Secure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB
Abstract
Security First Network Bank (SFNB) (http://www.sfnb.com) went on-line in October 1995 as the world's first on-line bank. The paper discusses how the security architecture was designed and implemented using the most current security technologies available at the time. The encryption technologies used to transport information across the Internet are widely known. Less widely known is how to protect the systems that are directly connected to the Internet but must still interact with customers and protect sensitive information. This paper discusses the measures that were taken to ensure that SFNB is as safe as possible against hackers. Not only did the entire system have to be safe against attacks; the systems also needed the security and assurance required to meet the approval of the Office of Thrift and Supervision.

Design Process

The design of the security architecture began in early 1995. A security architecture paper was written and reviewed by security experts. The design goals were to use sufficient security technology to protect all parts of the bank's operations, while at the same time creating a system that could be easily administered by competent system administrators. The main difference between protecting an on-line bank and providing a firewall for a commercial company is that the bank database must be accessible to outside users, and therefore has to be protected by a much stronger machine than a conventional firewall. A large part of the architecture discussed how to protect this machine, what type of machine it should be, and the administrative controls that would be needed. After thorough reviews, the architecture was approved and a security policy was written based upon it. The time taken to correctly design both the security architecture and the security policy was well spent, as it has not been necessary to substantially change either.
Machine Architecture

The security of the entire system rests upon the security of every machine in that system. If a single machine is vulnerable, then potentially the whole network is vulnerable. One of the first stages of the overall design was understanding the data that would flow through the system. Careful consideration was then given to which machines were needed and how they would be connected. Except for the Bank Server, this is a fairly typical commercial firewall implementation.

[Figure: network diagram with the elements Internet, Filtering router, WWW Server, Firewall, Bank Server, Bank Database, Mail Server and the CSR machines.]

Filtering Router

The filtering router prevents IP-spoofing attacks by ensuring that no incoming packets carry an "inside" source address. The filtering router also implements filtering rules for each machine to ensure that only authorized traffic is sent to that machine. For example, the WWW server should only receive packets destined for TCP port 80 (http port), and the Bank Server should only receive packets for TCP port 443 (https port). The filtering router logs all errors. These error logs have been an invaluable source of information.

WWW Server

The WWW server provides information on the bank to potential customers. The only port that is open on this machine is TCP port 80 (http port). All other network services are deconfigured from this machine.

Firewall

The firewall is a dual-homed bastion host running a mail application proxy. Mail is the only traffic allowed to pass through the firewall to the internal network. The firewall also acts as the Domain Name Server (DNS) for the machines in the DMZ. The firewall selected was Interceptor, a firewall product from Technologic (http://www.tlogic.com).

Customer Service Representative (CSR) Network

The CSR machines are on a dedicated network. Each CSR has a machine that can be used for receiving and sending mail (stored on a central mail server, with external mail sent through the firewall).
Each CSR also has read-only access to portions of the bank database to handle bank customer telephone queries. All database actions are audited and can be traced to an individual CSR if necessary.

Bank Database

The Bank Database is the heart of the bank's data center. The machine is dual-homed, with one network card connected to the CSR network to allow CSR read-only access to the database and the other network card connected to the Bank Server. Although all machines need high availability, this machine also needs very high data integrity, and so RAID disks are used.

Bank Server

The Bank Server is the machine that protects the bank database. Whereas most firewalls protect internal clients, this machine protects an internal server and therefore needs to be more secure than a firewall, with very strong assurances that it cannot be compromised. Because of these requirements, this machine uses the multilevel secure HP/UX CMW. All features of a trusted system are used: least privilege, discretionary access control (DAC), mandatory access control (MAC), system integrity and audit. The Bank Server is dual-homed. One network card is connected to the "outside" and runs the Netscape Commerce Server to provide encrypted web traffic through the Secure Socket Layer (SSL). The other network card connects to the "inside" and the Bank Database. Because the "outside" and the "inside" need to be kept totally separate, this machine uses the multilevel capabilities of the HP/UX CMW and assigns a different category to each network. A small trusted program connects the Netscape Commerce Server (running at the "outside" level) with the actual bank applications that run at the "inside" level.

[Figure: Bank Server diagram showing the Trusted Gateway Agent between the Outside level (to Internet) and the Inside level (Bank Database).]
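The filtering router rules described above (no inbound packet may carry an inside source address, each DMZ host receives only its authorized protocol and port, and every drop is logged) can be modelled as a small policy evaluator. The Python below is an added illustration and not the bank's router configuration; the address block 192.0.2.0/24, the host addresses, the mail port allowed to the firewall and the sample packets are all constructed for the example.

```python
"""Model of the ingress filtering policy described for the SFNB filtering router.

Added illustration, not the bank's actual router configuration. The network
addresses, the rule table and the sample packets are all constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the "inside" (DMZ) address block behind the router.
INSIDE_NET = ip_network("192.0.2.0/24")

# Constructed host addresses on the DMZ side of the router.
WWW_SERVER = ip_address("192.0.2.10")
BANK_SERVER = ip_address("192.0.2.20")
FIREWALL = ip_address("192.0.2.30")

# Per-host allow list: which (protocol, destination port) pairs may reach each host.
# Anything not listed is dropped and logged, matching the "only authorized traffic" rule.
ALLOWED = {
    WWW_SERVER: {("tcp", 80)},     # http only
    BANK_SERVER: {("tcp", 443)},   # https only
    FIREWALL: {("tcp", 25)},       # assumed: mail proxy on the bastion host
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def filter_inbound(pkt, log):
    """Return True if the packet may enter the DMZ; otherwise drop it and log the reason."""
    src = ip_address(pkt.src)
    dst = ip_address(pkt.dst)
    # Anti-spoofing: a packet arriving from the Internet must not claim an inside source.
    if src in INSIDE_NET:
        log.append(f"DROP spoofed source {pkt.src} -> {pkt.dst}:{pkt.dport}")
        return False
    # Only the known DMZ hosts are reachable at all.
    if dst not in ALLOWED:
        log.append(f"DROP unknown destination {pkt.dst}")
        return False
    if (pkt.proto, pkt.dport) not in ALLOWED[dst]:
        log.append(f"DROP {pkt.proto}/{pkt.dport} not permitted for {pkt.dst}")
        return False
    return True


def run_policy(packets):
    """Apply the policy to a list of packets; return (accepted packets, drop log)."""
    log = []
    accepted = [p for p in packets if filter_inbound(p, log)]
    return accepted, log


# Constructed sample traffic: one legitimate https request to the Bank Server, one
# http request to the Bank Server (wrong port), one telnet attempt against the WWW
# server, and one packet forged with an inside source address.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.20", "tcp", 443),
    Packet("198.51.100.7", "192.0.2.20", "tcp", 80),
    Packet("198.51.100.9", "192.0.2.10", "tcp", 23),
    Packet("192.0.2.20", "192.0.2.10", "tcp", 80),
]

if __name__ == "__main__":
    ok, drops = run_policy(SAMPLE)
    print(f"accepted {len(ok)} of {len(SAMPLE)} packets")
    for line in drops:
        print(line)
```

The drop log is the part worth keeping: as the text notes, the router's error logs were the most useful source of information about what was arriving at the perimeter.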
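The Bank Server's separation of the "outside" and "inside" categories, with one small trusted program as the only path between them, can be sketched as a reference monitor plus a gateway that forwards only a fixed vocabulary of well-formed requests and leaves an audit record of every decision. The Python below is an added model of that design; it is not HP/UX CMW code nor the bank's own trusted gateway. The labels, subject names, the single "balance" operation, the six-digit account format and the account balances are all constructed assumptions.

```python
"""Model of the compartment separation on the Bank Server.

Added illustration of the design in the text, not HP/UX CMW code or the bank's
own trusted gateway. Labels, subjects, the request vocabulary, the account id
format and the account data are all constructed for this example.
"""
from dataclasses import dataclass

# Constructed MAC categories, one per network interface of the Bank Server.
OUTSIDE = frozenset({"outside"})
INSIDE = frozenset({"inside"})


@dataclass(frozen=True)
class Subject:
    name: str
    categories: frozenset


@dataclass(frozen=True)
class Obj:
    name: str
    categories: frozenset


class ReferenceMonitor:
    """Mediates every access and records an audit entry for each decision."""

    def __init__(self):
        self.audit = []

    def access(self, subject, obj):
        # A subject reaches an object only if its categories cover the object's.
        # Untrusted subjects hold exactly one category, so they can never cross compartments.
        allowed = obj.categories <= subject.categories
        self.audit.append((subject.name, obj.name, "allow" if allowed else "deny"))
        return allowed


# Constructed subjects and objects.
WEB_SERVER = Subject("netscape-commerce", OUTSIDE)      # SSL endpoint on the outside interface
BANK_APP = Subject("bank-app", INSIDE)                  # application talking to the Bank Database
GATEWAY = Subject("trusted-gateway", OUTSIDE | INSIDE)  # the one privileged bridge
OUTSIDE_SOCKET = Obj("outside-socket", OUTSIDE)
BANK_DB = Obj("bank-db", INSIDE)

# Constructed balances (in cents) standing in for the Bank Database.
ACCOUNTS = {"000123": 250_00, "000456": 10_00}

# The only operation the gateway will carry inward in this model.
ALLOWED_OPS = {"balance"}


def bank_app_handle(monitor, request):
    """Inside-level application logic; runs only if MAC lets BANK_APP reach BANK_DB."""
    if not monitor.access(BANK_APP, BANK_DB):
        return {"status": "denied"}
    if request["op"] == "balance" and request["account"] in ACCOUNTS:
        return {"status": "ok", "balance": ACCOUNTS[request["account"]]}
    return {"status": "error"}


def gateway_forward(monitor, request):
    """Trusted gateway agent: the only path from the outside level to the inside level."""
    if not monitor.access(GATEWAY, OUTSIDE_SOCKET):
        return {"status": "denied"}
    op = request.get("op")
    account = str(request.get("account", ""))
    # Validate before crossing: unknown operations and malformed ids never reach the inside.
    if op not in ALLOWED_OPS or not (account.isdigit() and len(account) == 6):
        monitor.audit.append((GATEWAY.name, "request", f"reject:{op}"))
        return {"status": "rejected"}
    if not monitor.access(GATEWAY, BANK_DB):  # privileged crossing, audited like any other
        return {"status": "denied"}
    return bank_app_handle(monitor, {"op": op, "account": account})


def demo():
    """Run the three cases the design implies and return the decisions plus the audit trail."""
    monitor = ReferenceMonitor()
    direct = monitor.access(WEB_SERVER, BANK_DB)   # web server reaching the database directly
    good = gateway_forward(monitor, {"op": "balance", "account": "000123"})
    bad = gateway_forward(monitor, {"op": "shell", "account": "000123"})
    return direct, good, bad, monitor.audit


if __name__ == "__main__":
    direct, good, bad, audit = demo()
    print("direct web->db access:", "allowed" if direct else "denied")
    print("gateway balance request:", good)
    print("gateway unknown op:", bad)
    for entry in audit:
        print("audit", entry)
```

The point of the model is that the web server, even if compromised, holds only the outside category and so has no path to the database; the only privileged subject is the gateway, and it crosses the boundary only for a request it has already validated, with the crossing itself appearing in the audit trail.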