1. Introduction
CBIC has a plan for international data exchange with various countries, e.g. Russia, Nepal, Korea and BENELUX (Belgium, Netherlands and Luxembourg).
This document provides the process flow for data exchange with Russia and other countries, as proposed by the application team (ICEGATE), and the infrastructure required for carrying out the data exchange.
There are two ways in which the data exchange is expected to happen: either through SFTP or through an API. In both cases the security controls will be as below:
2. Security controls
A separate IME (International Message Exchange) zone will be created, and the SFTP and endpoint API servers will be placed in this zone.
The IME zone will be placed behind an IPS and a firewall.
Sandboxing will be enabled to scan the international messages.
Antivirus will be installed on all servers, with real-time scanning enabled to scan the data.
Restricted access will be given on the servers and auditing will be enabled.
Read-only access will be given on the SFTP servers to Russian Customs.
Logs will be forwarded to the SIEM solution, which will be monitored 24x7 by the SOC team.
Both methods of data exchange are described below, beginning with SFTP.
Site-to-site IPsec VPN tunnels will be used to allow the secure transmission of data between Russian Customs and CBIC. The VPN tunnel will be created over the public Internet and encrypted to provide confidentiality of the data transmitted between the two countries; the cipher requirements (AES with a minimum 256-bit key, SHA-2) are listed in the requirements table in section 5. The same channel will be used for all other countries that exchange data through SFTP.
a. Connectivity for data exchange between Russian Customs and Indian Customs will be established through a site-to-site VPN tunnel.
b. Russian Customs shall share data on exports from Russia to India in the agreed XML format. Each file shall contain 130 fields. Files shall be shared on the SFTP path
Internal
Central Board of Indirect Taxes and Customs
c. Russian Customs will be allowed to upload XML files only, with a maximum size of 10 KB (to be verified by the application team).
d. Sandboxing will be performed before passing data to the application.
e. All data fields from validated files shall first be inserted in a Unicode-capable database and then passed on to the ICES database for processing through an internal SFTP channel.
f. The first level of validation, covering field-level checks and compliance, shall be done by ICEGATE. Corresponding error codes and acknowledgement files shall be generated and communicated to Russian Customs.
g. This data shall be further consumed by the RMCC application to conduct business-level validation checks against the documents filed by the Indian EXIM trade.
h. The RMCC application shall process only those records that contain a Unique Consignment Reference (UCR) number.
i. The same process flow will be followed for exports from India to Russia.
It was proposed that separate infrastructure (servers and chassis) will be provisioned for data exchange of this nature. The proposed flow for the requisite data exchange between India and Russia is depicted in the diagrams below.
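Steps (b) to (h) above describe what happens to each uploaded file before its contents reach the application and RMCC: the 10 KB size cap, the agreed 130-field XML layout, field-level validation with error codes and an acknowledgement back to the sender, and the rule that only records carrying a UCR are processed. The Python below is an added example written for this page, not CBIC or ICEGATE code, showing how those checks fit together in one drop-zone validator that also produces the SIEM audit record referred to under the security controls. Everything it names is an assumption: the element names RussiaExports, Consignment, UCR and Fnnn, the error codes E001 to E005, the reading of "130 fields" as 130 child elements per consignment record, and the constructed sample files. It also rejects DOCTYPE/ENTITY declarations before parsing, a check the document does not list but which closes the usual entity-expansion and XXE paths in an XML intake.

```python
"""Inbound SFTP drop-zone checks for the Russia export feed.

Hypothetical example for this page, not CBIC or ICEGATE code.  Element names
(RussiaExports, Consignment, UCR, Fnnn), error codes E001-E005 and the reading
of "130 fields" as 130 child elements per record are assumptions; only the
10 KB cap (step c) and the count 130 (step b) come from the document.
"""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

MAX_FILE_BYTES = 10 * 1024        # step (c): uploads capped at 10 KB
EXPECTED_FIELD_COUNT = 130        # step (b): 130 fields per record

@dataclass
class Ack:
    """Acknowledgement/error report returned to the sender (step f)."""
    filename: str
    sha256: str                   # digest kept with the backup copy for integrity checks
    accepted: int = 0
    rejected: int = 0
    errors: List[Tuple[int, str, str]] = field(default_factory=list)  # (record, code, text)

def precheck(raw: bytes) -> Optional[Tuple[str, str]]:
    """Byte-level checks that run before any XML parser touches the file."""
    if len(raw) > MAX_FILE_BYTES:
        return ("E001", f"file is {len(raw)} bytes, limit is {MAX_FILE_BYTES}")
    # The agreed format needs no DTD, so DOCTYPE/ENTITY declarations are
    # rejected outright: that is where entity-expansion and XXE payloads live.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return ("E002", "DOCTYPE/ENTITY declarations are not permitted")
    return None

def validate_record(rec: ET.Element, idx: int) -> List[Tuple[int, str, str]]:
    """Field-level checks for one <Consignment> (step f)."""
    errs = []
    if len(rec) != EXPECTED_FIELD_COUNT:
        errs.append((idx, "E003", f"expected {EXPECTED_FIELD_COUNT} fields, got {len(rec)}"))
    if not (rec.findtext("UCR") or "").strip():
        # step (h): RMCC processes only records that carry a UCR, so flag the
        # gap here instead of letting the record fall through silently.
        errs.append((idx, "E004", "missing Unique Consignment Reference"))
    return errs

def process_file(filename: str, raw: bytes) -> Ack:
    """Run the intake checks on one uploaded file and build its acknowledgement."""
    ack = Ack(filename=filename, sha256=hashlib.sha256(raw).hexdigest())
    fatal = precheck(raw)
    if fatal:
        ack.errors.append((0, *fatal))   # record 0 = whole-file rejection
        return ack
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        ack.errors.append((0, "E005", f"malformed XML: {exc}"))
        return ack
    for idx, rec in enumerate(root.findall("Consignment"), start=1):
        errs = validate_record(rec, idx)
        if errs:
            ack.rejected += 1
            ack.errors.extend(errs)
        else:
            ack.accepted += 1
    return ack

def audit_event(src_ip: str, dst_ip: str, dst_port: int, ack: Ack) -> dict:
    """SIEM record: source/destination IP, destination port and a UTC timestamp,
    the fields the requirements table mandates for audit logs."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port,
        "file": ack.filename, "sha256": ack.sha256,
        "accepted": ack.accepted, "rejected": ack.rejected,
        "error_codes": sorted({code for _, code, _ in ack.errors}),
    }

# --- constructed sample files (not real customs data) ------------------------
def consignment(ucr: str, n_fields: int = EXPECTED_FIELD_COUNT) -> str:
    body = "".join(f"<F{i:03d}>v{i}</F{i:03d}>" for i in range(1, n_fields))
    return f"<Consignment><UCR>{ucr}</UCR>{body}</Consignment>"

def wrap(*records: str) -> bytes:
    return ("<?xml version='1.0' encoding='UTF-8'?><RussiaExports>"
            + "".join(records) + "</RussiaExports>").encode("utf-8")

SAMPLE_OK = wrap(consignment("RU2024000001"), consignment("RU2024000002"))
SAMPLE_MIXED = wrap(consignment("RU2024000003"), consignment(""),
                    consignment("RU2024000004", n_fields=100))
SAMPLE_OVERSIZED = b"<RussiaExports>" + b"x" * MAX_FILE_BYTES + b"</RussiaExports>"
SAMPLE_DOCTYPE = b"<?xml version='1.0'?><!DOCTYPE r [<!ENTITY a 'aaaa'>]><RussiaExports/>"

if __name__ == "__main__":
    for name, data in [("ok.xml", SAMPLE_OK), ("mixed.xml", SAMPLE_MIXED),
                       ("big.xml", SAMPLE_OVERSIZED), ("dtd.xml", SAMPLE_DOCTYPE)]:
        print(audit_event("198.51.100.7", "10.10.0.5", 22, process_file(name, data)))
```

Run directly, it prints one audit record per sample file. In production the size check would be applied to the file's on-disk size before reading it (reading first defeats the purpose of the cap), the parser would be defusedxml rather than the stdlib ElementTree, and the SHA-256 would be stored beside the backup copy of the file so that the integrity check the requirements table asks for can be repeated later.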
Figure-1
Figure 2
Figure-3
a. Nepal, Korea, BENELUX (Belgium, Netherlands and Luxembourg) etc. shall share export data with Indian Customs in the agreed XML format.
b. These countries will send messages in XML format to ICEGATE. Data exchange will be done through APIs.
c. Sandboxing will be done before sending data to ICEGATE.
d. ICEGATE will consume the APIs exposed by the respective countries to pull the data in XML format from the identified application server. The API gateway will not be used for this communication.
e. The first level of validation, covering field-level checks and compliance, shall be done by ICEGATE. Corresponding error codes and acknowledgement messages shall be generated and communicated to the respective countries.
f. All data fields from validated files shall first be inserted in the respective application database.
g. This data shall be further consumed by the RMCC application to conduct business-level validation checks.
CBIC will consume the international countries' APIs for exchanging data with them; requests for data exchange will land on their endpoint APIs.
Figure 4
Other countries will connect to the CBIC API gateway to get message data from CBIC. International message exchange will happen as per the diagram given in Figure 5.
Figure 5
Figure-6
5. The following table provides the mandatory requirements for enabling data exchange with CBIC:
No. / Requirement, followed by the SFTP and the API requirement:

3. Network Port
   SFTP: Only specified ports shall be opened for incoming data communication.
   API: Only specified ports shall be opened for communication.

5. Encryption
   SFTP: ISAKMP (Internet Security Association and Key Management Protocol); AES (minimum 256 bits); AS2; SHA-2 for digital signatures.
   API: Communication through APIs will be encrypted through SSL/TLS.

7. File Backup
   SFTP: For integrity checks, a backup of the XML file must be maintained.
   API: A backup of the XML file will be maintained.

8. Max File Size
   SFTP and API: Only one file shall be accepted for each transaction. One transaction shall comprise one complete transmission with its header and footer; a file may contain single or multiple entries/records.

12. Audit Logs
   SFTP: In the event of an incident, it may be necessary for system logs to be shared by both parties. Both parties shall agree on a universally accepted format for the maintenance of such logs and their retention period, without compromising their evidentiary value. Audit logs must record the source and destination IP, the destination port and a timestamp. The system clock shall be synchronized to a common time source so that its timestamps match those generated by other systems. A globally acceptable forensic investigator/auditor, mutually agreeable to both parties, may be allowed to examine the logs in the event of any incident.
   API: Same as for SFTP, except that the forensic investigator/auditor is described only as acceptable and mutually agreeable to both parties rather than globally acceptable.

13. Other
   SFTP and API: Tools that do not support logging or establishing forensic trails (including but not limited to WinSCP) shall not be used by either party.