Encrypted Securely Managed and Reliable Technology (SMART) and the required Backup Connections

Academic year: 2021



What is SMART Backup?

DTCC’s encrypted Securely Managed and Reliable Technology (SMART) is an MPLS-routed network operating exclusively with Internet Protocol (IP). DTCC offers three flavors of SMART connectivity: SMART Basic, SMART Basic Plus and SMART Premium. Each Participant site requires a backup circuit connection, which provides a diverse, high-speed (bandwidth) backup circuit for SMART Participant connections. New levels of market activity and the use of browser-based user interfaces require that our Participants increase the speed of their SMART connections. As the speed required for the primary connection increases, DTCC must provide backup connections with comparable capacity and performance to ensure that business transactions complete within their desired service delivery windows. DTCC will be installing a broadband connection that allows for a cost-effective, secure and simple backup of any IP-based data and applications from the depository’s clearing and settlement services, as well as applications and services offered by ECCP and Omgeo.

SMART solutions?

Smart Basic – SMART configurations comprised of a router, DSU/CSU, dedicated and backup connections.

Smart Plus – SMART configurations comprised of a router, 2 DSU/CSU, and 2 dedicated connections (dual circuits).

Smart Premium – SMART configurations comprised of dual routers, each configured with a DSU/CSU and a dedicated connection (dual circuits).

All SMART connectivity solutions require that the Participant also subscribe to an equal configuration at their backup facility (data center). As always, all in-house wiring or extensions of circuits beyond the carrier/provider’s demarcation point is the responsibility of the Participant.

Broadband Backup?

Since the inception of SMART, DTCC has mandated the use of a backup carrier connection. For low-speed SMART connections (less than or equal to 128K), ISDN was the previous connectivity model of choice. For higher-speed connections (greater than 128K), a secondary dedicated connection was the required solution. A second dedicated connection proved to be an expensive option for our Participants, who required an economical alternative. To control operational cost, DTCC determined that a single backup infrastructure was the best approach. To deliver a cost-effective networking solution for the DTCC Participant community, SMART has decided to use broadband technology when and where the bandwidth requirement can be met. Extensive testing of the security controls has been satisfactorily conducted, and we have determined that, with the controls employed in SMART, broadband (cable, DSL) is a viable backup solution.

Broadband Architecture and Controls?

The architecture and controls employed allow DTCC to offer this solution. Broadband is comprised of cable providers and traditional telephone companies that provide services using a different networking infrastructure than the dedicated SMART connections. Securing these connections is of paramount importance to ensure that SMART connections remain isolated and purpose-built. By using fixed IP addressing, ISAKMP techniques (RFC2048; see note i below), limited TCP interaction and routing isolation techniques, it is possible to create a secure and viable virtual private network for SMART backup using Internet broadband connections. Using the certificate authority employed in the MPLS dedicated connections authenticates each DTCC router and permits traffic only from that device into the SMART backup distribution layer. Added to this are the following controls: all general Internet traffic may be filtered at the ingress/egress since it is not from a known IP address or an accepted TCP port. All data payload travels via encrypted tunnels. No port 80 traffic is permitted via these interfaces. Scrubbing techniques and other carrier-based filtering options will be used at SMART head ends. Furthermore, Participants secure their ingress and egress points with SMART (the LAN interface on the SMART router) with much the same security techniques, thereby creating a secure extranet demilitarized zone.

Summary of SMART Broadband network hardening

SMART head end perimeter & remote router

• All IP-based traffic uses IPSEC with AES 256-bit encryption and authentication with the SMART CA server. For IP ports, the firewall at the SMART head end central router will have only the following rule set: UDP port 500 for ISAKMP, and ESP (Encapsulating Security Payload), IP protocol 50, for encryption. The same also applies to the SMART edge (Participant site) remote router and the remote broadband LAN interface on the remote router. Therefore, by allowing only IPSEC traffic between the remote and central site, the firewall drops all other traffic: all other TCP/UDP/ICMP traffic is dropped. This interface operates in a stealth mode.

• For routing – “use static route for tunnel establishment”. The SMART head end central routers will exchange BGP routes with ISP routers for only the desired inbound broadband network routes. The remote broadband router will use only a static route to reach the encrypted head end tunnel router network. Therefore, a static route at the broadband end eliminates all the remaining IP-based network attacks.

• One IP number, shared tunnels, access to multiple hub ends – this hides the SMART internal and Participant remote networks from being attacked.

• Enable IOS-based firewall feature set – the SMART edge router will use Cisco’s platform for secure network access policies to reduce the threat profile of Internet and Participant demarcation connectivity points: an ICSA (International Computer Security Association) certified stateful firewall.

• Application firewalling for other traffic using CBAC (Context-Based Access Control) for traffic filtering, deep packet inspection, alerts and audit trails, and intrusion detection. See the following URL for additional explanation:

http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html#wp1000970

• Zone-based policy framework for intuitive policy management – provides control capabilities for Instant Messaging and Peer-to-Peer applications, granular application-level control for HTTP traffic, and firewall policy bandwidth shaping and session limits.

Additional router based security enhancements both head end and remote, enable:

• Reflective access-list interface command to filter both inbound and outbound encrypted packets statefully, in order to prevent malformed packet attacks.

• IP verify unicast reverse-path interface command to drop any packets whose source is not in the routing table.

• No IP redirects interface command to disable IP network broadcasts.

• No IP unreachables interface command to prevent the generation of Internet Control Message Protocol (ICMP) unreachable messages.

• No ip proxy-arp interface command to prevent internal addresses from being revealed.

• No cdp enable interface command to prevent disclosure of router/network information to outside sources.
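The following Cisco IOS fragment is an added illustration, not DTCC’s configuration and not taken from the Cisco document linked above. It shows how the rule set from the first bullet (only UDP 500 and IP protocol 50, from the head end only), the static-route-only routing model and the interface hardening commands listed in this section fit together on a remote (Participant site) router’s broadband backup interface. The interface name, the 192.0.2.0/24 and 198.51.100.0/24 addresses (IETF documentation ranges), the 10.x LAN prefixes, the ACL, crypto and trustpoint names and the enrollment URL are all assumed placeholders; the head end’s real addressing and policy are not on the page.

```cisco
! Added example: remote SMART router, broadband backup interface. All names and
! addresses are placeholders, not DTCC's real values.
!
! Certificate (RSA signature) authentication against the SMART CA (assumed trustpoint).
crypto pki trustpoint SMART-CA
 enrollment url http://smart-ca.example.invalid/
 revocation-check crl
!
! IKE phase 1: AES-256 with certificate authentication.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
!
! IKE phase 2: ESP carrying AES-256 with SHA-1 HMAC.
crypto ipsec transform-set SMART-AES esp-aes 256 esp-sha-hmac
!
! Only Participant-LAN to SMART-backup-distribution traffic is allowed into the tunnel.
ip access-list extended TUNNEL-TRAFFIC
 remark placeholder prefixes: Participant LAN -> SMART backup distribution layer
 permit ip 10.1.0.0 0.0.255.255 10.200.0.0 0.0.255.255
!
crypto map SMART-BACKUP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set SMART-AES
 match address TUNNEL-TRAFFIC
!
! The "stealth" rule set: inbound, only ISAKMP (UDP 500) and ESP (IP protocol 50), and
! only from the head end address. Port 80, ICMP and everything else is dropped and logged.
ip access-list extended BROADBAND-IN
 remark ISAKMP from the SMART head end only (UDP 500)
 permit udp host 198.51.100.10 host 192.0.2.2 eq isakmp
 remark ESP (IP protocol 50) from the SMART head end only
 permit esp host 198.51.100.10 host 192.0.2.2
 remark decrypted tunnel payload: some IOS releases re-check it against this inbound ACL
 permit ip 10.200.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 remark everything else dropped and logged
 deny ip any any log
!
! Outbound: the same two protocols, toward the head end only.
ip access-list extended BROADBAND-OUT
 permit udp host 192.0.2.2 host 198.51.100.10 eq isakmp
 permit esp host 192.0.2.2 host 198.51.100.10
 deny ip any any log
!
interface FastEthernet0/1
 description Broadband backup (cable/DSL modem)
 ip address 192.0.2.2 255.255.255.252
 ip access-group BROADBAND-IN in
 ip access-group BROADBAND-OUT out
 ! strict uRPF: drop packets whose source is not reachable via this interface's route
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 crypto map SMART-BACKUP
!
! Static route only: the tunnel peer is reached via the modem's next hop. No routing
! protocol runs on the broadband interface, so the ISP side has nothing to inject.
ip route 198.51.100.10 255.255.255.255 192.0.2.1
```

Two points worth checking on a real deployment: with strict unicast RPF and only a host route to the head end on the broadband interface, anything not sourced from the head end fails the RPF check before the ACL is even consulted, which is the behaviour the page describes; and the logged deny line will be noisy on an Internet-facing interface, so the log rate should be capped or the entry sent to a collector rather than the console.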

Participant Security and Controls

DTCC has always recommended that Participants employ firewalls, segmentation and other controls at the demarcation point between SMART and the Participant’s network. SMART will employ all security measures to ensure SMART is secured. It is the responsibility of the Participant to secure the ingress and egress points of their network where the SMART routers attach.

Is the capacity of Broadband acceptable?

The service and speeds available depend on several external factors: provider coverage and distance from the cable head ends and central offices. Preliminary availability and bandwidth estimations will be performed and the correct coverage will be provisioned. Actual availability and bandwidth will be determined on a case-by-case basis once the order is placed by DTCC. Because of this, the SMART backup solution will be a hybrid of cable, DSL and, in rare circumstances, ISDN circuits at a minimum. Additional backup technologies may also be required if none of the preceding solutions provides the capacity and bandwidth sought, such as secondary dedicated (MPLS) lines and/or other hardware solutions installed at each location in addition to the current SMART equipment footprint.

Who must deploy a SMART Backup solution?

Entities that require a SMART backup network connection include the following:

• New and existing DTCC SMART (encrypted) connected Participants.

• All existing sites with a single SMART wide area network (WAN) MPLS connection.

Who may optionally choose a SMART Backup solution?

• New and existing DTCC SMART (encrypted) connected Participants with:

1. Two SMART wide area network (WAN) MPLS connections at the same site in either:

a. the fully redundant site (dual router) configuration, or

b. the standard configuration (single router) with 2 WAN connections.

What protocols and features does a SMART Backup connection support?

SMART supports a wide range of standard protocols and features, including

• TCP/IP (transmission control protocol/Internet protocol)

• Within the ESP payload (after successful tunnel negotiations)

• FTP (file transfer protocol)

• Websphere MQ® (formerly MQSeries®)

• Connect:Direct™ (formerly Network DataMover™)

• SNA (IBM Systems Network Architecture)

What are the benefits of using SMART?

Reliability

• Uses multiple sites to ensure business continuity

• Uses standard connections to allow engineers to troubleshoot and resolve problems in a timely manner

• Uses standard TCP/IP protocols

• The backup network is based on separate underlying network infrastructures

Security

• Access control lists regulate the access of individual users to specific areas of the network

• Access control lists regulate the access of individual users to specific applications

• Uses stateful firewall technologies within the router, at the SMART backup and dedicated distribution layers

• Participants maintain their own security (Firewall, ACL) infrastructure at the demarcation point between the SMART router and the Participants internal networks

• Operates on virtual private networks using trusted carriers

• Supports intrusion detection, which detects malicious activity originating outside the network

• Strong (AES) encryption is employed

Flexibility

• Uses carrier-based networks, which provide economical, ubiquitous coverage globally

• Supports a wide range of protocols, especially legacy architectures such as SNA

• Uses pure-IP topology, allowing network to react dynamically to changes

Managed

• DTCC employs the disciplines of ITIL throughout the IT organization

• DTCC GNOC manages the systems, applications and networks, representing the ECCP, DTCC and Omgeo services, to the highest reliability and security standards

• Sophisticated management systems and tools deployed

• Effective process, people and tools to deliver availability; Deploy changes without impact; Meet stringent incident timers; Keep environment secure; Test our readiness; Ensure the right skills

What are the main features of SMART?

• System is built with high-end Cisco hardware.

• The routed network operates with pure Internet protocol (IP). DTCC supports many participants and clients that maintain legacy architectures, namely, SNA, as well as pure-IP infrastructures.

• DTCC encapsulates SNA PU2 traffic into TCP/IP traffic streams using the SNA switching.

• Provides full support for Enterprise Extender (an IBM APPN technology)

• Bandwidth is delivered into DTCC-owned and -managed network devices at client locations as well as DTCC processing centers.

• All data are distributed via IP.

• SMART network uses carrier-based MPLS (multiprotocol label switching) as wide-area-network (WAN) services protocols.


• SMART backup connections are securely managed by DTCC

• Participants and clients maintain two connections into SMART: a primary connection and an alternative connection, to two active network locations interconnected by the client’s network.

• Participants and clients maintain a backup circuit connection (i.e. broadband) into SMART capable of supporting traffic at the same throughput rate as the primary link at that location.

• DTCC maintains route diversity for all Participant SMART network connections.

• DTCC subscribes to the trusted services from its network providers

• Simple Routing demark using Routing Information Protocol (RIP) version 2 to address network failover at the SMART edge for participants and clients.

• Maintains that the Participants are responsible for their own security beyond the SMART router handoff.

Simple Diagram of SMART connectivity

[Figure 2: Logical diagram “DTCC SMARTnet TCP/IP Access”. The drawing itself did not survive extraction; the elements it labelled are listed here.]

• SMART carries TCP/IP and SNA (PU2 (PTS) or PU4 via EE) traffic for the Depository and Clearing & Settlement applications (MQ, NDM, FTP, PBS, Omgeo CTM, Tradesuite, GCA, FundSpeed, Deriv Serv etc.) and the EuroCCP clearing applications.

• Primary path and secondary path: MPLS (PPP/FR) ports over MPLS Carrier A and MPLS Carrier B, each through a DSU/CSU, from the Participant/Customer screening router/firewalls and Participant hub/switch to the DTCC boundary routers, and on to the DTCC screening routers (37X5) and the DTCC/Omgeo applications at the ADC and RDC data centers (DTCC Net).

• ISDN / Broadband* backup access: a cable/DSL modem behind a firewall at the Participant site.

• Demarcation points sit between the Customer/Participant/Client networks and the DTCC-managed equipment; SDLC (PU2) devices on Token Ring or Ethernet attach through 3745 controllers.

• Note on the diagram: clients with multiple circuits into SMARTnet are encouraged to use the RIP2 routing protocol on the IP Extranet connections.


How do I get started?

Interested users must fill out two forms:

• DTCC Participant Service Connection Request

• DTCC Router Exchange Form

After submitting these forms, DTCC will contact you for a follow-up planning session and conference call. Applicants may be required to fill out additional forms after this consultation.

For more information about SMART contact the DTCC Participant Interface Planning (PIP) area, at (212) 855-8989 or email [email protected]

Note i: ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations. SAs contain all the information required for execution of various network security services, such as IP layer services (header authentication and payload encapsulation), transport or application layer services, or self-protection of negotiation traffic. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism.

This publication may contain proprietary and/or confidential information of DTCC and/or its suppliers. The recipient should not disclose this publication to third parties without the prior written permission of DTCC.

Although DTCC has used reasonable effort to ensure the accuracy of its contents, DTCC assumes no liability for any inadvertent error or omission that may appear in this publication. The information in this publication is the latest available at the date of its production, and may change from time to time. All other product or company names that may be mentioned in this publication are the trademarks or registered trademarks of their respective owners.
