QuickStream Security Features Guide
A division of Westpac Banking Corporation ABN 33 007 457 141

Document History

Date         Version  Description                   Author
03-Feb-2003  7.1      Original Version              Qvalent
15-Sep-2003  7.1      Updated                       Qvalent
7-Jul-2004   8.0      Updated for v8.0 software     Qvalent
14-Jul-2004  8.01     Updated                       Qvalent
24-Jun-2005  8.1      Updated                       Qvalent
8-May-2006   8.2      Updated                       Qvalent
16-Aug-2006  8.3      Updated                       Qvalent
27-Nov-2006  8.4      Updated                       Qvalent
31-Dec-2007  9.0      Updated for v9.0              Qvalent
3-Jun-2008   10.0     Updated with LTM information  Qvalent
16-Jul-2008  10.1     Updated                       Qvalent
4-Nov-2008   11.0     Updated                       Qvalent
5-Nov-2008   11.1     Updated                       Qvalent
22-Feb-2010  11.2     Updated                       Qvalent
22-Feb-2010  11.3     Updated with FAQ              Qvalent
12-Mar-2010  11.4     Updated                       Qvalent
3-May-2010   11.5     Updated                       Qvalent
17-Mar-2011  11.6     Updated                       Qvalent
7-Oct-2011   11.7     Updated                       Qvalent
12-Oct-2011  11.8     Updated                       Qvalent

A division of Westpac Banking Corporation. Copyright © 2011, Westpac Banking Corporation, ABN 33 007 457 141. All rights reserved.

Table of Contents

1 Introduction
2 Security Features
  2.1 Passwords / Authentication
  2.2 Accountability and Auditing
  2.3 Single Sign On
  2.4 Role Based Security
  2.5 Intrusion Detection Controls
  2.6 Inactivity Controls
  2.7 Encryption
3 Web Based Application Development
  3.1 Secure Coding Practices
  3.2 Web Session Management
4 Messaging Controls
5 Credit Card Processing
  5.1 Overview
  5.2 How Does Qvalent Process Cards?
  5.3 Credit Card Integration Security
  5.4 PCI-DSS Compliance
6 Banking File Transfer
7 Data Centre Facilities
  7.1 WAN
  7.2 Internet
  7.3 Network Firewalls
  7.4 BigIP Local Traffic Manager (LTM)
  7.5 BigIP Application Security Manager (ASM)
  7.6 Servers
  7.7 Monitoring and reporting
8 Disaster Recovery
  8.1 What are Qvalent's disaster recovery plans?
9 Backups, Data Storage and Destruction
10 General FAQ's
11 Glossary

1 Introduction

Qvalent is a 100% owned subsidiary of the Westpac Banking Corporation and operates the QuickStream platform for Westpac.

Qvalent treats security as a prime concern. As Qvalent is a 100% wholly owned subsidiary of the Westpac Banking Corporation, it must conform to all Westpac security policies. This is to ensure that the Customer's and Westpac's data is secure, no insecure network applications are used and all communications between Qvalent applications themselves or external applications are carried out over secure links. In addition, all financial data transmitted between Qvalent (Westpac) must be encrypted and digitally signed for both the customer and Westpac's protection.

Some of the key security measures used by Qvalent consist of:

- PCI-DSS Compliant (Level 1).
- AS2805 Compliant.
- Application firewalls to prevent data leakage.
- Single sign on for all users;
- All applications share the same security code base;
- Every page validates a user's security;
- Users are only allowed to view data for companies that they are associated with;
- Message encryption using SSL between both internal and external systems;
- Basic authentication for all messages sent between Qvalent and external systems;
- Reverse IP lookups to check the origin of received messages;
- Full digital certificate (both client & server) support;
- All critical user and financial information is stored encrypted using private keys in the database;
- Access to the database is only allowed through security data access objects;
- Multiple firewall cells; and
- All ports and IP addresses blocked by default, only specific addresses and ports are open.

Qvalent's wide area network is managed by Optus and its data centre / internal network by Hewlett Packard. Both of these companies use best of breed practices.

2 Security Features

2.1 Passwords / Authentication

The application authenticates users through X.509 certificates or by a user name/password combination. The database cannot be read to reveal user passwords as they are held in encrypted form. To this end, when a user wishes to change their password, the system will only transmit the keystrokes encrypted, thus the line cannot be 'sniffed' effectively.

Once authenticated, the user has a session variable created and kept as a server-side cookie, which is passed to every page accessed throughout the user's session.

When a user is authenticated, they are assigned user rights within a company. These security rights can be limited to an individual, group or company level. Access to information is based on a user's security rights and the company administrator controls this.
Some of Qvalent's password management capabilities include:

- Minimum of eight characters;
- Must contain letters and numbers;
- Can only be changed once in a 24 hour period;
- Must be changed every 42 days;
- Cannot reuse the last 5 passwords;
- Ability to enforce password expiration;
- Passwords stored as a hash;
- Ability to require automatic password expirations when initially assigned or reset;
- Ability to require re-authentication after 15 minutes of inactivity;
- Ability to automatically disable accounts after a period of inactivity (120 days);
- Ability to manually lock out a user account;
- Ability to lock out an account automatically after a defined number of incorrect logins (5 attempts);
- Password suppression (masked) during entry at sign on dialogue;
- Passwords are masked from all outputs (e.g. reports, logs, etc);
- Passwords cannot be retrieved or viewed from password database;
- Ability to permit user-initiated resetting of passwords;
- Forced password re-entry verified (old pw, new pw, and new pw again);
- Ability to deactivate or change passwords of vendor supplied IDs;
- Ability to force password changes; and
- Support for One Time Passwords (OTP).
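
The numeric limits in the list above (length, composition, one change per 24 hours, 42-day expiry, last-5 reuse, lockout after 5 incorrect logins) can be combined into one policy check. This is an added example, not Qvalent's code: the Account class, its method names and the use of PBKDF2 for the stored hash are assumptions.

```python
import hashlib, hmac, os, re
from datetime import timedelta

# Limits taken from the guide's password list.
# Assumption: the "last 5" history counts the current password.
MIN_LENGTH, HISTORY_DEPTH, MAX_FAILED = 8, 5, 5
MIN_AGE = timedelta(hours=24)   # changed at most once per 24 hours
MAX_AGE = timedelta(days=42)    # must be changed every 42 days

def _hash(password, salt):
    # Assumption: PBKDF2 stands in for the hash the guide leaves unspecified.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password, now):
        self.history, self.failed, self.locked = [], 0, False
        self._store(password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(password, salt))])[-HISTORY_DEPTH:]
        self.changed_at = now

    def _matches(self, password, entry):
        return hmac.compare_digest(_hash(password, entry[0]), entry[1])

    def change_password(self, new, now):
        """Return policy violations; an empty list means the change was applied."""
        errors = []
        if len(new) < MIN_LENGTH:
            errors.append("too short")
        if not (re.search(r"[A-Za-z]", new) and re.search(r"\d", new)):
            errors.append("needs letters and numbers")
        if now - self.changed_at < MIN_AGE:
            errors.append("changed within 24 hours")
        if any(self._matches(new, e) for e in self.history):
            errors.append("reuses a recent password")
        if not errors:
            self._store(new, now)
        return errors

    def login(self, password, now):  # returns 'ok', 'expired', 'denied' or 'locked'
        if self.locked:
            return "locked"
        if not self._matches(password, self.history[-1]):
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED
            return "locked" if self.locked else "denied"
        self.failed = 0
        return "expired" if now - self.changed_at > MAX_AGE else "ok"
```

Timestamps are passed in explicitly so the 24-hour and 42-day rules can be exercised without waiting.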

2.2 Accountability and Auditing

Qvalent products provide the following accountability and auditing functionality:

- Audit logs can be secured from unauthorized access;
- Ability to log activities performed by specific ID or time of day;
- Ability of audit log to time and date stamp all actions for each ID;
- Ability to filter the level of logging based on log masks;
- Ability to identify and log all subsequent access points - accountability is maintained throughout session;
- Ability to log successful and unsuccessful single sign-on attempts;
- Failed access attempts to specific domains, files, directories, URLs can be logged;
- Administrative functions can be logged and are auditable;
- Ability to maintain the user's identity for the duration of the session; and
- Ability to prevent the display of passwords on audit logs.

2.3 Single Sign On

Qvalent applications allow external validation systems to be used to replace its standard login processor. A custom "Authenticator" Java class that implements a defined interface can be created to meet specific customer requirements.

Typical uses for this "Authenticator" revolve around a company having a single sign-on system (SSO) that all users must log on to. Through the use of an "Authenticator", Qvalent Procurement can be integrated with such a system.

The creation and deletion of Procurement user accounts can also be managed through Qvalent's iConnect technology. This allows users to be added, updated or deleted automatically via iConnect integration packages. Once again these packages can be integrated with SSO systems.

2.4 Role Based Security

All users require individual sign ons to the applications; no generic accounts are allowed. All user IDs are role based with particular rights assigned to those roles. QuickStream provides a flexible framework that allows organisations to be 'self managing'.
This means that within an organisation rights and roles can be assigned by personnel within that organisation (Community Administrators).

2.5 Intrusion Detection Controls

The Qvalent suite offers a number of Intrusion Detection Controls. These include:

- Ability to set an unsuccessful access attempt limit;
- Ability to suspend ID after reaching the unsuccessful access threshold;
- Ability to display time/date of last successful logon;
- Ability to display number of unsuccessful logon attempts since last successful log-in;
- Ability to send alerts to administrators for unauthorized access attempts;
- Ability to detect incoming messages from unauthorised sources; and
- In addition to software control, Hewlett Packard provides comprehensive network event detection and notification management.

2.6 Inactivity Controls

Qvalent products provide the following inactivity controls:

- Automatic logoff of ID after a 15 minute period of session inactivity; and
- After lock-out, re-access requires password authentication.

2.7 Encryption

Externally, all inbound and outbound sensitive data is encrypted and digitally signed. For file based transfers this is PGP with a 1024-bit key. For stream based exchanges this is over SSL with 128-bit certificates.

Internally, Qvalent uses the triple DES algorithm in cipher-feedback mode and AES for all two-way data encryption. The encrypted information can optionally be returned in a base 64 encoded string.

3 Web Based Application Development

3.1 Secure Coding Practices

Qvalent web software and applications development philosophy is based on secure coding guidelines such as the Open Web Application Security Project guidelines.

Review custom application code to identify coding vulnerabilities. See www.owasp.org - "The Ten Most Critical Web Application Security Vulnerabilities." Cover prevention of common coding vulnerabilities in software development processes, to include:

- Unvalidated input - All data is validated by a common framework in the application, where required fields are checked, along with input length and data format (for non-free text fields).
- Broken Access control - Qvalent applications automatically lock out accounts after a set number of invalid login attempts to prevent 'brute force' attacks.
- Broken authentication and session management (use of account credentials and session cookies) - Session IDs are generated using a 128-bit cryptographic pseudo-random number generator, making guessing the next ID implausible. The session ID is 128 bits long. The session ID is temporary in nature, and is not stored on the user's disk. It is also only contained in the memory of the application server, and never written to disk. Sessions are also automatically timed out after a period of inactivity.
- Cross Site Scripting (XSS) attacks - Qvalent's architecture uses XSL to generate the HTML displayed to users. The servlets on the application server generate XML which is then transformed into what the user sees. The underlying technology prevents this kind of attack, since any dangerous characters in the output (such as “