IS7040 - Network Security
Section: INFORMATION SOLUTIONS PROCEDURES
SubSection: Information Security
Master List Section: Information Solutions
Protecting the network infrastructure against all kinds of threats originating from external and internal networks is of prime importance to DMACC. The absence of adequate protection mechanisms can lead to attacks that include unauthorized access from the Internet and the spread of viruses, worms, malware, etc. Traffic can be sniffed in transit on the network, which can lead to unauthorized access to critical and sensitive information.
The purpose of this procedure is to ensure authorized and secure access to DMACC network infrastructure internally and from external networks and establish effective management.
This procedure applies to:
LAN and WAN network infrastructure at Primary and DR site deployed and maintained by DMACC
Relevant third-party personnel responsible for administering and maintaining DMACC’s IT infrastructure
All Network & System administrators, administering and maintaining the network infrastructure via LAN and WAN
All IT assets used to build the network viz. network devices, communication links and assets that use the network viz. servers, desktops, smart devices owned by DMACC
DMACC network infrastructure shall be adequately designed, managed, and controlled to protect security of company information. All connections to external networks including Internet, outsourced vendors and partners will be authorized and provided in a secure and controlled manner. Any kind of remote access to DMACC network must be first approved based on valid business justification and initial risk assessment done by the IT Security Team (IST). Network shall be designed and maintained for high availability to meet the business continuity requirements.
All user accesses to the network resources shall be approved and authenticated.
Administrative access and privileges on servers, network devices and other IT systems shall be granted only after necessary approvals from the DMACC IST.
Before porting a new application on DMACC’s network, the Systems Integration team shall study the network usage of the application and its impact on existing infrastructure, and provide a report which shall at a minimum contain the following details:
Whether the existing network infrastructure can accommodate the new application without affecting the existing applications
Whether there is need to modify the existing network infrastructure to accommodate the new application.
If there is need for modification, provide the estimated expense involved and the estimated time required for implementing the modification
Segregating Server and User Segments
A list of critical servers shall be periodically reviewed and updated by the Systems Integration team.
Systems shall be continuously monitored by the DMACC IST for any malicious or abnormal traffic.
In addition to firewall rules, all critical servers shall have restrictive access control policies configured on them which provide access to users on “Need to know” and “Need to Access” basis only.
Utility servers like AV, Active Directory, Proxy, etc. shall be protected and accessible to authorized users only.
Application and database servers shall be protected and accessible to authorized users only.
Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) shall be strategically installed at network segments to monitor the traffic flowing to and from critical servers.
Any approval for Remote access via Internet to DMACC information systems shall be granted by the DMACC IST.
Remote access to network resources must be done using the SSL / IPsec VPN infrastructure provided by DMACC. SSL must always be used for remote desktop protocol or SSH.
Secure remote access must be strictly controlled via strong authentication.
Information Security shall conduct a quarterly audit of the VPN users.
The use of remote access to information systems is prohibited without a reasonable and documented business reason illustrating the necessity to complete job responsibilities.
Laptops or desktops must be DMACC owned and managed and comply with host integrity checks before access is provided. All hosts that are connected to DMACC internal networks via remote access are updated on a regular basis.
Remote access for vendors shall be enabled to the test and development environment upon receiving a written request, with adequate business justification and approved by the DMACC IST.
Network Services (Mail, File and Print Services)
A detailed inventory with s/w and h/w configuration details shall be maintained by the respective administrators.
The network services, applications or other utility software installed on a server shall be identified, approved, and documented.
Hardware redundancy mechanisms shall be adopted for all major application and network servers.
Disk Mirroring (writing data to two separate hard drives simultaneously), Disk duplexing (installing two hard drives and two disk drive control cards) or redundant drive arrays (RAID) shall be used for all the servers which have requirement for high availability.
The DMACC Systems Integration team shall take necessary action to protect information contained in a server that has reached its end of life e.g. erase or reformat disks etc.
The following issues shall be considered when deploying a network server:
- The categories or classification of information that shall be stored in the server
- The security requirements for that information
- The network services that shall be provided by the network server
- The security requirements for the network services
Installing Network Operating Systems
A documented procedure for installing a network operating system shall be developed and followed.
All critical parameter settings, scripts and configuration files used during installation of a network operating system shall be documented.
Default passwords shall be immediately changed as part of the installation process.
Updating the Network Operating System
The respective administrators (Network, Security and System) shall be responsible for installing necessary security-related software updates in a timely manner.
The installation of updates shall consider the following security issues:
- Any temporary vulnerable state that may arise during the update process
- Unavailability of services due to inappropriate scheduling of update
- Impact on other dependent services due to untested update
- Unauthorized change due to inadequate change management process
Authorized sources of security advisory feeds, e.g. mailing lists, vendor publications, vendor web sites, etc., for information about security problems and software updates shall be maintained and regularly monitored by Information Security.
Procedures shall be implemented to control the installation of software on operational systems.
Network Devices - Routers & Switches
Network devices like routers, switches, etc. shall be configured securely as per the industry standard security procedures.
Routers & other Layer-3 devices (Core & Distribution Switches) shall be placed physically inside the data centre, and Layer-2 switches providing connectivity to LAN users in DMACC shall be stored on floors inside locked rooms.
Network Devices - Firewall
Access to the Firewall
- The firewall shall be hardened and secured as per the industry standard security procedures.
- The firewall shall not have any additional services that can be accessed remotely
- The firewall shall be placed in a controlled environment with access only to authorized personnel
- Any unused physical interface shall be disabled/de-activated on the firewall
- Firewalls shall segment the network based on the accepted risk levels
- Every connection between DMACC’s network and external (partners’ or vendors’) networks shall be controlled by the firewall rules
- The IT Management shall be responsible for determining the number of segments and the servers that would be hosted in each segment
Firewall Rule Base
- The DMACC IST is responsible for designing and testing the firewall rule base before deployment
- Firewall rule-base shall only allow access to required ports and services on the target machine. Documented list for all the opened ports and services with valid business justification shall be maintained
- The rule base shall be approved by the DMACC IST prior to deployment
- Use of proxy software shall be taken into consideration while writing the rule base for the firewall. If any new service is requested, that service shall not be made available until a proxy is available from the firewall vendor and tested by the firewall administrator. A custom proxy can be developed in-house or by other vendors only when recommended and approved by the DMACC IST
- All connections from the internal network to external networks shall be approved by the DMACC IST. Connections shall be allowed only with external networks that have been reviewed and found to have acceptable security controls and procedures. All connections to approved external networks shall pass through firewalls
- The rule base shall have a ‘default deny’ design ensuring that traffic not matching a rule is denied by default.
- The firewall rule base shall deny all IP spoofing by enforcing egress filtering
- Wherever possible, remarks or purpose of including a firewall rule shall be explicitly maintained
Firewall Rule Base Change
- All changes to the firewall rule base shall be done after proper authorization, to ensure that the security level is maintained. This shall be performed as per the Change Management Process
- All new user access requests shall be accompanied with business requirement and access details such as the IP address and the corresponding port numbers
- The DMACC IST is responsible for authorization of the request
- Firewall rule base reviews need to be done at periodic intervals (once every 6 months). The reports for rule base review shall be documented and submitted to DMACC IST for review
- The default device password of the firewall shall be changed before deploying the device into production and shall follow the Password Security procedure.
- Unique usernames shall be used by each firewall administrator
- Firewalls shall follow the Patch Management Procedure
- After any upgrade, firewall shall be tested to verify all functionalities are working as desired
- Redundant firewall in HA (High availability) mode shall be configured so that in case of a firewall failure, the backup firewall shall be switched to maintain the security level
All wireless infrastructure devices, which include access points, smart phones, and laptops that comprise DMACC wireless network resources, must adhere to the following:
- Only WPA compliant protocols shall be used for wireless communication. WEP based protocols will not be allowed
- Access Points shall always be connected in infrastructure mode and never in ad hoc mode.
Information transfer may occur using several different types of communication facilities, including electronic mail, voice, facsimile and video.
Software transfer may occur through several different mediums, including downloading from the Internet and acquisition from vendors selling off-the-shelf products.
The business, legal and security implications associated with electronic data interchange, electronic commerce and electronic communications and the requirements for controls shall be considered.
Information transfer services shall comply with any relevant legal requirements.
Clocks of all the systems throughout DMACC shall be synchronized with an accurate and reliable time source.
Network Time Protocol (NTP) shall be used to ensure synchronization.
Access to time data shall be restricted to only personnel with a business need to access time data.
Adequate levels of information to be logged shall be clearly defined and configured.
Type of log category and log information shall include the following:
- Users - Login/logout information: location and time of failed attempts, attempted logins to privileged accounts; changes in authentication status such as different privileges etc.
- Networks - Service initiation requests: name of the user/host requesting the service; network traffic; new connections.
- Applications - Applications and services specific information: mail logs, ftp logs, web server logs, firewall logs, router logs.
- File Systems - Changes to access control lists and file protections; file accesses (opening, creating, executing, deleting).
Only authorized users shall have access to reconfigure logging mechanisms.
The log files shall be protected from being accessed, modified, or deleted by unauthorized users and shall be stored in centralized log repository with restricted access.
All traffic (specifically that originating from the critical network segments) shall be scanned for attack signatures and anomalous behaviour.
Network Diagnostic Tools
The use of network diagnostic tools shall be strictly controlled to prevent use by unauthorized users. Only network staff shall be allowed to use diagnostic tools.
Network diagnostic tools and software shall be stored in a physically secured location when not in use.
As far as possible, these tools shall not be used during office hours, as this may cause the network to slow down.