[ISN] Swiss bank battens down Web hatches

From: mea culpa (jerichot_private)
Date: Mon Oct 19 1998 - 02:04:34 PDT


    Forwarded From: rio <riot_private>
    
    http://www.nwfusion.com/news/1019ubs.html
    Swiss bank battens down Web hatches
    By Ellen Messmer
    Network World, 10/19/98
    
    Zurich, Switzerland - Mindful of hackers determined to break into Web
    servers, Union Bank of Switzerland (UBS) took a long, hard look at how to
    securely offer its wide array of financial services on the Internet when
    the Swiss banking giant entered online banking earlier this year. 
    
    Aware of the critical nature of banking transactions, UBS opted for a
    customized Web server built according to the U.S. military's B1 operating
    system security rating, which calls for mandatory access controls and
    compartmentalized services. UBS not only ordered a Web server built to
    military security specifications, but it also integrated a home-grown Web
    authentication application, Benutzbewachtigungssysteme, into the system. 
    
    "The Web became an issue when UBS business units began clamoring to offer
    banking services globally via the 'Net and demanded that the UBS IT
    division find a way to do it," says Silvano Caliaro, executive director of
    UBS IT services. Caliaro oversees a staff of 4,000 supporting the UBS
    TCP/IP network and applications worldwide. 
    
    "The pressure from the business managers was very high," he notes. "Our
    experts asked questions of the business managers, and we felt we needed to
    develop this secure server." 
    
    After a review of proposals, UBS last year picked Champaign, Ill., company
    Argus Systems Group to build the Web server. Argus, which has sold a
    B1-accredited trusted operating system for four years, spent several
    months building the Web server for UBS. 
    
    "Our Gibraltar operating system and Web server module is installed on a
    standard off-the-shelf Solaris system," explains Argus President Randy
    Sandone. The advantage of the B1 architecture is that it diminishes a
    hacker's ability to exploit buffer overflows to gain root access.
    
    Gibraltar, which encrypts data between the user and the UBS back-end
    systems, provides isolated compartments for running multiple applications
    to access this legacy data. On the Web server, UBS is running four
    applications - consumer banking, private banking, commercial banking and
    asset management - in the server's separate compartments.
    
    The compartments allow each application to be authenticated differently,
    using anything from simple passwords to complex public-key certificate
    systems. The different approaches are based on the data's sensitivity.
    
    For UBS, Argus developed custom modules that attach software labels to
    every packet passing through the Web server. The labels designate the Web
    visitor's security level and privileges. A visitor's IP address is
    internally changed to represent a UBS-assigned ID, which lessens a
    hacker's ability to break in by exploiting IP spoofing mechanisms or
    hijacking the IP session. 
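    The article describes three mechanisms without detailing them: per-application
    compartments, labels carried with each request that encode the visitor's
    level and privileges, and an opaque UBS-assigned ID standing in for the
    visitor's IP address. The toy model below is an added illustration of how
    such a compartmented mandatory access control check works; it is not Argus
    Gibraltar or UBS code. The level names, compartment names, session IDs and
    requests are constructed, and the "dominates" rule is the standard
    Bell-LaPadula lattice check, which the article does not claim Gibraltar
    uses verbatim.

```python
"""Toy compartmented mandatory access control (MAC) check.

Added illustration in the spirit of the B1-style labelling described in the
article; not Gibraltar code.  Levels, compartments, sessions and requests are
all constructed here.
"""

from dataclasses import dataclass, field

# Hierarchical sensitivity levels (higher number = more sensitive); constructed.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Bell-LaPadula dominance: a subject may access an object only if its
        level is at least the object's level AND it holds every compartment the
        object is tagged with.  Compartments are non-hierarchical, so holding
        'private' says nothing about 'commercial'."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


# Object labels for the four application compartments named in the article
# (consumer, private, commercial, asset management); the levels are constructed.
RESOURCES = {
    "consumer": Label("internal", frozenset({"consumer"})),
    "private": Label("confidential", frozenset({"private"})),
    "commercial": Label("confidential", frozenset({"commercial"})),
    "asset_mgmt": Label("confidential", frozenset({"asset_mgmt"})),
}

# Session table, standing in for "visitor's IP address is internally changed to
# a UBS-assigned ID".  Authority is keyed by an opaque session id issued after
# authentication, never by source IP, so a forged address carries no privilege.
# Constructed sample sessions.
SESSIONS = {
    "sess-0001": Label("internal", frozenset({"consumer"})),
    "sess-0002": Label("confidential", frozenset({"private", "asset_mgmt"})),
}


def authorize(session_id: str, resource: str) -> bool:
    """Mandatory check applied to every request: an unknown session or
    resource is denied outright; otherwise the session label must dominate
    the resource label."""
    subj = SESSIONS.get(session_id)
    obj = RESOURCES.get(resource)
    if subj is None or obj is None:
        return False
    return subj.dominates(obj)


def audit(requests):
    """Evaluate a batch of (session, resource) requests and return the
    decisions, the kind of record a defender would log and alert on for
    repeated DENY results from one session."""
    return [(s, r, "ALLOW" if authorize(s, r) else "DENY") for s, r in requests]


if __name__ == "__main__":
    for decision in audit([("sess-0001", "consumer"), ("sess-0001", "private"),
                           ("sess-0002", "private"), ("sess-0002", "commercial"),
                           ("bogus", "consumer")]):
        print(decision)
```

    The point of the model is that the check is mandatory and label-driven: a
    session that is cleared for private banking cannot reach the commercial
    compartment even at the same sensitivity level, and nothing in the request
    itself (such as a source address) can raise its label.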
    
    The home-grown authentication software UBS wrote for the Gibraltar server
    provides user authentication through the UBS firewall to the Gibraltar Web
    server.
    
    "We built this access mechanism because we have public users seeking
    access to internal systems. This controls the whole authorization,"
    Caliaro says.  "We now have about 3,000 outside customers who get their
    authorizations this way."
    
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:08:19 PDT