Jack Henry Traffic Control
With Jack Henry Traffic Control, now you can have the highest degree of visibility and control over who can attempt to access your digital front door.
Jack Henry Traffic Control provides highly security-conscious financial institutions with increased control and visibility over their digital traffic by allowing them to front Banno Online with their own Web Application Firewall (WAF), utilizing Cloudflare. Traffic Control is a powerful tool that enables specialized security teams to define custom blocking rules, such as denying traffic from specific countries or IP addresses. Until this point, blocking rules could only be enforced platform-wide.
How do I know if Traffic Control is a good fit for my financial institution?
Jack Henry Traffic Control is ideal for a smaller number of highly sophisticated financial institutions that have an understanding of the technical benefit of using their own WAF. They also might have these needs or characteristics:
- A specialized security team
- A requirement for higher degrees of technical control and more visibility into all Banno and/or Treasury Management login traffic
- A need for the capability to completely block traffic from given IP addresses or countries
- Compliance requirements that call for this type of perimeter blocking control
Financial institutions that don’t fit these parameters might be better suited for Jack Henry Intercept and can reach out to their sales representatives for more information and guidance.
Important Information and Usage
Traffic Control isn’t a replacement for Jack Henry’s standard security measures. A financial institution’s WAF works on top of all of Jack Henry’s standard security, including Jack Henry’s own WAF. Financial institutions are responsible for configuring their own WAF to filter out bad traffic, since Jack Henry’s WAF will not be able to block this traffic when it originates from a financial institution’s WAF.
Additionally, financial institutions will take on the responsibility of troubleshooting and resolving connectivity issues that may arise from their WAF configuration. In the event of connectivity issues, the WAF configuration should be consulted first.
It’s recommended that financial institutions do not enable content-based protection rules, such as OWASP or SQL Injection, since this is Jack Henry’s responsibility. The primary purpose of this tool is to allow financial institutions to implement their own IP or geolocation blocking rules.
Be aware of these potential risks and best practices as well:
- Potential Issues: Incorrectly configured WAF settings can cause issues such as pages failing to load, unauthorized responses, or redirect loops. Examples of misconfigurations include aggressive rate limiting, blocking certain HTTP methods, inconsistent security rules, or extra caching.
- Required Headers: A financial institution’s custom WAF must pass necessary custom headers, including x-jh-real-client-ip and correct location headers. Otherwise, services will return 404 errors.
- Security Responsibilities: While Banno’s WAF handles core content-based protections, it’s the financial institution’s responsibility to configure their WAF for blocking malicious IPs and geolocations.
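The guidance above keeps a financial institution's WAF to IP and geolocation blocking. As an added example (not Jack Henry or Cloudflare code), the following pre-deployment check flags rule expressions that reference any other field, such as HTTP methods or paths, for manual review. The rule dictionaries and the allow-list are assumptions of this example; the field names are from Cloudflare's rules language.

```python
import re

# Fields that express pure IP or geolocation matching in Cloudflare's rules
# language. Treating only these as in scope is this example's assumption.
IP_GEO_FIELDS = {"ip.src", "ip.src.country", "ip.geoip.country"}

_STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')
_FIELD = re.compile(r"(?<![\w.])[a-z_][a-z0-9_]*(?:\.[a-z_][a-z0-9_]*)+")


def fields_in(expression):
    """Return the dotted field names an expression references."""
    # Drop quoted values first so field-like text inside a string literal
    # (for example "http.host") is not mistaken for a field reference.
    bare = _STRING_LITERAL.sub('""', expression)
    return set(_FIELD.findall(bare))


def audit(rules):
    """Return (rule name, out-of-scope fields) for rules that are not pure IP/geo."""
    findings = []
    for rule in rules:
        extra = fields_in(rule["expression"]) - IP_GEO_FIELDS
        if extra:
            findings.append((rule["name"], sorted(extra)))
    return findings


# Constructed sample rules: addresses are documentation ranges and the
# country codes are placeholders.
SAMPLE_RULES = [
    {"name": "block-countries", "expression": 'ip.src.country in {"XX" "YY"}'},
    {"name": "block-ranges", "expression": "ip.src in {203.0.113.0/24 198.51.100.7}"},
    {"name": "block-methods", "expression": 'http.request.method in {"PUT" "DELETE"}'},
    {"name": "geo-plus-path",
     "expression": 'ip.src.country eq "XX" and http.request.uri.path contains "/login"'},
    {"name": "quoted-lookalike", "expression": 'ip.src.country eq "http.host"'},
]

if __name__ == "__main__":
    for name, extra in audit(SAMPLE_RULES):
        print(f"{name}: references {', '.join(extra)}")
```

A flagged rule is not necessarily wrong, but it goes beyond plain IP or country matching and is the first place to look when pages fail to load or redirect loops appear.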
FAQ
- What WAF providers work with Traffic Control? How can I have my preferred WAF provider incorporated?
  - The only WAF provider supported at the moment is Cloudflare. However, the solution is built to be as agnostic as possible, so financial institutions should let their sales executive know if they have another WAF provider they’d like Jack Henry product teams to consider. Additional integrations can be incorporated in the future!
- Does this work for Banno Business and Treasury Management?
  - Yes, this works for Banno Business and Treasury Management. When Unified Identity Service is in play, all logins are protected.