Enhance your web-banking security with Secure Gate and LuxTrust
Protect Customer Confidentiality
Your customers depend on you to manage their financial well-being and safeguard their confidential information.
Meanwhile, Internet-based attacks against financial institutions are increasing in frequency and sophistication, and regulatory requirements are placing additional demands on your staff. Make sure your networks are up to the challenge.
- Granular filtering to segregate end users (private vs. professional) and add new filters
- Flexible authentication with LuxTrust, RSA SecurID, standard tokens or a custom login, which can be mixed if needed
- Open architecture to add specific languages and adapt to the Bank’s corporate identity
- Encryption of active content with a specific Java applet that replaces standard calls with secured/random calls through an AES tunnel
Secure Gate
Secure Gate is a solution developed and maintained by SkillTeam. It offers a high level of security for online banking applications.
It is a J2EE application that should preferably be deployed on an IBM WebSphere server. Secure Gate offers the following three
functionalities:
- Requests/responses filtering
- User authentication
- Encryption between a client browser and the server.
Requests/Responses filtering
Secure Gate includes a filtering option that allows the filtering of end user browser requests as well as the filtering of responses sent from the online banking application.
It is used with a reverse proxy tool such as Neoteris or R-Web and allows specific and granular filtering rules for various end users or contexts.
It is possible to use Secure Gate without activating the Requests/Responses filter. However, some standard filters such as the performance measurement can be very useful.
With Secure Gate’s open architecture, it is very easy to develop new filters in Java and deploy them in the application. It is, for example, possible to initiate security filters that are only applicable to private users and not to professional users.
By default, Secure Gate includes the following filters:
- performance measurement
- dump of input on the console
- dump of output on the console
- control HTTP headers integrity
- custom headers management
These filters are delivered with their respective
source files in order to be used as templates for
defining new filters.
Authentication
It is possible to have Secure Gate authenticate anonymous requests.
In addition to various standard authentication methods, Secure Gate uses a Java applet on the end user PC to execute the entire login process in a more secure context than a standard HTML page.
This applet (signed by the Bank in order to guarantee its origin) establishes a secured communication channel with the Secure Gate server by using an encrypted tunnel.
The authentication module includes the following authentication options:
- LuxTrust: Secure Gate supports the four authentication products proposed by LuxTrust (chip card, signing stick, token, mobile phone). This option verifies the certificates via the LuxTrust “certificate revocation list” (CRL) and automatically generates the audit files that have to be delivered on a daily basis by the Bank to LuxTrust. Secure Gate integrates version 2 of the LuxTrust “common layer”.
- RSA SecurID: Secure Gate enables authentication through SecurID tokens. This function uses access to an ACE server (not part of Secure Gate) based on the RADIUS protocol.
- Vasco Digipass: On request.
- Classic: The classic authentication consists of asking the end user to provide his identification, his password and two randomly chosen positions of a unique security code specific to each user.
Flexibility
In addition to the authentication process, Secure Gate allows the connection of several components in order to carry out a complete login.
There is no limitation to the number of components that can be sequentially chained during a login process.
Secure Gate offers the possibility to mix authentication methods to ensure the migration of a user from one authentication method to another. As the authentication applet is executed in an HTML page, Secure Gate includes an HTML template model that can be customized by the Bank according to its corporate identity.
The applet includes French and English as standard, but it is possible for the Bank to add any other language.
Advanced security
Secure Gate offers the option to protect user requests and forms integrity. When the request protection is enabled, Secure Gate automatically adds to any request a random token with a short lifetime, making it difficult to replay a scenario.
When the form integrity is enabled, Secure Gate signs all the forms included in the HTML pages of your application and adds an integrity component to the page. When the page is displayed to the user, the integrity component checks that no dynamic component has been added after the page has left the bank servers and raises an alert if something unknown is detected.
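The short-lived random request token described above, sketched in Java as an added example (this is not Secure Gate's own code). The class and method names are hypothetical, and binding each token to a session and accepting it only once are assumptions that the page does not state.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Illustrative only: names are hypothetical and not part of Secure Gate. */
public class RequestTokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Instant> live = new ConcurrentHashMap<>();
    private final Duration ttl;
    private final Clock clock;

    public RequestTokenStore(Duration ttl, Clock clock) {
        this.ttl = ttl;
        this.clock = clock;
    }

    /** Issue a 128-bit random token bound to one session, valid for ttl. */
    public String issue(String sessionId) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        live.put(sessionId + ":" + token, clock.instant().plus(ttl));
        return token;
    }

    /** Accept a token at most once, only for its session, only before expiry. */
    public boolean consume(String sessionId, String token) {
        Instant expiry = live.remove(sessionId + ":" + token); // atomic single use
        return expiry != null && clock.instant().isBefore(expiry);
    }

    /** Drop expired entries so abandoned tokens do not accumulate. */
    public void purge() {
        Instant now = clock.instant();
        live.values().removeIf(expiry -> !now.isBefore(expiry));
    }

    public static void main(String[] args) {
        RequestTokenStore store = new RequestTokenStore(Duration.ofSeconds(30), Clock.systemUTC());
        String t = store.issue("session-A"); // constructed sample session id
        System.out.println("first use:     " + store.consume("session-A", t));
        System.out.println("replayed:      " + store.consume("session-A", t));
        System.out.println("other session: " + store.consume("session-B", store.issue("session-A")));
    }
}
```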
Encryption
Secure Gate offers the option to encrypt the “active” content exchanged between the end user and the Bank’s server (HTML pages and
JavaScript code).
When the encryption tunnel is activated, the applet remains active on the end user side after authentication and uses the AES encryption tunnel to transmit the requests to the Bank’s server. For maximum security, the applet remains in the application main page and is only accessible via this page (no open TCP port).
All “GET” requests are automatically replaced by Secure Gate random calls. The Bank’s side component of Secure Gate parses the pages sent by the online banking application and replaces all the calls by secured ones.
The behavior of “POST” requests is left to the online banking application by using simple keywords. The Secure Gate applet allows the end user to submit forms but can also get a confirmation from the end user before sending a request to the server.
As soon as LuxTrust delivers its signing library, Secure Gate will be adapted to enable the end user to sign his transactions.
Server prerequisites
Secure Gate is a J2EE application developed in JDK 1.6. An application server compatible with this version of Java is necessary and we recommend the use of IBM WebSphere 7.X on a Windows or Unix/Linux platform with at least 2Gb RAM. No external resources are needed by Secure Gate and the disk space must be sufficient to receive log files.
User workstation prerequisites
As Secure Gate uses an applet on the end user side, the end user has to run JDK 1.5 on his workstation. Please check the compatibility matrix below in order to know the supported Operating Systems and browsers:
