
BSA V4.0
TECHNICAL SPECIFICATIONS
Confidential Bank Supervision Application

CONTENTS
1 THE ARCHITECTURE OF THE BSA V4
1.1 Description of the Architectures
1.2 Authentication Process
1.2.1 Layout 1
1.2.2 Layout 2
1.2.3 At the Operating System Level
1.3 Server Specifications (Minimum)
2 APPLICATION THREATS AND COUNTERMEASURES
2.1 Sniffing
2.1.1 BSA Countermeasures
2.2 Spoofing
2.2.1 BSA Countermeasures
2.3 Session Hijacking
2.3.1 BSA Countermeasures
2.4 Denial-of-Service
2.4.1 BSA Countermeasures
2.5 Elevation of Privilege
2.5.1 BSA Countermeasures
2.6 Repudiation
2.6.1 BSA Countermeasures
2.7 SQL Injection
2.7.1 BSA Countermeasures
3 SERVER AND NETWORK PROTECTION
3.1 Spoofing Countermeasures
3.2 Sniffing Countermeasures
3.3 Session Hijack Countermeasures
3.4 Denial of Service Countermeasures
4 ADDITIONAL SECURITY DETAILS
5 REFERENCES


1 THE ARCHITECTURE OF THE BSA V4


The BSA architecture follows one of the two layouts below:

Figure 1 - BSA architecture

1.1 Description of the Architectures


BSA V4 was designed to work with either Layout 1 (without ISA firewall) or Layout 2 (with ISA
firewall). In Layout 1 the web server sits in the DMZ together with an Active Directory "helper"
(an intermediary through which the web server reaches the domain controller), while the SQL Server
is hosted in the LAN. In Layout 2 the web server and the SQL Server are both hosted inside the LAN,
which simplifies the connection between the web server and Active Directory: since both are in the
LAN, the web server talks to the domain controller directly, without passing through a helper. The
choice between the two layouts depends on the network policies of the country hosting the
application.

Website: https://www.bsa.org.mz Av. 25 de Setembro nº 1695 T +258 1354600/700
E-mail: bso_support@bancomoc.mz Maputo Caixa Postal 423 F +258 21421361

1.2 Authentication Process


1.2.1 Layout 1

Users access the application from a browser over the Internet. The request passes through the
first (perimeter) firewall, which only allows packets to the HTTP (80) or HTTPS (443) port.

The login page is presented and the user enters the credentials. The web server then establishes
a connection with the domain controller (Active Directory) to verify whether the credentials belong
to an internal user. If Active Directory rejects the credentials, the user may be an external user,
so the web server falls back to authenticating the user against the SQL Server database, connecting
on the SQL port (which the second firewall allows from the web server).

1.2.2 Layout 2

Layout 2 places both the database and the web server in the LAN. The server in the DMZ is the
ISA server, which receives the request after it passes the first firewall.

Since ISA requires an authenticated user before it forwards a request to the actual web server,
there are two approaches for letting external users in (external users here are users who access
the application from the Internet and do not belong to the central bank, and are therefore not
registered in Active Directory):

1. Create one user on the ISA server and share that username and password among all external
users, who must enter it before they reach the BSA login page. Such a shared credential gives no
per-user accountability at the ISA layer and has to be changed whenever an external user leaves;

2. Skip the ISA authentication page by defining a default authenticated user that ISA uses for
any request intended for the BSA application.

For an internal user who accesses the application from the Internet, the same process occurs on
ISA:


1. If ISA is deployed with its authentication page, the user authenticates on ISA and then again
on the BSA login page;

2. If ISA is deployed without the authentication page, authentication is done only on the BSA
login page, against Active Directory.

Once the request is through ISA, the BSA login page authenticates an internal user (central bank
user) against Active Directory and an external user (not a central bank user) against the BSA
database.

1.2.3 At the Operating System Level

In both layouts, the web server reaches the folders on the database server (to access, read and
modify them) over the SMB protocol.

On the web server machine, ASP.NET pages are executed within a process, i.e. a Windows program.
Every Windows program runs under a specific security identity, and by default the ASP.NET worker
process runs under a predefined Windows identity. BSA instead configures the application to use
impersonation, so the application executes its commands under the identity of the authenticated
operating-system user.

1.3 Server specifications (Minimum)

Requirement        Web Server (APP Server)                          Database Server (DB Server)
CPU                Intel Xeon 3.2 GHz dual core or compatible       Intel Xeon 3.2 GHz dual core or compatible
RAM                16 GB                                            32 GB
Hard disk space    500 GB                                           500 GB
Operating system   Microsoft Windows Server 2008 R2                 Microsoft Windows Server 2008
Software           IIS 7.5                                          .NET Framework 4.5
                   .NET Framework 4.5                               Microsoft Excel 2007
                   Microsoft Excel 2007                             Microsoft SQL Server 2012 Enterprise Edition
                   Adobe Reader 7.0                                   or Oracle 11g
                   SSL certificate
Network            Outgoing to mail server: port 25                 Incoming from web server: port 1433 (SQL Server),
                   Outgoing to DB server: port 1433 (SQL Server),     1521 (Oracle) or another appropriate port
                     1521 (Oracle) or another appropriate port      Outgoing to web server
                   Incoming from Internet: port 80 / 443 (SSL)

Table 1 - Server specifications (minimum)

2 APPLICATION THREATS AND COUNTERMEASURES


Below are listed the most common threats that affect web applications and the countermeasures
adopted by the BSA V4 web application.

2.1 Sniffing
Sniffing or eavesdropping is the act of monitoring traffic on the network for data such as plaintext
passwords or configuration information. With a simple packet sniffer an attacker can read all
plaintext traffic. Attackers can also break traffic protected by weak encryption or by mere encoding
and recover a payload that was assumed to be safe. Sniffing requires the attacker to have a packet
sniffer somewhere on the path between client and server.

2.1.1 BSA countermeasures

- Encryption of the HTTP traffic with SSL/TLS (HTTPS), using the server's SSL certificate. Because
the perimeter firewall also admits port 80, plain HTTP requests should only ever be answered with a
redirect to HTTPS, so that the login form and the session cookie never travel in clear text.


2.2 Spoofing
Spoofing is a means to hide one's true identity on the network. To create a spoofed identity, an
attacker uses a fake source address that does not represent the packet's real origin. Spoofing may
be used to hide the source of an attack or to get around network access control lists (ACLs) that
limit host access based on source address.

2.2.1 BSA countermeasures

- Secure use of cookies: only the information strictly required is stored in cookies, so that a
client cannot assume another identity by editing them.

- The application locks an account after three consecutive failed login attempts.
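The login chain from section 1.2 (Active Directory first, then the BSA database) combined with the three-failure lockout above, as an added Python illustration. This is not BSA code (the application is ASP.NET), and both backends are stand-ins: the directory is a dictionary and the database holds salted PBKDF2 hashes; the user names and passwords are made up for the example. The lockout counter is kept per user name across both backends, so the fallback to the database does not hand an attacker a second set of guesses.

```python
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3   # the page: accounts are blocked after three failed logins

# Constructed stand-in for Active Directory (internal, central bank users).
# A real web server would validate against the domain controller; here the
# directory is just a name -> password table.
_AD_USERS = {"bsa\\analyst": "Winter-2013!"}


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _db_record(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt)}


# Constructed stand-in for the BSA database (external users from supervised
# institutions): the database stores only salted PBKDF2 hashes.
_DB_USERS = {"bank01.reporter": _db_record("Report#2013")}

_failures = {}   # user name -> consecutive failed attempts, shared by both backends


def ad_authenticate(username, password):
    expected = _AD_USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def db_authenticate(username, password):
    rec = _DB_USERS.get(username)
    if rec is None:
        _pbkdf2(password, b"\x00" * 16)   # same cost for unknown names: no timing oracle
        return False
    return hmac.compare_digest(rec["hash"], _pbkdf2(password, rec["salt"]))


def login(username, password):
    """Return 'internal', 'external', 'locked' or 'denied'.

    Order follows section 1.2.1: Active Directory first, the BSA database only
    when AD rejects the credentials. The lockout is checked before either
    backend is consulted, so a locked account is refused even with the right
    password, and one counter covers both backends.
    """
    if _failures.get(username, 0) >= LOCKOUT_THRESHOLD:
        return "locked"
    if ad_authenticate(username, password):
        _failures.pop(username, None)
        return "internal"
    if db_authenticate(username, password):
        _failures.pop(username, None)
        return "external"
    _failures[username] = _failures.get(username, 0) + 1
    return "denied"


def failed_attempts(username):
    return _failures.get(username, 0)


if __name__ == "__main__":
    print(login("bsa\\analyst", "Winter-2013!"))      # internal
    print(login("bank01.reporter", "Report#2013"))    # external
    for guess in ("a", "b", "c"):
        print(login("bank01.reporter", guess))        # denied x3
    print(login("bank01.reporter", "Report#2013"))    # locked
```

A production lockout would persist the counter (and a reset time) in the database rather than in process memory, otherwise an application-pool recycle clears it.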

2.3 Session hijacking


Session hijacking, also described as a man-in-the-middle attack, deceives a server or a client into
accepting the upstream host as the legitimate host. The upstream host is in fact the attacker's
host, which manipulates the network so that it appears to be the intended destination.

2.3.1 BSA Countermeasures

- Use of SSL to encrypt the connection between the user and the web application, so that the
session id cannot be read off the wire;
- Renaming the client-side variable (cookie) that carries the session id, so that even if a request
or response is tampered with, the session id is not obvious to find. This only hides the cookie from
casual inspection; the real protection is that the id is unguessable and is carried only over SSL;
- Session expiry: after a defined period of inactivity the session is discarded and the user is
redirected to the login page.
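A session store showing the three measures above, as an added Python illustration rather than BSA's ASP.NET session state: an unguessable id, the cookie issued under a non-default name with the Secure and HttpOnly attributes, and a sliding inactivity timeout. The cookie name and the 20-minute limit are assumed values; the clock is injectable so the expiry can be exercised without waiting.

```python
import secrets
import time

COOKIE_NAME = "bsid"      # assumed non-default name (ASP.NET's default is ASP.NET_SessionId)
IDLE_TIMEOUT = 20 * 60    # assumed inactivity limit, in seconds


class SessionStore:
    """Server-side session table keyed by a random id carried in a cookie."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for testing
        self._sessions = {}             # session id -> {"user": ..., "last_seen": ...}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def cookie_header(self, sid):
        # Secure: the browser never sends it over plain HTTP (port 80);
        # HttpOnly: page scripts cannot read it.
        return "%s=%s; Path=/; Secure; HttpOnly" % (COOKIE_NAME, sid)

    def user_for(self, cookies):
        """Resolve the request's cookies to a user, or None if there is no live session."""
        sid = cookies.get(COOKIE_NAME)
        sess = self._sessions.get(sid) if sid else None
        if sess is None:
            return None
        now = self._now()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]      # idle too long: force a fresh login
            return None
        sess["last_seen"] = now          # sliding expiry: activity extends the session
        return sess["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)    # explicit logout invalidates the id server-side


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("bank01.reporter")
    print(store.cookie_header(sid))
    print(store.user_for({COOKIE_NAME: sid}))
```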

2.4 Denial-of-Service
Denial of service denies legitimate users access to a server or services. The SYN flood attack is a
common example of a network level denial of service attack. It is easy to launch and difficult to
track. The aim of the attack is to send more requests to a server than it can handle. The attack
exploits a potential vulnerability in the TCP/IP connection establishment mechanism and floods the
server's pending connection queue.


2.4.1 BSA Countermeasures

- No explicit limit on the number of simultaneous requests was configured, since Windows Server
2008 and IIS 7 manage request concurrency between them.
- The request queue length is limited to 1000; requests arriving beyond that receive HTTP 503
"Service Unavailable".
- IT staff will be trained to deny access from specific IP addresses known to be malicious.

2.5 Elevation of Privilege


Elevation of privilege occurs when a user with limited privileges assumes the identity of a
privileged user to gain privileged access to an application. For example, an attacker with limited
privileges might elevate his or her privilege level to compromise and take control of a highly
privileged and trusted process or account.

2.5.1 BSA Countermeasures

- Encryption of sensitive information in configuration files;
- Encryption of the connection information between the database server and the web application
server;
- Custom error messages, so that application internals are not exposed to the user when an error
occurs;
- No use of query strings: query strings can be modified by an advanced web user to obtain
confidential information;
- Operations (transactions) are assigned only by authorized users, never by the user they affect;
- The menu hides operations the user is not authorized for;
- The authorization level is verified for every transaction: if a user reaches an unauthorized
transaction by typing its URL into the browser, the application redirects the user to the login
page (hiding the menu entry alone would not be enough, since the URL can be typed directly);
- Strong password policy, with the option of preventing reuse of a configurable number of previous
passwords.

2.6 Repudiation
Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific
actions or transactions. Without adequate auditing, repudiation is difficult to disprove.

2.6.1 BSA Countermeasures

- As a countermeasure against repudiation, BSA V4 was developed with an Audit Log transaction that
keeps track of users' activity. For the log to serve as evidence it must be writable only by the
application and not modifiable by the users whose actions it records.
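An audit log in which every entry commits to the previous one, as an added Python example. The page says only that BSA keeps an audit log, so the hash chaining here goes beyond what the document states and is not BSA's implementation; the entries are constructed for the example. The chain makes in-place edits and reordering detectable; to also detect truncation, the latest digest must be kept somewhere the application users cannot write.

```python
import hashlib
import json

_GENESIS = "0" * 64   # chain anchor before the first entry


def _digest(fields):
    # Canonical JSON so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log: each entry's digest covers its fields and the previous digest."""

    def __init__(self):
        self.entries = []

    def record(self, ts, user, action, target, outcome):
        prev = self.entries[-1]["digest"] if self.entries else _GENESIS
        fields = {"ts": ts, "user": user, "action": action,
                  "target": target, "outcome": outcome, "prev": prev}
        entry = dict(fields, digest=_digest(fields))
        self.entries.append(entry)
        return entry["digest"]

    def head(self):
        """Digest of the latest entry; store it out of reach of the audited users."""
        return self.entries[-1]["digest"] if self.entries else _GENESIS

    def verify(self, expected_head=None):
        """Return the index of the first bad entry, or None if the chain is intact.

        With expected_head (the value kept elsewhere) a truncated or rewritten
        chain is reported as a fault at index len(entries).
        """
        prev = _GENESIS
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "digest"}
            if e["prev"] != prev or _digest(fields) != e["digest"]:
                return i
            prev = e["digest"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None


if __name__ == "__main__":
    log = AuditLog()
    log.record(1, "bank01.reporter", "SUBMIT_RETURN", "BK001/2013-Q1", "ok")
    log.record(2, "bsa\\analyst", "APPROVE_RETURN", "BK001/2013-Q1", "ok")
    print(log.verify())           # None: intact
    log.entries[0]["user"] = "someone.else"
    print(log.verify())           # 0: first entry was altered
```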

2.7 SQL Injection


A SQL injection attack exploits vulnerabilities in input validation to run arbitrary commands in the
database. It can occur when your application uses input to construct dynamic SQL statements to
access the database.

2.7.1 BSA Countermeasures

- BSA V4 uses type-safe SQL parameters together with stored procedures. SQL parameters ensure that
input is subject to type and length checks and that injected text is treated as literal data, not
as executable statements in the database.
- Filtering of dangerous characters that can be used in this kind of attack. This is a secondary
control only; the parameters above are what actually prevents injection, since character blacklists
can be bypassed with alternative encodings.
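The difference between the two bullet points, as an added example that is not BSA code: a query built by string concatenation beside the same query with a typed parameter, run against a constructed SQLite table that stands in for the SQL Server or Oracle database, plus an allow-list check on the institution code as the secondary filter. The table, its rows and the code format are made up for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a table of supervised institutions.
_ROWS = [
    ("BK001", "Banco Exemplo", "confidential-return-1"),
    ("BK002", "Banco Modelo", "confidential-return-2"),
    ("BK003", "Microbanco Teste", "confidential-return-3"),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE institution (code TEXT, name TEXT, last_return TEXT)")
    conn.executemany("INSERT INTO institution VALUES (?, ?, ?)", _ROWS)
    return conn


def find_institution_unsafe(code):
    """Vulnerable: the user-supplied code becomes part of the SQL text."""
    conn = _connect()
    sql = "SELECT code, name, last_return FROM institution WHERE code = '" + code + "'"
    return conn.execute(sql).fetchall()


def find_institution(code):
    """Hardened: the code travels as a bound parameter and is compared as a literal."""
    conn = _connect()
    sql = "SELECT code, name, last_return FROM institution WHERE code = ?"
    return conn.execute(sql, (code,)).fetchall()


# Assumed format for institution codes: two letters and three digits.
_CODE_RE = re.compile(r"^[A-Z]{2}\d{3}$")


def is_valid_code(code):
    return _CODE_RE.match(code) is not None


def find_institution_checked(code):
    """Allow-list validation in front of the parameterised query (defence in depth).

    Returns None for a malformed code instead of querying at all.
    """
    if not is_valid_code(code):
        return None
    return find_institution(code)


# Classic tautology payload: closes the string and adds an always-true condition.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    print(find_institution_unsafe(PAYLOAD))    # every row, including other banks' returns
    print(find_institution(PAYLOAD))           # [] : no code equals the literal payload
    print(find_institution_checked(PAYLOAD))   # None: rejected before reaching the database
```

With `executemany`/`execute` and `?` placeholders the driver sends the value separately from the statement, which is the same mechanism as `SqlParameter` in ADO.NET or bind variables in Oracle; the allow-list check adds nothing to injection resistance but keeps junk out of the database and error logs.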

3 SERVER AND NETWORK PROTECTION


Server and network protection is the responsibility of the country in which the product is
installed. Below are some measures recommended by Microsoft to protect the servers:


3.1 Spoofing Countermeasures
Although carefully crafted spoofed packets may never be traced to the original sender, a
combination of filtering rules prevents spoofed packets from leaving your network and lets you
block obviously spoofed packets coming in.
Countermeasures to prevent spoofing include:
- Filter incoming packets at the perimeter that appear to come from an internal IP address.
- Filter outgoing packets that appear to originate from an invalid (non-local) IP address.
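The two filtering rules as executable logic, an added Python example and not a firewall configuration taken from the document: inbound packets are dropped when their source falls in the installation's own address space or in a bogon range, and outbound packets are dropped unless their source is local. The address ranges and the sample packets are assumed values.

```python
import ipaddress
from collections import namedtuple

# direction: "in" = arriving from the Internet, "out" = leaving towards it
Packet = namedtuple("Packet", "src dst direction")

# Assumed address space of the installation; real values come from the site.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),      # DMZ (web server, AD helper / ISA)
              ipaddress.ip_network("198.51.100.0/24")]   # LAN (SQL Server, domain controller)

# Ranges that can never be a legitimate source on the Internet-facing interface.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def ingress_verdict(pkt):
    """Rule 1: a packet from the Internet must not claim an internal or bogon source."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, LOCAL_NETS):
        return "drop: internal source on external interface"
    if _in_any(src, BOGON_NETS):
        return "drop: unroutable source"
    return "pass"


def egress_verdict(pkt):
    """Rule 2: a packet leaving for the Internet must carry one of our own addresses."""
    src = ipaddress.ip_address(pkt.src)
    if not _in_any(src, LOCAL_NETS):
        return "drop: source not in local address space"
    return "pass"


def apply_filter(packets):
    """Return (packet, verdict) pairs, choosing the rule by traffic direction."""
    return [(p, ingress_verdict(p) if p.direction == "in" else egress_verdict(p))
            for p in packets]


# Constructed sample traffic.
SAMPLE = [
    Packet("203.0.113.7", "192.0.2.10", "in"),      # genuine client reaching the web server
    Packet("198.51.100.5", "192.0.2.10", "in"),     # claims to be the LAN: spoofed
    Packet("10.9.9.9", "192.0.2.10", "in"),         # RFC 1918 source arriving from the Internet
    Packet("192.0.2.10", "203.0.113.7", "out"),     # web server replying
    Packet("203.0.113.99", "203.0.113.7", "out"),   # inside host spoofing an outside address
]

if __name__ == "__main__":
    for pkt, verdict in apply_filter(SAMPLE):
        print(pkt.direction, pkt.src, "->", pkt.dst, ":", verdict)
```

The egress rule is what stops the installation's own hosts from being used as the source of a spoofed attack on somebody else; the ingress rule is what protects the LAN-only services (the SQL port, SMB) from packets that pretend to come from a trusted neighbour.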

3.2 Sniffing Countermeasures


- Use strong physical security and proper segmentation of the network.

3.3 Session Hijack Countermeasures


- Keep up with platform patches that fix TCP/IP weaknesses such as predictable sequence numbers.

3.4 Denial of service Countermeasures


- Apply the latest service packs, patches and updates to the server.
- Harden the TCP/IP stack with the appropriate registry settings to increase the size of the TCP
connection queue, shorten the connection establishment period and enable dynamic backlog, so that
the connection queue is never exhausted. Note that the registry values in the Microsoft guidance
referenced below (SynAttackProtect, TcpMaxHalfOpen and the dynamic backlog parameters) were written
for Windows 2000/2003; on the Windows Server 2008 R2 stack specified in Table 1, SYN attack
protection is always enabled and most of these values are no longer read, so verify each setting
against the documentation for the installed version before applying it.
- Use a network Intrusion Detection System (IDS), since it can detect and respond to SYN attacks
automatically.
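Detection logic of the kind the IDS bullet refers to, applied to the SYN flood described in section 2.4, as an added Python example (not BSA or any IDS product's code): per source, SYNs are kept until a bare ACK from the same source completes a handshake or the window passes, and a source with too many outstanding SYNs is flagged. Keying on the destination instead catches a flood from randomised, spoofed sources, which per-source counting cannot see. The traffic is constructed inline and the handshake matching is simplified (no port tracking).

```python
from collections import defaultdict, deque, namedtuple

Packet = namedtuple("Packet", "ts src dst flags")   # ts in seconds; flags "SYN" or "ACK"


def detect_syn_flood(packets, threshold=20, window=1.0, key=lambda p: p.src):
    """Return the set of keys (by default source addresses) that accumulate
    `threshold` or more half-open handshakes within `window` seconds.

    A half-open entry is a SYN from the key that has not been followed by a
    bare ACK (third handshake packet) from the same key.
    """
    pending = defaultdict(deque)   # key -> timestamps of SYNs still half-open
    flagged = set()
    for p in sorted(packets, key=lambda p: p.ts):
        k = key(p)
        q = pending[k]
        while q and p.ts - q[0] > window:   # forget SYNs older than the window
            q.popleft()
        if p.flags == "SYN":
            q.append(p.ts)
            if len(q) >= threshold:
                flagged.add(k)
        elif p.flags == "ACK" and q:
            q.popleft()                      # a handshake completed: one fewer half-open
    return flagged


def _handshakes(src, dst, start, count, complete):
    """Constructed traffic: `count` SYNs 10 ms apart, each followed by an ACK if complete."""
    pkts = []
    for i in range(count):
        t = start + i * 0.01
        pkts.append(Packet(t, src, dst, "SYN"))
        if complete:
            pkts.append(Packet(t + 0.002, src, dst, "ACK"))
    return pkts


WEB = "192.0.2.10"   # assumed address of the BSA web server

# A busy but well-behaved client next to a single-source flood.
SAMPLE = (_handshakes("203.0.113.7", WEB, 0.0, 30, complete=True)
          + _handshakes("203.0.113.9", WEB, 0.0, 60, complete=False))

# A flood whose source address changes on every packet (spoofed).
SPOOFED = [Packet(i * 0.005, "198.18.%d.%d" % (i // 256, i % 256), WEB, "SYN")
           for i in range(200)]

if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE))                          # {'203.0.113.9'}
    print(detect_syn_flood(SPOOFED))                         # set(): invisible per source
    print(detect_syn_flood(SPOOFED, key=lambda p: p.dst))    # {'192.0.2.10'}
```

A per-source rule is the one that maps to the "deny specific IPs" action in section 2.4.1; the per-destination rule can only tell the operator that the server is under attack, which is where rate limiting at the perimeter or upstream has to take over.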


4 ADDITIONAL SECURITY DETAILS


Apart from the security features above, the following were also implemented:
- Encrypted passwords and server details;
- Encrypted connection string;
- Submission of encrypted files (optional);
- Application monitoring using the auditing features;
- Complex password requirement (optional);
- User system profile;
- User institution profile;
- User return profile.


5 REFERENCES

http://technet.microsoft.com/pt-br/library/dd569900.aspx#EKAA

http://plensconsultoria.blogspot.com/2010/05/5-identificacao-de-contra-medidas.html

http://msdn.microsoft.com/en-us/library/ff648664.aspx

http://msdn.microsoft.com/en-us/library/ee817643.aspx

http://www.red-database-security.com/whitepaper/oracle_default_ports.html

http://www.chebucto.ns.ca/~rakerman/oracle-port-table.html

http://www.rsastore.com/rsa-securid-tokens.html

http://www.tokenguard.com/RSA-SecurID-SD200.asp

http://msdn.microsoft.com/en-us/library/zdh19h94.aspx

http://msdn.microsoft.com/en-us/library/330a99hc(v=vs.71).aspx

http://msdn.microsoft.com/en-us/library/f13d73y6.aspx

http://msdn.microsoft.com/en-us/library/ms161953(SQL.105).aspx

http://msdn.microsoft.com/en-us/library/ff648339.aspx

http://msdn.microsoft.com/en-us/library/ff648635.aspx

http://msdn.microsoft.com/en-us/library/xa68twcb.aspx

http://technet.microsoft.com/en-us/library/cc268241.aspx

http://www.microsoft.com/en-us/download/details.aspx?id=26137

http://www.microsoft.com/en-us/download/details.aspx?id=1330
