Title | Connectivity to SWIFT Network Configuration Tables Guide - Lecture notes 14 |
---|---|
Author | Elshaday Gelaye |
Course | Sustainable design |
Institution | Addis Ababa University |
Pages | 36 |
This is the SWIFT configuration guide for SSL encryption.
Connectivity to SWIFT
Network Configuration Tables Guide
This network guide details the network protocols for the SWIFTNet environment and the connectivity requirements of the production and integration environments. This document is for security officers, network administrators, and designers that design and configure secure network solutions for an organisation.
31 March 2021
Link to this document: https://www2.swift.com/go/book/book37438
Connectivity to SWIFT Network Configuration Tables Guide
Table of Contents
Preface ..... 4
1 Introduction ..... 5
2 SWIFTNet Servers ..... 6
2.1 SWIFTNet Connections ..... 6
2.2 Port Mapping ..... 13
2.3 DNS Forwarding ..... 14
3 SWIFTNet Link Network Configuration ..... 16
4 NTP Configuration ..... 17
5 Remote PED Workstation and Firewalls ..... 18
6 Alliance Cloud Specific Settings ..... 19
6.1 User to Application: Alliance Cloud GUI ..... 19
6.2 Application to Application: SWIFT Integration Layer (SIL) Customer Footprint ..... 19
7 Alliance Gateway and Firewalls ..... 22
7.1 Alliance Web Platform, and Remote APIs (Remote Applications) ..... 23
7.2 Remote file transfer ..... 23
7.3 IBM MQ applications ..... 24
7.4 One-time Password Authentication Servers ..... 24
7.5 Alliance Gateway SNMP logging ..... 25
7.6 Lightweight Directory Access Protocol (LDAP) ..... 25
8 Alliance Connect Specific Settings ..... 26
8.1 Firewall Settings ..... 26
9 Alliance Lifeline Specific Settings ..... 28
9.1 Firewall Settings ..... 28
10 Alliance Lite2 Specific Settings ..... 30
10.1 Firewall Settings ..... 30
11 Alliance Remote Gateway Specific Settings ..... 32
11.1 Firewall Settings ..... 32
12 SWIFT WebAccess ..... 34
12.1 Global Approach to SWIFT WebAccess ..... 34
12.2 SWIFT WebAccess Service Providers ..... 34
12.3 SWIFT WebAccess Members ..... 35
Legal Notices ..... 36
Preface
Purpose of the document
This document assists security officers, network administrators, and designers to design and configure secure network solutions for their organisations.
Audience
This document is for the following audience:
• security officers who want to assess the compliance of the SWIFTNet service network access requirements with their own security policies
• network security administrators who configure network access control devices between their own networks and the SWIFT secure IP network
• network designers or network administrators who design solutions that suit the requirements of SWIFT and of their own organisations
Note: SWIFT recommends that during the SWIFTNet implementation process, one of the individuals acts as the contact during installation of the telecommunications equipment.
For solutions using the SWIFTNet Instant messaging service with AGI software, the network configuration requirements can be found in a separate document: SWIFTNet Instant System and Network Requirements.
Significant changes
These tables list the significant changes to the document since the previous release in July 2020. The tables do not include editorial changes that SWIFT may have made to improve the usability and comprehension of the document.

New information | Location
---|---
Updated network information for Alliance Cloud | Alliance Cloud Specific Settings on page 19
Updated network information for SWIFTNet | SWIFTNet Connections on page 6

Related documentation
The following documents relate to this guide:
• Alliance Connect Bronze Service Description
• Alliance Connect Bronze Implementation Guide - SSG VPN Boxes
• Alliance Connect Silver Service Description - SSG VPN Boxes
• Alliance Connect Silver Implementation Guide - SSG VPN Boxes
• Alliance Connect Silver Plus Implementation Guide - SSG VPN Boxes
• Alliance Connect Gold Service Description - SSG VPN Boxes
• Alliance Connect Gold Implementation Guide - SSG VPN Boxes
• SWIFT WebAccess Configuration and Troubleshooting Guide
• Network Access Control Guide
• SWIFTNet Instant System and Network Requirements
1 Introduction
SWIFTNet services
SWIFTNet provides secure communication between two parties that are connected to the SWIFT secure IP network. Based on Internet Protocol technologies, the secure IP network provides robust transport services that SWIFTNet services and products require.
Security policies
Exceptionally, some security policies can impact the end-to-end performance of SWIFTNet. If you have any questions about the possible performance impact of a SWIFT security policy proposal, then please contact a SWIFT security representative.
SWIFT has implemented strict security measures that it has designed to ensure that the SWIFT network is protected and safe. A SWIFT customer's own security policy can recommend or mandate the deployment of network access control devices between the customer's network and SWIFT's network. SWIFT encourages customers to deploy such controls. The customer must bring the network (firewall) in line with the Network Configuration Tables Guide. Only then can releases of SWIFTNet Link and Alliance Gateway be installed and used.
The address information described in the Network Configuration Tables Guide is confidential. The customer must maintain its confidentiality.
Alliance Connect products overview
SWIFT's Alliance Connect products (Bronze, Silver, Silver Plus, Gold) offer the possibility to connect through the internet. You can also connect through one or more Network Partners who provide and install managed customer premises equipment and local loops at your premises. The following portfolio options are available:
• SSG5 VPN boxes - all options include 2 VPN boxes
  - Gold with 2 leased lines
  - Silver and Silver Plus with 1 leased line and 1 internet connection
  - Bronze with 1 or 2 internet connections
• SRX VPN boxes (replacement for SSG5 VPN boxes)
  - AC Gold with 2 VPN boxes and 2, 3 or 4 leased lines
  - AC Silver and Silver Plus with 2 VPN boxes, 1 leased line and 1 internet connection
  - AC Silver with 1 VPN box and 1 leased line
  - AC Bronze with 2 VPN boxes and 2 internet connections
  - AC Bronze with 1 VPN box and 1 internet connection
For more information about the Alliance Connect products, see the Alliance Connect product page on www.swift.com.
2 SWIFTNet Servers
The tables in this document list the SWIFT central servers that are visible from customer sites (SWIFTNet Link) in the production and integration testbed networks.
Scope
• The sections Client Connections to SWIFT on page 7 and Client Connections to SWIFT (ITB) on page 10 list the connections to the central servers that are opened on the initiative of the SWIFTNet Link.
• The section Restrict the Switch Port Range on page 13 shows the mapping for the SWIFTNet Link identification codes (SNL IDs) to Switch port ranges.
In this document, the term SWIFTNet Link host refers to a system that is directly connected to SWIFTNet, and that runs SWIFTNet Link software. The SWIFTNet Link host category includes hosts running Alliance Gateway software on top of SWIFTNet Link.
Table structure
The structure of the tables in sections Client Connections to SWIFT on page 7 and Client Connections to SWIFT (ITB) on page 10 is as follows:
• From System column: indicates the initiating system of the connection.
• The table does not list the source IP address. It is the user-defined SWIFTNet Link host IP address that the customer provides to SWIFT during the SWIFTNet ordering process.
• The table does not list the source ports. Source ports higher than 1023/tcp initiate all TCP-listed sessions. Source ports of 53/udp or higher than 1023/udp send DNS queries.
• The Destination columns list the SWIFT central servers, and the associated IP addresses and ports.
2.1 SWIFTNet Connections
The following sections provide information about connections from clients to the SWIFT production network.
Related information
Client Connections to SWIFT on page 7
Client Connections to SWIFT (ITB) on page 10
Port Mapping on page 13
DNS Forwarding on page 14
2.1.1 Client Connections to SWIFT

Destination system type | MV-SIPN IP address | Port | Protocol | Usage | Source (from system)
---|---|---|---|---|---
Alliance Connect Bronze/Silver/Silver Plus SSG5 VPN box | 149.134.255.252 | 443/tcp | HTTPS | Allows to reach the VPN GUI with this default IP in order to configure IP or PPPoE settings related to the ISP. | SWIFTNet Link
Alliance Connect Bronze/Silver/Silver Plus SRX VPN box | 169.254.0.250 (subnet 255.255.255.0) | 8010/tcp | HTTP | Allows the VPN box to fetch the XML configuration file produced by the VPN Interface Configuration tool. This tool is used to configure speed/duplex mode for LAN or Leased Line/Internet connections, and to configure IP settings (DHCP, non-DHCP, PPPoE) for Internet connections. | VPN Interface Configuration tool (SRX Alliance Connect Bronze, Silver, Silver Plus, Gold: ethernet port 0/7 using fixed IP 169.254.0.1 with subnet 255.255.255.0)
Alliance Managed Operations | 149.134.252.3 | 443/tcp | HTTPS | HTTP Secure Web Access for Alliance Managed Operations | SWIFTNet Link or any other host, see (1)
CA/RA | 149.134.244.131 | 709/tcp | PKIX | Public Key Infrastructure Certificate Management Protocol | SWIFTNet Link
CA/RA (LDAP) and Directory | 149.134.244.129, 149.134.244.130, 149.134.252.4, 149.134.252.6, 149.134.252.2 | 389/tcp, 1100-1109/tcp, 1200-1209/tcp, 1300-1309/tcp, 1400-1409/tcp, 1500-1509/tcp, 1600-1609/tcp, 24389/tcp, 25100-25109/tcp, 25200-25209/tcp, 25300-25309/tcp, 25400-25409/tcp, 25500-25509/tcp, 25600-25609/tcp (2) | LDAP | Retrieve security certificates | SWIFTNet Link
DNS | 149.134.244.133, 149.134.252.7 | 53/udp | DNS | Name resolution | SWIFTNet Link
Entrust Authority Enrolment Server for Web | 149.134.244.134 (wbcl02.swiftnet.sipn.swift.com), 149.134.252.8 (wbcl01.swiftnet.sipn.swift.com) | 49171/tcp | HTTPS | HTTP Secure - Web access | SWIFTNet Link / SWIFT WebAccess (1)
FileAct | 149.134.127.49, 149.134.126.40 | 443/tcp, 10443/tcp | HTTPS | FileAct flows | SWIFTNet Link
MI Channel | 149.134.127.247 | 443/tcp, 10443/tcp | HTTPS | HTTP Secure Access for MI Channel | SWIFTNet Link
Sanctions SAF pilot web services | 149.134.127.43 | 443/tcp | HTTPS | Sanctions SAF pilot web services | SWIFTNet Link or any other host, see (1)
Sanctions SAF web services | 149.134.127.42 | 443/tcp | HTTPS | Sanctions SAF web services | SWIFTNet Link or any other host, see (1)
Secrets web server | 149.134.244.134, 149.134.252.8 | 49172/tcp | HTTPS | Retrieve SWIFTNet Link initialisation secrets | SWIFTNet Link
Secure Channel web server | 149.134.126.252, 149.134.127.252 | 443/tcp | HTTPS | HTTP Secure Web Access for Secure Channel Collect Response | SWIFTNet Link or any other host, see (1)
SWIFT Certificate Centre | 149.134.63.252 | 443/tcp | HTTPS | Create and renew certificates | SWIFTNet Link or any other host, see (1)
SWIFT Identity Service (IdP) | 149.134.63.2 | 443/tcp | HTTPS | HTTP Secure Web Access for SWIFT Identity Service | SWIFTNet Link or any other host, see (1)
SWIFT WebAccess | See Global Approach to SWIFT WebAccess on page 34 | 443/tcp | HTTPS | Used to access the SWIFT WebAccess application | SWIFT WebAccess Browser
SWIFT WebAccess Revocation Service | 149.134.63.242 (crlcheck.swiftnet.sipn.swift.com) | 443/tcp, 80/tcp | HTTPS, HTTP | Check the Certificate Revocation List | Browser
CA Certificates Download | 149.134.63.242 (cacertificates.swiftnet.sipn.swift.com) | 443/tcp | HTTPS | Download CA certificates | Browser
SWIFTNet Online Operations Manager (classic Browse service (3)) | 149.134.127.33 | 443/tcp | HTTPS | HTTP Secure Web Access for SWIFTNet Online Operations Manager, see (3) | SWIFTNet Link or any other host, see (2)
WebAccess-Enabled SWIFTNet Online Operations Manager | 149.134.1.75 | 443/tcp | HTTPS | HTTP Secure Web Access for SWIFTNet Online Operations Manager | SWIFTNet Link or any other host, see (1)
Switch | 149.134.244.129, 149.134.244.130, 149.134.252.4, 149.134.252.6, 149.134.242.1, 149.134.242.2 | 50153-50190/tcp, 50200-50806/tcp, 52100-52399/tcp (4), 20153-20190/tcp, 20200-20806/tcp, 22100-22399/tcp (5), 20153-27190/tcp, 27200-27806/tcp, 29100-29399/tcp (6), 34153-34190/tcp, 34200-34806/tcp, 36100-36399/tcp (7), 50181-50190/tcp (8) | Tuxedo | BEA Systems Tuxedo - a proprietary middleware transport - used for core message exchange over SWIFTNet | SWIFTNet Link

(1) Can also be a separate HTTP proxy host with an IP address on which the customer has translated the network address to a SWIFTNet Link host IP. See SWIFT WebAccess Members on page 35.
(2) These port ranges...
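As an added example that is not part of the SWIFT guide, the following Python models a few rows of the table above as data, applies the source-port conventions from the Table structure section of chapter 2 (TCP sessions from source ports above 1023; DNS queries from 53/udp or above 1023/udp), and renders iptables-save style OUTPUT rules for a SWIFTNet Link host. It serves both the Table structure passage and the connection table. The destination addresses and ports are taken from the table; the row subset, the iptables output format, the helper names (`Connection`, `flow_permitted`, `render_iptables`) and the host address 192.0.2.10 are this example's own choices, not SWIFT's.

```python
"""Added example: turn connection-table rows into host-firewall egress rules.

Not SWIFT's code. Destination addresses/ports come from the guide's table; the
iptables format, helper names and the SWIFTNet Link host address are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Connection:
    """One row of the client-connection table, seen from the SWIFTNet Link host."""
    system: str                 # destination system type
    dest_ips: tuple[str, ...]   # MV-SIPN IP addresses
    ports: tuple[str, ...]      # "443/tcp" or "1100-1109/tcp"
    usage: str


# Subset of the guide's production table (addresses and ports as listed there).
CONNECTIONS = (
    Connection("CA/RA", ("149.134.244.131",), ("709/tcp",),
               "Public Key Infrastructure Certificate Management Protocol"),
    Connection("CA/RA (LDAP)", ("149.134.244.129", "149.134.244.130"),
               ("389/tcp", "1100-1109/tcp", "1200-1209/tcp"),
               "Retrieve security certificates"),
    Connection("DNS", ("149.134.244.133", "149.134.252.7"), ("53/udp",),
               "Name resolution"),
    Connection("Secrets web server", ("149.134.244.134", "149.134.252.8"),
               ("49172/tcp",), "Retrieve SWIFTNet Link initialisation secrets"),
)


def parse_port_spec(spec: str) -> tuple[int, int, str]:
    """'1100-1109/tcp' -> (1100, 1109, 'tcp'); '443/tcp' -> (443, 443, 'tcp')."""
    ports, _, proto = spec.partition("/")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol in {spec!r}")
    lo, _, hi = ports.partition("-")
    low, high = int(lo), int(hi or lo)
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port range in {spec!r}")
    return low, high, proto


def source_port_allowed(proto: str, sport: int) -> bool:
    """Guide convention: TCP sessions from >1023; DNS queries from 53/udp or >1023/udp."""
    if proto == "tcp":
        return sport > 1023
    return sport == 53 or sport > 1023


def flow_permitted(dst_ip: str, dst_port: int, proto: str, sport: int) -> bool:
    """True when the table lists the destination and the source port follows the convention."""
    if not source_port_allowed(proto, sport):
        return False
    for conn in CONNECTIONS:
        if dst_ip not in conn.dest_ips:
            continue
        for spec in conn.ports:
            low, high, p = parse_port_spec(spec)
            if p == proto and low <= dst_port <= high:
                return True
    return False


def render_iptables(snl_host_ip: str) -> list[str]:
    """OUTPUT-chain ACCEPT rules (iptables-save syntax) for the SWIFTNet Link host.

    Only the listed flows are opened; the chain's default policy is the operator's choice.
    """
    ip_address(snl_host_ip)  # reject anything that is not a literal IP address
    rules = []
    for conn in CONNECTIONS:
        for dst in conn.dest_ips:
            for spec in conn.ports:
                low, high, proto = parse_port_spec(spec)
                dport = str(low) if low == high else f"{low}:{high}"
                if proto == "tcp":
                    sport_match = "--sport 1024:65535"
                else:  # DNS: 53/udp or ephemeral
                    sport_match = "-m multiport --sports 53,1024:65535"
                rules.append(
                    f"-A OUTPUT -s {snl_host_ip} -d {dst} -p {proto} {sport_match} "
                    f"--dport {dport} -m comment --comment \"{conn.system}: {conn.usage}\" "
                    f"-j ACCEPT"
                )
    return rules


if __name__ == "__main__":
    # 192.0.2.10 is a constructed (TEST-NET) address standing in for the SWIFTNet Link host.
    print("\n".join(render_iptables("192.0.2.10")))
```

`flow_permitted` is the check a firewall reviewer would run over a proposed rule set or a captured flow: a destination that is not in the table, a port outside the listed range, or a privileged source port on a TCP session is rejected. The rendered rules are deliberately per-destination and per-port rather than a single wide range, which keeps the firewall aligned with the guide's requirement that only the listed central servers be reachable.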