Once the data has been encrypted and the sender and receiver have verified each other's identity, the web server and the information stored on it are protected in the following ways.
Bank of the Ozarks' Online Banking operates on a server that is physically separate from the Bank's mainframe. The Bank has an internal network for uploading Internet requests and downloading daily bank data. This connection is safeguarded by an FTP session that runs only between two static, non-routable IP addresses.
The web server itself is fitted with two network cards. One handles external traffic arriving from the Internet and directs that traffic to specified directories that hold such files as the website HTML pages. The other, the internal network card, handles the uploading and downloading of data between the back side of the web server and the mainframe. As part of our minimum configuration requirements, IP routing is disabled between the two network cards, so there is no bridge between them: a packet arriving on the external card is never forwarded onto the internal network, or vice versa. Note that this separation is enforced by the host itself; it stops the server from relaying traffic between the two networks, but a program running on the server can still use both cards, which is why access to the internal side is further restricted as described below.
In addition, a router and a firewall are installed on the telecommunications link between the public Internet and the external card. The router runs its own firewall software, and a separate firewall sits behind it; together they are configured to allow only HTTP and FTP traffic. All HTTP traffic is routed directly to the web root, which holds the website. FTP is kept turned off except during maintenance. This configuration limits all incoming traffic to HTTP sessions, which are further confined to the external network card of the web server.
Further, FTP is set to reach only a staging area on the web server. No files can be uploaded to or downloaded from sensitive directories without direct Bank intervention, either by running a copy program provided for the purpose or by manually copying the files in NT Explorer. This staging area renders a compromised FTP password useless without internal cooperation: an attacker who reaches the staging directory still has no path to the directories that hold the website or the bank data.
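The interface separation and protocol filtering described above (two cards with no routing between them, HTTP only on the external card, FTP only between the two static internal addresses and only during maintenance on the external side), written out as a host firewall ruleset. This is an added example and not the Bank's configuration: the page does not name the router or firewall product in use, so the ruleset is written for the Linux nftables firewall as a stand-in. The interface names (eth0 for the external card, eth1 for the internal card), the two static non-routable addresses (192.168.10.1 for the web server's internal card, 192.168.10.2 for the mainframe) and the helper name are assumptions made for the example.

```nftables
# Added example of a host firewall for a dual-homed web server; not the Bank's
# configuration. Assumed names: eth0 = external (Internet-facing) card,
# eth1 = internal card. Assumed static, non-routable addresses for the
# internal FTP session: 192.168.10.1 (web server, eth1), 192.168.10.2 (mainframe).
flush ruleset

table inet webhost {

    # FTP opens a second (data) connection. The conntrack FTP helper lets the
    # kernel recognise that connection as "related" to the control session,
    # so the data channel is admitted without opening a range of ports.
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    chain track {
        type filter hook prerouting priority 0; policy accept;
        # Only the internal card ever carries FTP in normal operation.
        iifname "eth1" tcp dport 21 ct helper set "ftp-std"
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # External card: HTTP only. Everything reaching the server from the
        # Internet is confined to the web root served on TCP 80.
        iifname "eth0" tcp dport 80 accept

        # External FTP stays off. During a maintenance window, temporarily add
        # the rule below (and an eth0 line in chain "track"), then remove it.
        # iifname "eth0" tcp dport 21 accept

        # Internal card: FTP only, and only between the two static addresses.
        iifname "eth1" ip saddr 192.168.10.2 ip daddr 192.168.10.1 tcp dport 21 accept

        # Anything else on either card is dropped by the chain policy.
    }

    chain forward {
        # No IP routing between the two cards: a packet arriving on eth0 is
        # never relayed to eth1 or vice versa. Pair this with the kernel
        # setting  net.ipv4.ip_forward = 0  in /etc/sysctl.conf so that the
        # host does not forward at all, independent of the firewall.
        type filter hook forward priority 0; policy drop;
    }
}
```

Two things are worth checking after loading such a ruleset: that `sysctl net.ipv4.ip_forward` really reports 0 (the `forward` chain drops relayed packets, but forwarding should be off at the kernel level as well), and that a connection attempt to any port other than 80 on the external address times out rather than being refused, which confirms the drop policy rather than a listening service answering. The staging-area restriction in the paragraph above is a filesystem control (for example a chrooted FTP account limited to one directory) rather than a firewall rule, and is not part of this ruleset.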
E-mail is not a secure channel: as a rule the data is not encrypted as it travels over the Internet, and it can be intercepted by third parties. Please be careful not to provide, in a single message, information that would allow someone to log on to your account. Your name and return e-mail address are usually sufficient to identify you to any Bank of the Ozarks' Online Banking employee. We prefer that you not send your account number. In any case, for your own security, you should never send any password (for any system) to anyone by e-mail.