Documente Academic
Documente Profesional
Documente Cultură
Connectivity to SWIFT
26 June 2015
Connectivity to SWIFT
Table of Contents
.Preface .............................................................................................................................................................................3
1 Introduction ....................................................................................................................................................... 4
Preface
Purpose of this document
This document assists security officers, network administrators, and network designers to
design, configure, and manage the SWIFTNet Link-VPN and SWIFTNet Link-HSM connections
for their organisations. It also includes configuration guidelines for network protocols and
address management.
Audience
This document is for the following audience:
security officers who want to assess the compliance of the SWIFTNet service network access
requirements with their own security policies
network security administrators who configure network access control devices between their
own network and the SWIFT secure IP network
network designers or network administrators who design solutions that suit the requirements
of SWIFT and of their own organisations
Note During the SWIFTNet implementation process, SWIFT recommends that one of
the intended audience acts as the contact during installation of the
telecommunications equipment.
Significant changes
The table lists the significant changes to this document since the August 2013 edition. This
table does not include editorial changes that SWIFT may have made to improve the usability
and comprehension of the document.
Related documentation
The following documents relate to this guide:
26 June 2015 3
Connectivity to SWIFT
1 Introduction
SWIFTNet services
SWIFTNet provides secure communication between two parties that are connected to the
SWIFT secure IP network. SWIFTNet consists of InterAct and FileAct messaging services, and
also Browse, a browsing capability that complements the InterAct and FileAct services.
Security policies
Exceptionally, some security policies can impact the end-to-end performance of SWIFTNet. If
you have any questions about the possible performance impact of a SWIFT security policy
proposal, then please contact a SWIFT security representative.
SWIFT has implemented strict security measures, which it has designed to ensure that the
SWIFT network is protected and safe. A SWIFT customer's own security policy can recommend
or mandate the deployment of network access control devices between the customer's network
and SWIFT's network. SWIFT encourages customers to deploy such controls.
2 Configuration Requirements
Controlled by
Customer
HSM
network
Local
loops PoP
VPN Network
box Partner 1
HSM router
application secure
PoP
HSM VPN Network IP network
box Partner 2 Backbone
router Network
Customer
network Operating
Managed CPE Centers
application
Network
Partner n
D0650016
Customer premises
26 June 2015 5
Connectivity to SWIFT
Topology
The SWIFTNet Link-VPN connection area of the diagram is the principal consideration when
planning how the customer's network protects SWIFTNet-related traffic.
The equipment that enables access to the SWIFTNet services includes the following elements:
the host machine on which the customer has installed the SWIFTNet Link and Alliance
WebStation software (that is, the SWIFTNet Link host)
the SWIFT managed customer-premises equipment (including VPN boxes, routers, and
cables)
cables to connect the VPN box and the SWIFTNet Link host
cables to connect the HSM box and the SWIFTNet Link host
Note The term SWIFTNet Link host refers to a system that is directly connected to
SWIFTNet, and that runs SWIFTNet Link or Alliance WebStation software. The
SWIFTNet Link host category comprises hosts running Alliance Gateway software
on top of SWIFTNet Link. However, it excludes Alliance WebStations accessing
SWIFTNet indirectly by means of Alliance Gateway, that is, acting as
concentrators.
An unsecured network link (such as a public network) between the SWIFTNet Link host and the
VPN box may expose these systems to a wider community. Such unsecured links can be a
potential source of attack, which would defeat the purpose of the VPN box.
Potential risks
The following undesirable outcomes can occur if the customer does not protect the SWIFTNet
Link-VPN connection appropriately:
Denial of Service attacks on the customer's SWIFTNet Link host, or on the connection to
SWIFT
unauthorised access to the SWIFTNet Link host or the VPN box, with the intention of data
disclosure or modification
protect all traffic between the SWIFTNet Link host and the VPN box against packet insertion
or eavesdropping
physically protect the SWIFTNet Link host environment from unauthorised access
protect the SWIFTNet Link host from unauthorised access through the network
protect the VPN box from unauthorised access through the network
26 June 2015 7
Connectivity to SWIFT
Note To benefit from SWIFT's Distributed Denial of Service (DDoS) mitigation solution
available for Internet-facing services, additional firewall configuration is required.
This additional configuration limits the operational impact to your institution in case
SWIFT is subject to a DDoS attack. For additional information, see Knowledge
Base tip 5019964.
protect all traffic between the SWIFTNet Link host and the HSM box against packet insertion
or eavesdropping
protect the HSM box from unauthorised access through the network
The customer must ensure that only authorised personnel have physical and logical access to
HSM devices, whether they are actively used or not. HSM devices are HSM boxes, PIN Entry
Devices (PED), and PED keys. The customer must handle spare or backup HSM devices
according to the equivalent security practices that are applied to its live devices.
Clustered HSMs
The customer must adhere to the same security requirements as specified for the SWIFTNet
Link-HSM connection.
USB-based HSMs
USB-based HSMs must either be inserted directly into the USB port of the SWIFTNet Link host
(recommended), or connected to a USB port through a USB extender, USB hub, or USB
Ethernet hub. USB hubs and USB Ethernet hubs must be self-powered USB 2.0 hubs.
USB-based HSMs must not be connected to the SWIFTNet Link host over a wireless
connection. It is the customer's responsibility to protect physically the entire SWIFTNet Link-
HSM configuration. This includes the SWIFTNet Link host, the USB-based HSMs, and its
connection with the SWIFTNet Link host.
The customer must ensure that only authorised personnel have physical and logical access to
HSM tokens or HSM cards, whether they are actively used or not. For example, the customer
must safeguard HSM tokens or HSM cards, whether they are connected to a SWIFTNet Link or
not, when they are not in use, or serve as a backup. Therefore, after an application or a user
has logged off, the customer must remove the HSM token or HSM card and store it in a safe,
secure place. The customer must handle spare or back-up HSM tokens or HSM cards
according to the equivalent security practices that are applied to its live devices.
When using a USB Ethernet hub, the customer must do the following to secure the connection
between the SWIFTNet Link host and the USB Ethernet hub:
Protect all traffic between the SWIFTNet Link host and the USB Ethernet hub against packet
insertion or eavesdropping
Protect the USB-based HSM from unauthorised access through the network
Note Unauthorised access to a USB-based HSM can lead to HSM unavailability. For
example, it can lead to HSM lock-out due to multiple failed login attempts.
The customer must not use the following ranges for the local IP addresses of its SWIFTNet
systems. This includes SWIFTNet Link hosts, VPN boxes, or any network device that
supports secure IP network connectivity.
- 10.0.0.0 through 10.255.255.255
- 149.134.0.0 through 149.134.255.255
- 149.134.173.0 through 149.134.255.255
- 172.16.0.0 through 172.19.255.255
- 172.28.0.0 through 172.28.255.255
- 172.31.0.0 through 172.31.255.255
26 June 2015 9
Connectivity to SWIFT
Further guidelines
To enable secure message exchange with SWIFTNet, SWIFT strongly recommends that the
customer adhere to the following principles when planning its network and systems connections:
If the customer configures a filtering device between the SWIFTNet Link host and VPN box,
then the customer must ensure that where TCP session timeout values apply, it sets the
value to at least 60 minutes.
The customer can apply additional Network Address Translation (NAT) as described in
"Network Address Translation" on page 34.
The customer must ensure that SWIFTNet Link or Alliance WebStation always connect by
means of the same managed customer-premises equipment, or set of managed customer-
premises equipment in the case of SWIFTNet Link alternative routing. Alliance Gateway
connects to SWIFTNet using SWIFTNet Link.
The IP addresses assigned to the SWIFTNet Link hosts must be static and must not change
dynamically, for example by Dynamic Host Configuration Protocol (DHCP). These IP
addresses are linked to a specific SWIFTNet Link instance (SWIFTNet Link ID) or Alliance
WebStation instance (SWIFTNet Link-J ID). The IP addresses of the SWIFTNet Link hosts
must not coincide with the IP addresses that the customer has assigned to the VPN boxes or
the NetScreen Redundancy Protocol (NSRP) address (if they are on the same subnet). The
customer must provide these IP addresses to SWIFT, because only the provisioned IP
addresses can connect to SWIFTNet services.
The following information applies only to customers that want to install a SWIFTNet Link or
Alliance Gateway on a UNIX system.
During the GUI-based installation of SWIFTNet Link or Alliance Gateway and its patches, the
firewall must temporarily pass the X11 protocol from the SWIFTNet Link host to the PC (or
other terminal) to enable the Installation GUI to be invoked. This is the firewall between the
SWIFTNet Link host and the PC or terminal (running the X11 server) where the installation is
invoked, and not the firewall between the SWIFTNet Link host and the VPN box. The
customer requires the X11 port (usually limited to 6000/tcp) only when it is installing
SWIFTNet Link or Alliance Gateway. It must close the port after a successful installation.
Silent installation
SWIFT provides the ability to perform a command-line installation based on a 'response' file
prepared in advance for easy execution. This approach allows unattended installations of
multiple instances, avoids manual error, and provides the same tracing features of performed
actions as in the standard graphical installations. Silent installations do not use the X11
protocol, which eliminates the need to open firewall ports. However, silent installations, if not
launched locally on the target system, require a remote connection to the machine running the
installation script.
The IP addresses assigned to the HSM must be static and not change dynamically, for
example, as a result of DHCP. The IP addresses are linked to a specific HSM box and are
configured at the SWIFTNet Link. SWIFTNet Link uses the configured IP addresses and not
DNS to resolve the IP.
HSMs can be shared with multiple SWIFTNet Links. A maximum of five SWIFTNet Links can
be connected to an HSM (cluster or stand-alone box).
The customer may connect a maximum of two HSM clusters to a single SWIFTNet link. Each
of these clusters can have a maximum of four HSMs.
When configuring HSMs in a cluster to handle HSM failovers, the maximum number of HSMs
in each cluster is limited to four.
All HSMs in the cluster must be connected through the same LAN between SWIFTNet Links
with equivalent network performance.
The IP addresses assigned to the USB Ethernet hub must be static and must not change
dynamically - for example, as a result of DHCP.
NAT cannot be used between the SWIFTNet Link host and the USB Ethernet hub.
Network characteristics
The network characteristics on the path between the SWIFTNet Links and the HSM boxes, and
between clustered HSM boxes, must be those of a high-quality Ethernet Local Area Network.
26 June 2015 11
Connectivity to SWIFT
The performance and reliability of these network paths have a direct impact on the SWIFTNet
main message flow. These network paths must have the following characteristics:
Packet loss
The network paths must be reliable, with less than one packet lost per million. It is strongly
recommended to keep the number of network components on these network paths to a
minimum as they can impact network stability.
Network latency
The network round-trip latency between the SWIFTNet Link and each of its HSM boxes, and
between the HSM boxes in an HSM cluster, must be less than 2 milliseconds, and this
latency must be guaranteed under full load conditions.
For HSM clusters for WebAccess/Browse, round-trip latency between the SWIFTNet Link
and each of its HSM boxes, and between the HSM boxes and in an HSM cluster, may not
exceed 10 milliseconds (for customers with a high number of WebAccess/Browse users, that
is, with more than 250 WebAccess/Browse users) or 20 milliseconds (for customers with a
low number of WebAccess/Browse users, that is, with less than 250 WebAccess/Browse
users). For more information about HSM clusters for WebAccess/Browse, see the Resilience
Guide > SWIFTNet Link-HSM Box Connection.
Note Some firewall configurations between the SWIFTNet Link and the HSM box may
prevent the achievement of this latency target. Customers must design such
configurations carefully. Exceeding this latency target can have a negative
impact on the SWIFTNet Link startup time.
Note When determining the delay that an intervening store-and-forward device (router,
switch, firewall, or similar component) can introduce, the packet size is assumed to
be 1500 bytes.
How to measure this: Doing a ping is a practical, but only an approximate way to measure
round-trip network latency. The following caveats apply when pinging a network:
Ping overestimates the round-trip network latency for the following reasons. It does not
exclude the time to receive the entire ping request packet at the destination system, typically
it does not exclude the time to receive back the ping reply packet at the source system, and it
does not exclude some operating system overheads at both source and destination systems.
All of these must be excluded to get an accurate measurement of round-trip latency. The
amount of overestimating is largely dependent on the network bandwidth (port speed) at the
source and destination systems.
On operating systems supported by SWIFTNet Link (Windows, AIX, Solaris), you must
specify the ping data size as 1458 data bytes to issue a single ping request packet of 1500
bytes.
Ping rounds the measurement down to the lowest millisecond. For example, 2.7 milliseconds
are shown as 2 milliseconds.
With these caveats in mind, here are some rules of thumb to stay within the limit of 2
milliseconds round-trip latency:
If the SWIFTNet Link host's and the HSM box's Ethernet port operate at 10-Mbps port speed,
then a ping from the SWIFTNet Link host with a 1458 data length must return a Round Trip
Time (RTT) of less than or equal to 2 milliseconds.
If the SWIFTNet Link host's and the HSM box's Ethernet port operate at 100-Mbps port
speed, then a ping from the SWIFTNet Link host with a 1458 data length must return a
Round Trip Time (RTT) of less than or equal to 2 milliseconds.
26 June 2015 13
Connectivity to SWIFT
Controlled by
Application
D0650008
Customer premises
Alliance Gateway
Controlled by
Secure
remote
connection
Alliance Alliance
Web Platform WebStation Application Application
RA WebSphere MQ
Browse
D0430018
Customer premises
Both the SWIFTNet Link host that runs the Alliance Gateway and the VPN box are co-located,
and the customer can configure them according to one of the options described in "Co-located
Configurations" on page 13.
the customer renews keys associated with the authentication mechanism at least every two
years, and that the customer uses a symmetric key with RSA-based or authenticated Diffie-
Hellman key exchange for traffic encryption
the customer renews encryption keys frequently, typically every other day
26 June 2015 15
Connectivity to SWIFT
For authentication and encryption of the connection between an Alliance WebStation and a
VPN box, the customer does not require any additional configuration.
The customer must be pro-active with Support representatives in managing any problems
related to the connection. The Support representatives may not know of the existence of such a
remote connection or its specifics.
Controlled by
D0650009
Customer premises
Exceptions
Any customer that is unable to comply with the mandatory configuration requirements for non
co-located configurations must submit its proposed configuration to SWIFT. SWIFT considers
such a proposed configuration as an exception to the security requirements that apply to the
SWIFTNet Link-VPN connection.
For information about these security requirements, see "Security Requirements" on page 7.
no routers between the SWIFTNet Link host and the VPN box
using an IP router between the SWIFTNet Link host and the VPN box
No routers between the SWIFTNet Link host and the VPN box
Controlled by
D0650004
Customer premises
An Ethernet LAN connects the VPN box and the SWIFTNet Link host. The Ethernet LAN can
consist only of Ethernet cable or it can include hubs, switches, or repeaters.
If there are no routers between the VPN box and the customer SWIFTNet Link hosts, and only
an Ethernet connection (including any Ethernet cables, hubs, switches, or bridges), then the IP
address assigned to the VPN box and the IP addresses assigned to customer hosts must be on
the same subnet.
Two IP addresses are on the same subnet if they start with the same numbers at the bit level,
and share the same subnet mask. For example, IP addresses 192.168.1.25 and 192.168.1.96
both have subnet mask 255.255.255.0 and are therefore on the same subnet.
Important If there are no routers or firewalls between the SWIFTNet Link host and one or
more VPN boxes, then the VPN box requires that the MAC address of the
SWIFTNet Link host remains the same during a session. This means that if
SWIFTNet Link runs on hardware that allows the use of more than one Ethernet
network interface, for example, a cluster, then the MAC that the customer uses for
communication with SWIFTNet must not change while the SWIFTNet Link is
running. Otherwise the established TCP session or sessions can break.
26 June 2015 17
Connectivity to SWIFT
Using an IP router between the SWIFTNet Link host and the VPN box
Controlled by
D0650010
Customer premises
The VPN box and the SWIFTNet Link host connect through at least one IP router or firewall.
When ordering SWIFTNet, the customer must inform SWIFT of the IP address of the next-hop
routing device on the network. This is the device to which the VPN box routes packets sent to
the SWIFTNet Link hosts. The next-hop IP address and the IP address of the managed
customer-premises equipment (VPN box) must be on the same subnet.
If there are routers or similar devices, for example, firewalls or NATting devices, between the
VPN box and the SWIFTNet Link hosts, then the customer must ensure that the IP addresses of
the SWIFTNet Link hosts and the VPN box are on different subnets.
If the customer specifically needs a SWIFTNet Link IP address to be on the same subnet as the
VPN box IP address, while in reality there is at least one router or firewall between the
SWIFTNet Link host and the VPN box, then the customer must enable proxy ARP for the
SWIFTNet Link IP address on the next-hop router or firewall. In this situation, if the customer
does not enable proxy ARP, then communication between the VPN box and the SWIFTNet Link
host may not be possible.
It is possible to have more than one next-hop routing device, in which case each SWIFTNet Link
IP address must correspond to one, and only one, next-hop IP address. The VPN box contains
a static route for each SWIFTNet Link IP address, which points to the next-hop IP address.
If the customer wants a high-availability setup, in which another customer router or firewall takes
over if the designated next-hop router or firewall fails, then that other router must keep the same
IP address when the failover occurs. The customer must implement a clustering or high-
availability technique such as HSRP, VRRP, or NSRP. For an explanation of the dual firewall
configuration, see "Configuring Network Connectivity" on page 23.
Note Since the next-hop IP address is often a firewall, it is sometimes called the firewall
IP address.
Important The VPN box (or boxes) requires that the MAC address of the next-hop firewall or
the router remains the same during a TCP session. This means that if the customer
has clustered the firewall or router, or runs it in a high-availability mode, then the
MAC address must not change in the event of a failover. Otherwise the established
TCP session (or sessions) can break.
If an IP router or a firewall protects the SWIFTNet Link host, then the customer
must do one of the following:
Locate the SWIFTNet Link host on a different IP subnet to the VPN box, which
means that the IP router or the firewall is the next-hop IP address and must
respond to Address Resolution Protocol (ARP) requests.
Locate the SWIFTNet Link host on the same subnet as the VPN box. In this
case, the IP router or firewall must perform proxy ARP.
Controlled by
D0650005
Customer premises
26 June 2015 19
Connectivity to SWIFT
Controlled by Customer
Dedicated LAN
To VPN
D0650023
SWIFTNet Link host
Controlled by Customer
Dedicated LAN
To VPN
D0650020
Controlled by Customer
DMZ LAN
To VPN
D0650021
Back-office LAN configuration
A customer connects one or more HSM boxes to the customer network, away from the
Demilitarised Zone (DMZ) network. This configuration is acceptable as long as all the security
and network requirements specified in this document are met. It is very important, however, that
the access to the HSMs is restricted to SWIFTNet Link-HSM traffic only. If an optional filtering
device is placed on the SWIFTNet Link-Application network, then the configuration must allow
SWIFTNet Link-HSM connectivity.
Controlled by Customer
Back-office LAN
SWIFTNet Link host
To VPN
HSM box 1
HSM box 2
D0650022
26 June 2015 21
Connectivity to SWIFT
Connecting the Remote PED Workstation and the SWIFTNet Link host
In the diagram "Remote PED Workstation to SWIFTNet Link host connection" on page 22, the
SWIFTNet Link host connects to a Remote PIN Entry Device (PED) Workstation over the
customer network. The SWIFTNet Link host communicates with HSM boxes over the SWIFTNet
Link-HSM connection. For details about how to configure the SWIFTNet Link-HSM connection,
see "SWIFTNet Link-Hardware Security Module Connection Examples for LAN-based HSMs"
on page 20.
Controlled by Customer
Customer HSM
Remote PED network
Workstations
HSM
HSM
Customer
network
D0170017
Optional
filtering device
The customer can install an optional filtering device, such as a firewall, internal to the institution,
between the Remote PED Workstations and the SWIFTNet Link host, thereby restricting access
to the SWIFTNet Link host from the customer network.
For more information about how to configure this filtering device, see the Remote PED
Workstation and Firewalls section in the Network Configuration Tables Guide.
Network latency
The network round-trip latency between the SWIFTNet Link host and the Remote PIN Entry
Device (PED) Workstation should not exceed 500 milliseconds. Exceeding this latency target
could negatively impact the operation of the Remote PED.
Note Inappropriate use of certain network components such as routers, hubs, switches,
and firewalls can add significantly to network latency.
Route to the NetScreen Redundancy Protocol (NSRP) IP address (the virtual IP address
shared by the two devices). The active VPN box claims the NSRP IP address as its own.
Limit to seven the network connectivity configurations on a single Ethernet LAN or VLAN.
The VPN boxes are NetScreen devices. If a customer intends to use other NetScreen devices
with NetScreen's NSRP protocol on the customer Ethernet network to which it has connected
the VPN boxes, then the following information is relevant.
Each Alliance Connect solution has a virtual Ethernet (MAC) address from the following list:
00:10:db:ff:20:d1
00:10:db:ff:40:d1
00:10:db:ff:60:d1
00:10:db:ff:80:d1
00:10:db:ff:a0:d1
00:10:db:ff:c0:d1
00:10:db:ff:e0:d1
Customers must ensure that no other NetScreen or Juniper equipment, which is connected to
the Ethernet network to which a network connectivity configuration is also connected, uses a
MAC address from the preceding list. This is to avoid a potential conflict with the virtual MAC
address of the connectivity configuration.
26 June 2015 23
Connectivity to SWIFT
that traffic from a particular SWIFTNet Link host IP address to SWIFTNet is always routed to
the same secure IP network access configuration as selected by the customer during the
SWIFTNet Ordering process
that traffic to a particular SWIFTNet Link host IP address from SWIFTNet is routed from this
secure IP network access configuration to the correct SWIFTNet Link host
Controlled by
Customer SWIFT
SWIFTNet Link-VPN
connection
192.168.1.1/24
VPN
1 2.1.2.1/24 2.1.2.200/24 192.168.1.200/24 box
Filtering
device A
192.168.2.1/24 VPN
2 box
2.2.2.1/24 2.2.2.200/24 192.168.2.200/24
Filtering
device B
D0650013
Customer premises
SNL1
Destination 149.134.0.0 netmask 255.255.0.0 gateway 2.1.2.200
SNL2
Destination 149.134.0.0 netmask 255.255.0.0 gateway 2.2.2.200
Filtering device A
Destination 149.134.0.0 netmask 255.255.0.0 gateway 192.168.1.1
Filtering device B
Destination 149.134.0.0 netmask 255.255.0.0 gateway 192.168.2.1
26 June 2015 25
Connectivity to SWIFT
Controlled by
Customer SWIFT
SWIFTNet Link-VPN
connection
3.3.3.200/24
192.168.3.200/24
Filtering Next-hop VPN
device router box
2 3.3.1.2/24 3.3.3.2/24
D00650012
Customer premises
SNL1
Destination 149.134.0.0 netmask 255.255.0.0 gateway 3.3.1.201
SNL2
Destination 149.134.0.0 netmask 255.255.0.0 gateway 3.3.1.201
Filtering device
Destination 149.134.0.0 netmask 255.255.0.0 gateway 192.168.3.200
Next-hop router
Source 3.3.1.1-Destination 149.134.0.0 netmask 255.255.0.0 gateway 3.3.3.1
Source 3.3.1.2-Destination 149.134.0.0 netmask 255.255.0.0 gateway 3.3.3.2
route traffic destined for multi-vendor secure IP network to the VPN boxes
Segregated environments
Customers should use segregated environments where possible. An environment using
multi-vendor secure IP network (for example, a SWIFTNet Link and all network equipment
leading up to the VPN pack) should route all traffic to destination network 149.134.0.0/16 to
the VPN pack. An environment using swift.com (for example, network equipment supporting
an end-user's workstation) should allow all traffic to destination network 149.134.0.0/16 to be
routed to their internet gateway.
Mixed environments
Customers may use a mixed environment where network equipment supports traffic destined
for both multi-vendor secure IP network and swift.com (for example, the local network
supports SWIFTNet Link hosts and end-user workstations).
Customers using a mixed environment must:
decide which host uses which environment (multi-vendor secure IP network or internet)
add more specific routes to the following networks for SWIFT services reachable over the
internet:
149.134.144.0/24
149.134.145.0/24
149.134.146.0/24
149.134.148.0/24
149.134.152.0/24
149.134.156.0/24
149.134.157.0/24
149.134.158.0/24
149.134.168.0/24
149.134.169.0/24
149.134.170.0/24
149.134.176.0/24
26 June 2015 27
Connectivity to SWIFT
149.134.177.0/24
3 Configuration Guidelines
IIOP(2) Internet Inter ORB - an Object Transport used for core message
Management Group (OMG) exchange from Alliance
industry standard WebStations by means of
SWIFTNet
Security certificates
26 June 2015 29
Connectivity to SWIFT
(1) Customers need use the Tuxedo protocol only for SWIFTNet Link. Alliance WebStation does not require it.
(2) Customers need use the IIOP protocol only to connect Alliance WebStation directly to SWIFTNet. It is not
necessary to use it for SWIFTNet Link or for an Alliance WebStation connected to an Alliance Gateway.
The customer only permits return traffic on ports greater than 1023, and only when part of an
established TCP connection.
UDP-based DNS traffic must be inspected, in order that return traffic into the customer
network is permitted only as a response to a previous outgoing request.
A stateful firewall that has a firewall filter policy aligned with the information in the Network
Configuration Tables Guide meets the requirements of such a policy.
Controlled by
Alliance
Web Platform
SWIFT
WebAccess
Alliance
WebStation
SWIFTNet Link-VPN
connection Managed CPE
Application
VPN permanent Network
RA box connection
router PoP Partner 1
Alliance
Gateway
Application Customer
network
WebSphere MQ
FW2 FW1 VPN permanent Network
connection Partner 1
box or 2
router PoP
One-time DMZ
password LDAP
Authentication
Server
Simple Network
Management
Protocol Manager
D0430004
Customer premises
The customer installs a SWIFTNet Link-to-secure IP network firewall, FW1 in the diagram,
between the SWIFTNet Link and the secure IP network. It installs another concentrator firewall,
internal to the Institution, FW2 in the diagram, between the applications and the Alliance
Gateway. This makes it possible for the customer to place the Alliance Gateway in a DMZ.
For more information about how to configure the firewall installation, see the Alliance Gateway
and Firewalls section in the Network Configuration Tables Guide.
Note The diagram "Installation with two firewalls" illustrates firewalls in a logical way.
The customer can achieve the configuration by using a single firewall with at least
three Ethernet interfaces.
Note Customers must open all ports that relate to Alliance Gateway on the firewall, FW2
in the diagram "Installation with two firewalls". The Network Configuration Tables
Guide provides more information about these ports.
26 June 2015 31
Connectivity to SWIFT
Browse configuration
When Alliance WebStation or Alliance Web Platform is used with Alliance Gateway, the HTTPS
traffic optionally goes through an HTTP proxy. Alternatively, NAT devices can be used to route
the HTTPS traffic to SWIFTNet. For more details, see the Browse Configuration Guide. If an
HTTP proxy is used, then this proxy can reside either on the Alliance Gateway host machine or
on another host machine. Considering the various integration perspectives and security
guidelines that may be applicable to your environment, it is generally advisable to run the HTTP
proxy on a host machine that is different from the host machine on which Alliance Gateway is
running. This is described in the Browse Configuration Guide.
The diagram, provides an overview of the configuration.
Alliance WebStation or
Alliance Web Platform
FW2 Typically,
Port 48002, 48003 port 80 or 8080
FW1 IP3
D0650017
InterAct/FileAct
permitted, typically 80/tcp or 8080, depends on the configuration of the HTTP proxy. For more
information about configuring the HTTP proxy, see the Browse Configuration Guide.
Note For more information about ports 48002 and 48003, see the Network Configuration
Tables Guide.
Important In this setup, the DNS server may become a single point of failure if it is not as
resilient as the various SWIFTNet Link hosts.
26 June 2015 33
Connectivity to SWIFT
Note Web Server and SWIFTNet Link cannot be defined with the same IP address on
SWIFTNet. If the institution builds multiple Web servers, then each one must have
its own IP address.
Customer-defined NAT
A customer's internal security policy may call for an additional NAT if the organisation wants to
hide the following information:
Controlled by
SNL-VPN
connection
NAT
w.x.y.z 149.134.x.y
D0170012
Customer premises
In this example, the NAT device maps the source address of the IP packet sent to SWIFT from
a.b.c.d (true address) to w.x.y.z (dummy address), and conversely for the destination address of
packets received from SWIFT.
Controlled by
SWIFTNet Link-VPN
connection
NAT device Managed CPE
Customer
VPN
network
box router
Source Destination
SWIFTNet Link e.f.g.h
NAT
SWIFTNet Link 149.134.x.y
D0170013
Customer premises
In this example, the NAT device maps the destination address of the IP packet sent to SWIFT
from e.f.g.h to 149.134.x.y, and conversely for the source address of packets received from
SWIFT.
The SWIFT IP address that is used during SWIFTNet Link installation, such as the SWIFTNet
DNS address, is replaced by an internal address that the customer has selected.
26 June 2015 35
Connectivity to SWIFT
The customer can use an additional NAT device to impact firewall configuration. If the customer
locates the NAT device on the internal side of the firewall, then the device filters on the basis of
the addresses known to SWIFT.
These addresses include the following:
the SWIFTNet Link host IP address that the customer has communicated to SWIFT
SWIFT server addresses as specified in this document and identified in the Network
Configuration Tables Guide
If the customer locates the NAT device on the external side of the firewall, then the device filters
on the basis of the addresses that the customer has resolved using the NAT.
However, in this case the NAT device must also translate the addresses in the DNS replies that
SWIFT returns. When the SWIFTNet DNS returns an address, it must be converted to the
corresponding address used on the customer network, see the diagram "Translating addresses
in DNS responses using a NAT device" on page 35.
Supported configurations
The following configurations are supported:
Browse traffic on the primary line and InterAct/FileAct traffic on the secondary line for all
instances of SWIFTNet Link.
Browse traffic on the primary line and InterAct/FileAct traffic on the secondary line for a
subset of SWIFTNet Link instances.
If some SWIFTNet Link instances are reserved for InterAct traffic only, then this
configuration can be used to redirect InterAct traffic to the secondary line, while the traffic
from other SWIFTNet Link instances and Browse traffic are routed through the primary
line.
With SWIFTNet 7.0, SWIFT provides additional segregation capability to channel InterAct traffic
and FileAct traffic separately over the lines of an Alliance Connect connectivity product. This will
allow customers to channel for example Browse and InterAct traffic over one line, and FileAct
traffic over the other. Alternatively, it allows to channel Browse and FileAct over one line, and
InterAct over the other. Customers can configure this setup by a new SWIFTNet Link command.
Note In this context, FIN traffic follows the same path as InterAct traffic. For more
information, see the SWIFTNet Link Operations Guide.
Practical configuration
The customer sends InterAct and FileAct traffic to SWIFT IP addresses. To refer to these IP
addresses, see the Network Configuration Tables Guide. Customers that want to send the
InterAct and FileAct traffic through the secondary line must establish a rule in their firewall that
offsets destination ports according to the following table.
TCP ports without load sharing Offset value TCP ports offset for load
sharing
Limitations
Browse traffic cannot be shared over the secondary line, and is always sent over the primary
VPN box (box A) and leased line. Upon failure of the primary line, Browse traffic uses the
secondary VPN box and leased line.
26 June 2015 37
Connectivity to SWIFT
Legal Notices
Copyright
SWIFT 2015. All rights reserved.
Restricted Distribution
Do not distribute this publication outside your organisation unless your subscription or order expressly grants
you that right, in which case ensure you comply with any other applicable conditions.
Disclaimer
The information in this publication may change from time to time. You must always refer to the latest
available version.
Translations
The English version of SWIFT documentation is the only official and binding version.
Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: the SWIFT
logo, SWIFT, SWIFTNet, Accord, Sibos, 3SKey, Innotribe, the Standards Forum logo, MyStandards, and
SWIFT Institute. Other product, service, or company names in this publication are trade names, trademarks,
or registered trademarks of their respective owners.