[ISN] Swiss bank battens down Web hatches

From: mea culpa <jericho_at_dimensional.com>
Date: Mon 19 Oct 1998 - 04:04:34 CDT
Forwarded From: rio <rio@dimensional.com>

http://www.nwfusion.com/news/1019ubs.html
Swiss bank battens down Web hatches
By Ellen Messmer
Network World, 10/19/98

Zurich, Switzerland - Mindful of hackers determined to break into Web
servers, Union Bank of Switzerland (UBS) took a long, hard look at how to
securely offer its wide array of financial services on the Internet when
the Swiss banking giant entered online banking earlier this year. 

Aware of the critical nature of banking transactions, UBS opted for a
customized Web server built according to the U.S. military's B1 operating
system security rating, which calls for mandatory access controls and
compartmentalized services. UBS not only ordered a Web server built to
military security specifications, but it also integrated a home-grown Web
authentication application, Benutzbewachtigungssysteme, into the system. 

"The Web became an issue when UBS business units began clamoring to offer
banking services globally via the 'Net and demanded that the UBS IT
division find a way to do it," says Silvano Caliaro, executive director of
UBS IT services. Caliaro oversees a staff of 4,000 supporting the UBS
TCP/IP network and applications worldwide. 

"The pressure from the business managers was very high," he notes. "Our
experts asked questions of the business managers, and we felt we needed to
develop this secure server." 

After a review of proposals, UBS last year picked Champaign, Ill., company
Argus Systems Group to build the Web server. Argus, which has sold a
B1-accredited trusted operating system for four years, spent several
months building the Web server for UBS. 

"Our Gibraltar operating system and Web server module is installed on a
standard off-the-shelf Solaris system," explains Argus President Randy
Sandone. The advantage of the B1 architecture is that it diminishes the
hacker's ability to exploit buffer overflows to gain root access.

Gibraltar, which encrypts data between the user and the UBS back-end
systems, provides isolated compartments for running multiple applications
to access this legacy data. On the Web server, UBS is running four
applications - consumer banking, private banking, commercial banking and
asset management - in the server's separate compartments.

The compartments allow each application to be authenticated differently,
using anything from simple passwords to complex public-key certificate
systems. The different approaches are based on the data's sensitivity.

For UBS, Argus developed custom modules that attach software labels to
every packet passing through the Web server. The labels designate the Web
visitor's security level and privileges. A visitor's IP address is
internally changed to represent a UBS-assigned ID, which lessens a
hacker's ability to break in by exploiting IP spoofing mechanisms or
hijacking the IP session. 
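The two mechanisms the article describes, per-application compartments whose authentication strength follows the sensitivity of their data, and a label carried on every request that designates the visitor's level and privileges, with a bank-assigned session ID standing in for the client IP as the visitor's identity, can be modelled in a few dozen lines. The following is an added illustration written for this post; it is not Argus or UBS code, and the level names, compartment names, authentication methods and the session-ID scheme are constructed assumptions. Access is granted only when the visitor's label dominates the compartment's label (higher-or-equal level and a superset of compartments), which is the usual lattice check behind B1-style mandatory access control.

```python
"""Toy model of label-based mandatory access control over compartmented
services. Added illustration only; not the Argus Gibraltar or UBS code.
Levels, compartments and authentication methods below are constructed."""
from dataclasses import dataclass
import secrets

# Constructed ordering of sensitivity levels (assumption, not from the article).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


# One compartment per application. Each carries the label a visitor must
# dominate and the weakest authentication its data sensitivity allows.
COMPARTMENTS = {
    "consumer_banking":   (Label("internal", frozenset({"consumer"})), "password"),
    "private_banking":    (Label("confidential", frozenset({"private"})), "certificate"),
    "commercial_banking": (Label("confidential", frozenset({"commercial"})), "certificate"),
    "asset_management":   (Label("secret", frozenset({"assets"})), "certificate"),
}
AUTH_STRENGTH = {"password": 1, "certificate": 2}


@dataclass
class Session:
    session_id: str   # bank-assigned ID; this, not the client IP, is the identity
    label: Label
    auth_method: str


class Gateway:
    """Authenticates visitors and tags every request with the session's label."""

    def __init__(self):
        self.sessions = {}

    def authenticate(self, user_label: Label, auth_method: str) -> str:
        # Unguessable session ID issued at login (constructed scheme).
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(sid, user_label, auth_method)
        return sid

    def label_request(self, session_id: str, src_ip: str):
        """Attach the visitor's label to a request. The source IP is recorded
        for logging only; it plays no part in deciding who the visitor is."""
        sess = self.sessions.get(session_id)
        if sess is None:
            return None
        return {"subject": sess.session_id, "label": sess.label,
                "auth": sess.auth_method, "src_ip": src_ip}


def check_access(request, compartment: str):
    """Return (granted, reason) for a labelled request against a compartment."""
    if request is None:
        return (False, "unknown session")
    required_label, min_auth = COMPARTMENTS[compartment]
    if AUTH_STRENGTH[request["auth"]] < AUTH_STRENGTH[min_auth]:
        return (False, f"{compartment} requires {min_auth} authentication")
    if not request["label"].dominates(required_label):
        return (False, "label does not dominate compartment label")
    return (True, "granted")


if __name__ == "__main__":
    gw = Gateway()
    sid = gw.authenticate(Label("internal", frozenset({"consumer"})), "password")
    req = gw.label_request(sid, "203.0.113.5")  # constructed client address
    print(check_access(req, "consumer_banking"))
    print(check_access(req, "private_banking"))
    print(check_access(gw.label_request("forged", "203.0.113.5"), "consumer_banking"))
```

Note that a request arriving with a valid session ID is labelled identically whatever its source address, and one arriving without a known session ID is rejected before any label check runs; that is the property the article attributes to replacing the IP address with a bank-assigned ID.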

The home-grown authentication software UBS wrote for the Gibraltar server
provides user authentication through the UBS firewall to the Gibraltar Web
server.

"We built this access mechanism because we have public users seeking
access to internal systems. This controls the whole authorization,"
Caliaro says.  "We now have about 3,000 outside customers who get their
authorizations this way."


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Mon Oct 19 09:20:43 1998