key locations, key devices should be isolated from one another, and entry to the room where keys are kept should be under multi-person control.
3. System Resource Security
System resource security mainly concerns the security of the hardware and software that make up the system, for example whether the hardware and software configurations are of an advanced level and whether they comply with security standards.
4. Application System Security
Application system security mainly involves user identity authentication and transaction confirmation, which are key parts of online banking operations. Online banking breaks with the traditional concept of banking operations: customers can transact without going to the bank counter, and there is no face-to-face contact between bank staff and customers. The bank therefore needs an effective mechanism to confirm the customer's identity and entitlement, and to ensure that neither the customer nor the bank can repudiate transactions that have taken place.
5. Data Communication Security
Data communication security is the core of online banking business and technical risk management. Banks should properly design and configure the various servers and firewalls, adopt appropriate encryption technology, and ensure the confidentiality and integrity of transmitted data while keeping the online banking service running stably. The servers include web servers, application servers and database servers. The firewalls include an external firewall and an internal firewall. To keep the system from being penetrated by hackers, the bank should place an external firewall between the web server and the Internet, and an internal firewall between the web server and the bank's internal computer systems. Encryption technology consists of two parts, the cryptographic algorithm and the key length; it effectively prevents information transmitted and stored by the system from being decrypted by unauthorized parties, thus securing online banking information.
6. Operation Security
Operational security mainly refers to the internal control system for the operation of the bank's computer systems, including the emergency plan and business continuity plan for banking operations, the authorization of administrative and business personnel, and password management.
7. Personnel Security
Personnel security concerns whether the professional and management capabilities of business and technical staff meet the requirements of risk control and business development; it includes personnel vetting, security awareness training and skills training.
8. Security Evaluation and Inspection
Security assessment and inspection is an important part of online banking risk control. It comprises three aspects: first, security evaluation of the computer systems by a recognized external evaluation institution; second, security testing of the computer systems by the bank's management; and third, inspection of the online banking business and system operation by the bank's internal audit department.
From the system-layer perspective, the entire online banking system is divided into three zones: the first is the Internet access area; the second holds the web servers that provide external services, where the CA server is also placed; the third is the intranet area, comprising the application servers and database servers.
Gateway devices are used to isolate areas of different security levels. They can provide firewall functions as well as security products such as IPS and virus filtering, achieving isolation at the network layer together with attack and virus isolation at the application layer, and so forming a genuine multi-layer integrated detection and defense system.
At the Internet access point of the online banking system, dual-link access is generally adopted to ensure link availability: Internet access is provided through two different ISPs, so that when one link fails, online banking transactions can still be served. The CA center that provides certification services is likewise reached over the Internet. As an independent third-party organization, the CA center is not part of the online banking system's network; however, both the customer's verification and the online banking system's verification are achieved by connecting to the CA center over the Internet.
Behind the Internet access router of the online banking system are deployed security gateways (or firewalls), server load balancing devices and web servers. The security gateway can also be run as a dual-host hot standby pair as needed. The server load balancer dynamically distributes traffic to the online banking system. Another important use of the load balancer is SSL decryption: the asymmetric cryptography in SSL consumes a large share of system resources, so in online banking system design SSL decryption is generally performed on the load balancer, whose hardware is optimized for SSL processing and so keeps efficiency acceptable. After the load balancer, user requests are sent to the web servers. The web servers host the static content of the online banking portal, such as the logon page, user manual downloads, driver downloads, tool software downloads, marketing information and other online banking related content. The other important role of the web server is to forward communication requests to the application server: dynamic requests that require interaction with the application server, such as online banking login, transfers, real-time queries and other transaction requests, are forwarded to the application server through a plug-in deployed on the web server.
Beyond the web servers lies the main application part of the online banking system. Together with the web server this forms a three-tier structure, the application server and the database server making up the remaining tiers; both are deployed as dual-host hot standby pairs. The database server also has storage devices holding the business data of the online banking system. The online banking system only accepts and stores business data; actual business processing must be sent to the bank's core business processing network or business processing center. The back end of the online banking system is therefore connected to the bank's comprehensive business network. In this section, a firewall and a communication encryption system are configured. The firewall limits access from the bank's internal network to the online banking system and access from the online banking system to the internal banking business systems. Data sent by the online banking system to the business systems must be encrypted by the encryption devices before it enters the integrated banking network.
Policy control is enabled on the firewall products deployed in the different zones of the system, and only the permitted access ports are opened externally. For example, the firewall between the external web servers and the Internet opens only the inbound and outbound HTTP ports, and the firewall between the web servers and the intranet allows only the web servers to access the intranet, blocking all other services and devices from passing through. The gateway-level virus filtering module is enabled on the firewall to filter files transmitted over HTTP, FTP, IMAP, POP3, SMTP, IM and other protocols; the filtering system detects transmitted files and blocks them when viruses are found. Deploying the virus gateway allows viruses to be managed per zone: when an outbreak occurs in one zone, it is contained locally and does not infect other zones, so a network-wide outbreak is avoided. IPS signature blocking is enabled on the firewall, with the relevant intrusion detection and prevention functions turned on according to the server being protected and the services it provides; for example, for an Apache server it is recommended to enable the web-related Apache attack signatures for intrusion detection. In addition, the firewall's DoS defense capability can effectively mitigate SYN flood, UDP flood and other DoS attacks, maintaining normal access to the online banking server even while the whole network is under heavy attack; the virus file gateway filtering system is enabled to defend against worms, and intrusion detection and prevention devices (IDS) are used to defend against exploitation of system vulnerabilities.
Audit logging devices are set up to record all data communication passing through the firewall, for use as legal evidence in online banking litigation. For example, if a person connects to the online banking server and violates laws and regulations, the original packets recorded on the audit logging device can serve as legal evidence. The audit logging device can also reconstruct the communication content of HTTP, FTP, SMTP, IMAP, POP3 and other protocols to reveal the actual sequence of operations, which is of great significance for tracing attacks and taking remedial action afterwards.
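As an added example (not code from the original article), the following Python script expresses the zone policy described above as data and checks constructed firewall audit-log records against it, flagging connections the firewall allowed although the policy does not permit them, and connections it denied although the policy does. The address ranges, the web-server-to-application-server port, the log line format and the sample records are all assumptions made for this example.

```python
"""Check firewall audit-log records against the zone policy described above.

Added example, not code from the original article. The address plan, the
application-server port and the log format are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zone labels for the three areas described in the article.
INTERNET = "internet"
DMZ = "dmz"            # external web servers
INTRANET = "intranet"  # application and database servers

# Assumed address plan (not from the page).
DMZ_NET = ipaddress.ip_network("172.16.1.0/24")
INTRANET_NET = ipaddress.ip_network("10.10.0.0/16")
APP_PORT = 8080  # assumed port the web server uses to reach the application server

# The article's policy: the external firewall opens only inbound and outbound
# HTTP(S) between the Internet and the web servers; the internal firewall lets
# only the web servers reach the intranet. Any flow not listed here is not permitted.
ALLOWED_FLOWS = {
    (INTERNET, DMZ): {80, 443},
    (DMZ, INTERNET): {80, 443},
    (DMZ, INTRANET): {APP_PORT},
}

# Constructed audit-log format:
# "<timestamp> <firewall> <src>:<sport> -> <dst>:<dport> <proto> <ALLOW|DENY>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>ALLOW|DENY)$"
)


@dataclass
class Flow:
    firewall: str
    src: str
    dst: str
    dport: int
    action: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the internal ranges is Internet."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return DMZ
    if addr in INTRANET_NET:
        return INTRANET
    return INTERNET


def policy_allows(src_zone: str, dst_zone: str, dport: int) -> bool:
    """True if the policy permits this zone-to-zone flow on this destination port."""
    return dport in ALLOWED_FLOWS.get((src_zone, dst_zone), set())


def parse_line(line: str) -> Optional[Flow]:
    """Parse one audit record; None if it does not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["fw"], m["src"], m["dst"], int(m["dport"]), m["action"])


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (record, reason) for every record where the firewall's decision
    disagrees with the policy, and for records that cannot be parsed."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            findings.append((line, "unparseable record"))
            continue
        permitted = policy_allows(zone_of(flow.src), zone_of(flow.dst), flow.dport)
        if flow.action == "ALLOW" and not permitted:
            findings.append((line, "allowed by firewall but not permitted by policy"))
        elif flow.action == "DENY" and permitted:
            findings.append((line, "denied by firewall although policy permits it"))
    return findings


# Constructed sample log; Internet-side addresses use RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2024-01-15T09:00:01Z fw-ext 203.0.113.7:51234 -> 172.16.1.10:443 TCP ALLOW",
    "2024-01-15T09:00:02Z fw-ext 203.0.113.7:51235 -> 172.16.1.10:22 TCP ALLOW",
    "2024-01-15T09:00:03Z fw-int 172.16.1.10:40001 -> 10.10.2.20:8080 TCP ALLOW",
    "2024-01-15T09:00:04Z fw-int 10.10.9.99:50000 -> 172.16.1.10:3306 TCP ALLOW",
    "2024-01-15T09:00:05Z fw-int 203.0.113.7:51236 -> 10.10.3.30:445 TCP DENY",
    "2024-01-15T09:00:06Z fw-ext 172.16.1.10:40002 -> 198.51.100.5:443 TCP ALLOW",
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_LOG):
        print(f"{reason}: {record}")
```

Run against the sample records, the script reports two findings: an SSH connection from the Internet that the external firewall allowed, and an intranet workstation reaching a web server, which the policy does not permit in that direction. The denied Internet-to-intranet record produces no finding, since the firewall's decision matches the policy.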