Discuss on T24 Installation, Setting up the environment, TC Server, jBOSS, Package & Deployment, etc…

Secure implementation guide

13 years 4 months ago #10240 by reza666
Secure implementation guide was created by reza666
Hi guys, I am new to this forum and looking for advisories and guides on how to set up a secure T24 environment.

Do you guys have any documentation that could guide me on secure implementations of T24?

Cheers,
Reza

13 years 4 months ago #10299 by saahmad
Replied by saahmad on topic Re: Secure implementation guide
By secure, do you mean SSL-based communication between browser and web server?

If yes, then they have a listener to implement SSL to secure communication between the browser and the web server.

13 years 4 months ago #10305 by reza666
Replied by reza666 on topic Re: Secure implementation guide
Hi, thx for the reply. I am looking for how to set up both secure web-based and client/server-based environments. For web-based, you can terminate SSL communication on the proxy, so that all credentials will be visible within the proxy logs. This is not a secure way in my eyes.

13 years 4 months ago #10315 by saahmad
Replied by saahmad on topic Re: Secure implementation guide
Actually, T24 does not give out anything special other than to set up standard SSL techniques that all the internet is using. And that also is for the web-based interface. The web server end's socket setup is done by the system administrators, and the application-end SSL implementation is done via a simple plugin that T24 provides with TCServer. Moreover, you need to get digital signatures from a verified source like Verisign, Thawte, etc.
I am not able to understand the proxy part of your message. But if you are saying that there is a loophole in SSL standards, then you must report to the INTERNET authorities, because the whole world is using SSL encryption to make credit card transactions.

Really, there is nothing else to securing T24.

13 years 4 months ago #10323 by reza666
Replied by reza666 on topic Re: Secure implementation guide
Hi, I am not sure what you understand about security.
Security within T24 must be separated into 3 areas:

1. Web Server
2. Web Application
3. Database

Within each section there should be a guide for hardening or at least some secure vendor’s recommendations.
If we talk about web access, there are so many threats coming with Web 2.0 technology (like Cross Over Scripting, …), which enable bypassing web access authentication in order to access the database, …

Please do not mention anything about security if you are not aware of it.

Thx.

13 years 2 months ago #11074 by saahmad
Replied by saahmad on topic Re: Secure implementation guide
Dear Reza

Please don't be angry.
During my 5 yrs of implementing and tuning T24 with a bank live with about 352 branches all over Pakistan, the only security part on the T24 end is the one I told you about.

All other things that you are talking about are handled by our firewall and network security infrastructure (VPN, IPS and stuff like that, etc.). On top of that, our bank has its own INFORMATION SECURITY department where CISA certified people/hackers are always checking/testing for such breaches. Having said all that, I repeat: these things DO NOT RELATE TO T24 in ANY WAY.

SO AS THIS IS A FORUM FOR T24, YOU SHOULD POST SUCH QUESTIONS TO SOME OTHER FORUM.

12 years 9 months ago #12528 by amrismail
Replied by amrismail on topic Secure implementation guide
Is there a way to secure the authentication with 2-factor authentication and use my OTP (one-time password) token to prevent password stealing?
