IMPLEMENTATION OF THE ESA NETWORK SECURITY POLICY
EISD QMS document

Title / titre du document: IMPLEMENTATION OF THE ESA NETWORK SECURITY POLICY
Prepared by / préparé par: Christoph Kröll
Issue / édition: 2
Revision / révision: 2(.3)
Date of issue / date d'édition: 28/09/2004
Status / état: Second Issue
Document type / type de document: Implementation Document
Distribution / distribution: ESA
ESACERT, issue 2 revision 2, 28/09/2004

APPROVAL

Issue 2, revision 2
Author / auteur: Christoph Kröll, 28/09/2004
Approved by / approuvé par: ESA Information Systems Security Advisory Group (EISSAG), 28/09/2004

CHANGE LOG

Reason for change / raison du changement: Update by Christoph Kröll, /09/2004

CHANGE RECORD

Issue 1, Revision 0: First Issue by Christoph Kröll (pages: All; paragraphs: All)
Issue 1, Revision 1: Update by Christoph Kröll following Internal Review (pages: All; paragraphs: All)
Issue 1, Revision 2: Update by Christoph Kröll following Internal Review (pages: All; paragraphs: All)
Issue 1, Revision 3: Update by Christoph Kröll following Internal Review (pages: All; paragraphs: All)
Issue 1, Revision 4: Update by Christoph Kröll following 1st Review of the ESA Information Systems Security Advisory Group (pages: All; paragraphs: All)
Issue 1, Revision 5: Update by Christoph Kröll following 2nd Review of the ESA Information Systems Security Advisory Group (EISSAG) (pages: All; paragraphs: All)
Issue 2, Revision 0: Update by Christoph Kröll (pages: All; paragraphs: All)
Issue 2, Revision 1: Update by Christoph Kröll following Review by the ESA Information Systems Advisory Group (EISSAG) (pages: All; paragraphs: All)
Issue 2, Revision 2: Update by Christoph Kröll following technical changes and approval by the ESA Information Systems Advisory Group (EISSAG) (pages: Appendix B and D; paragraphs: All)

TABLE OF CONTENTS

1 INTRODUCTION
2 SCOPE AND APPLICABILITY
3 DEFINITIONS AND ABBREVIATIONS
    Definitions
    Abbreviations
4 RELATED DOCUMENTS
    Applicable Documents
    Reference Documents
5 BACKGROUND
6 THE ESA NETWORK SECURITY POLICY
7 SECURITY HIERARCHY: CLASSIFICATION OF THE ESA NETWORKS
    External Networks
    ESA External Services Networks
    ESA Internal Services Networks
    ESA Restricted Networks
8 COMMUNICATION WITHIN OR AMONG ESA NETWORK CLASSES
    Connection to a Single ESA Network Security Class
    Protocol Support
    Data exchange among ESA Internal Services Networks, ESA External Services Networks and External Networks
    Data Exchange for ESA Internal Services Networks
    Data Exchange for ESA Restricted Networks
9 IMPLEMENTATION OF EISD SERVICES
    Baseline Services
    Delta Services
        Definition
        Procedure
        Funding
    Security Delta Services (page 21)
        Definition
        Procedure
        Funding
10 THE ESACERT
    Mission and Services
    Policies
    Mandate
    Support
11 IMPLEMENTATION OF THE ESA NETWORK SECURITY POLICY BY THE MEANS OF THE ESA FIREWALLS
    The ESA Firewalls
    Connectivity
    Data Traffic
    ESA ISN Gateways
    Data Exchange for ESA Internal Services Networks
    ESA Demilitarised Zones (ESA DMZs)
        The Project Services DMZ
        The Corporate Services DMZ
        The Infrastructure Management DMZ
        The Transit Services DMZ
    Data Exchange between ESA Demilitarised Zones (ESA DMZs) and External Networks
    Data Exchange for ESA External Services Networks (including ESA Demilitarised Zones) and ESA Internal Services Networks
12 IMPLEMENTATION OF THE ESA NETWORK SECURITY POLICY BY THE MEANS OF THE ESA REMOTE ACCESS
    ESA Strong Authentication
    ESA IPsec Client Access
    ESA Intranet Dial-In
    ESA Web Client Access
13 IMPLEMENTATION OF THE ESA NETWORK SECURITY POLICY BY OTHER MEANS
    ESA Anti-Virus Services
    ESA Anti-SPAM Services
    ESA Personal Firewall
    ESA Hard Disk Encryption
    ESACERT Intrusion Detection and Prevention Services
    ESACERT System Scanning Services
    Distributed Computing Applications
    LAN Port Access Authentication
    Wireless LANs (page 36)
APPENDIX A SUPPORT FOR DATA EXCHANGE OF ESA INTERNAL SERVICES NETWORKS VIA THE ESA FIREWALLS (page 37)
APPENDIX B SUPPORT FOR DATA EXCHANGE VIA ESA IPSEC CLIENT ACCESS (page 40)
APPENDIX C SUPPORT FOR DATA EXCHANGE OF ESA INTERNAL SERVICES NETWORKS VIA ESA INTRANET DIAL-IN (page 42)
APPENDIX D SUPPORT FOR DATA EXCHANGE OF ESA INTERNAL SERVICES NETWORKS VIA ESA WEB CLIENT ACCESS (page 43)
APPENDIX E SUPPORT FOR THE ESA STRONG AUTHENTICATION (page 45)

This document contains 45 pages.

1 INTRODUCTION

This document outlines the implementation of the ESA Network Security Policy ESA/ADMIN(99)6 by the ESA Information Systems Department (EISD) for the whole of the Agency.

2 SCOPE AND APPLICABILITY

The document applies to all services, systems and users of the ESA Corporate IT Infrastructure. It maps the infrastructure for the implementation of the ESA Network Security Policy ESA/ADMIN(99)6 from the rollout of the respective EISD projects.

3 DEFINITIONS AND ABBREVIATIONS

3.1 Definitions

The following terms are used in this document:

Agency: An abbreviation for the European Space Agency.

Baseline Services: Baseline Services are services which are available to all entitled users at the ESA establishments as defined in the CITI Baseline Service Definition (ADM-ITI/02/0001); please refer to 9.1.
Delta Services: Delta Services are services which are supported on request outside the defined scope or coverage of the baseline services, as defined in the CITI Baseline Service Definition (ADM-ITI/02/0001). Please refer to 9.2 and also to Security Delta Services (9.3).

ESACERT: The ESA Computer and Communications Emergency Response Team is the central focal point to direct the ESA Information Systems Security solutions. The ESACERT addresses three main areas:
    - General focal point for operational Information Systems Security issues and advice on how to protect systems operated under the responsibility of the Agency;
    - Operational handling, coordination and follow-through of security incidents, and provision of a central emergency response line;
    - Proactive measures such as alerts, detection and preventive scanning services.
For the ESACERT mission and services, please refer to 10.

ESACOM: ESACOM is the European Space Agency's Communications network services package. Its core caters for the general-purpose data networking requirements of the Agency. The following services, all based on the TCP/IP communications protocol, constitute the ESACOM core:
    - Wide-area data connectivity between the ESA establishments;
    - Interconnection between ESA establishments and sites where ESA has a permanent presence, like ESA Ground stations (Redu, Vilspa), Brussels, Cologne, Washington, Moscow, Kourou and Toulouse;
    - Access to public networks: Internet, PSTN, ISDN, provided at all sites via different local providers;
    - Local Area Network services;
    - Protection and security according to ESA policy;
    - Operations and maintenance of all the above.
Additional services are provided on top of the basic ESACOM infrastructure to cater to project-specific networking.

ESA External Services Network: An ESA Network with unrestricted data exchange to External Networks and restricted data exchange to other ESA Networks. (Unrestricted means in this case that external business access needs can be supported according to the project requirements; see also 11.6.)

ESA Firewall: A Network Security Facility to protect against unauthorised data exchange between External Networks or ESA External Services Networks and ESA Internal Services Networks.

ESA Internal Services Network: An ESA Network protected from unauthorised data exchange by ESA Firewalls.

ESA Network Security Class: A class of ESA Networks with a common level of network security requirements. There are three ESA Network Security Classes: the ESA Restricted Networks, the ESA Internal Services Networks and the ESA External Services Networks (including ESA Demilitarized Zones).

ESA Networks: Networks owned, leased or subscribed to by ESA.

ESA Restricted Network: An ESA Network with access only for a restricted list of users.

External Networks: Throughout this document the term is used for all networks not owned, leased or subscribed to by ESA.

Security Delta Services: Security Delta Services are Delta Services which have an impact on the Information Systems Security of the Agency; please refer to 9.3.

TCP/IP Protocol Suite: A term for the whole family of applications and protocols bundled with the Internet Protocol.

Virus: Computer code that can damage data or programs.

3.2 Abbreviations

The following abbreviations are used in this document:

ADSL: Asymmetric Digital Subscriber Line.
DNS: The Domain Name Services Protocol is a member of the TCP/IP Protocol Suite.
DMZ: Demilitarized Zone, please refer to
ESA: European Space Agency.
EISD: ESA Information Systems Department.
EISSAG: ESA Information Systems Security Advisory Group.
FTP: The File Transfer Protocol is a member of the TCP/IP Protocol Suite.
HTTP: The Hyper Text Transfer Protocol is a member of the TCP/IP Protocol Suite.
HTTPS: The Hyper Text Transfer Protocol Secure Socket Layer is a member of the TCP/IP Protocol Suite.
ICA: The Independent Computing Architecture Protocol is a member of the TCP/IP Protocol Suite.
IP: Internet Protocol.
ISB: Information Systems Board.
ISDN: Integrated Services Digital Network.
ITSOA: IT Systems Operational Authority.
LAN: Local Area Network.
MTA: Message Transfer Agent.
NTP: The Network Time Protocol is a member of the TCP/IP Protocol Suite.
PSTN: Public Switched Telephone Network.
SMTP: The Simple Mail Transfer Protocol is a member of the TCP/IP Protocol Suite.
SSH: The Secure Shell Protocol is a member of the TCP/IP Protocol Suite.
SSL: Secure Socket Layer.
TCP: Transmission Control Protocol.
TSE: Terminal Server Edition.
UDP: User Datagram Protocol.
VPN: Virtual Private Network.
WAN: Wide Area Network.
WLAN: Wireless Local Area Network.
WWW: World Wide Web.

4 RELATED DOCUMENTS

4.1 Applicable Documents

The following documents are applicable to the extent specified herein:

[AD 01] EISD Quality Manual

4.2 Reference Documents

The following documents do not form a part of this document but provide useful information:

[RD 01] ESA/ADMIN(91)16, Loan of Computer Equipment to Staff
[RD 02] ESA/ADMIN(98)15, Computing services for staff away from their duty station
[RD 03] ESA/ADMIN(99)6, ESA Network Security Policy
[RD 04] ESA/ADMIN(2001)17, ESA External Services Network Security Policy
[RD 05] ESA Security Regulations

5 BACKGROUND

The rapid growth in the usage of workstations and personal computers by the Agency, alongside the corresponding deployment of networks and services increasingly targeted to communicating with the outside world, has led to a marked increase in user demand for more flexible connectivity, both internally within ESA and especially to external networks and services. These requirements arise in all sectors of ESA's activities, e.g.
spacecraft operations, software development, office automation, data dissemination and studies. The satisfaction of such requirements depends on worldwide standards and best practices for internetworking and their relation to the specific communication standards used in the ESA Networks.

The advent of ever more powerful network capabilities and the increase in external connectivity requirements led to the need to consolidate and strengthen the measures in place to guarantee the security of ESA communications, and to formally issue and operate a communications security and access policy for the ESA Networks.

The European Space Agency considers network security an essential function for the effective usage of the critical network systems used ESA-wide by staff, contractors and authorised users. Strict enforcement of the network security policy and compliance therewith is considered essential, and formal measures are being taken.

This document introduces briefly the ESA network security policy and its scope, and then describes how the policy is implemented by ESA by means of rules and the hardware/software tools enforcing them. The appendices list the services currently supported by the state of the art of the ESA security infrastructure in compliance with the security policy.

6 THE ESA NETWORK SECURITY POLICY

The ESA Network Security Policy ESA/ADMIN(99)6 establishes the security framework for the Agency's electronic communication networks and the rules defining the exchange of data on those networks. It applies to all ESA Networks, including local (LAN) and wide area (WAN) networks or communications services owned, leased or subscribed to by the Agency. The policy covers all communication facilities of these networks and their components, hardware as well as software.

The goal of the policy is to enable open, efficient and secure use of the Agency's network facilities whilst at the same time safeguarding the Agency's information technology and information resources. It is not meant to hamper employees from efficiently performing their professional duties, but to protect them and the resources under their responsibility from any security threats, with minimal disruption.

Overall information system security is a balanced combination of host security and network security, and must include measures to ensure controlled access, authentication, availability, integrity, confidentiality and auditability. The policy described in this document only addresses network security, i.e. security of access to a host via a communications link or network. Confidentiality is taken into account where it would apply to authentication, not with regard to the content of any information on the network. The other aspects of security, namely integrity and availability, are not addressed. Security implemented by the host, once access to it from the network has been rightfully obtained, is outside the scope of the network security policy.

The following two chapters repeat the major parts of the ESA Network Security Policy, indicated with grey background. The additional illustration also introduces the ESA Demilitarised Zones (ESA DMZs), which are explained later in 11.6.

7 SECURITY HIERARCHY: CLASSIFICATION OF THE ESA NETWORKS

The requirement to protect ESA data and resources implies the need for network security.
A hierarchy comprising four ESA network security classes has been defined for the Agency's network infrastructure and is shown in Figure 1 below.

[Figure 1: ESA Network Classification. The figure shows the classes as nested layers, outermost first: External Networks; ESA External Services Networks (including ESA DMZs); ESA Firewall; ESA Internal Services Networks; ESA Firewall; ESA Restricted Networks.]

7.1 External Networks

The External Networks are networks outside ESA control, e.g. supplied or owned and controlled by off-site industrial partners, scientific institutes or other space agencies. This class includes national or international research networks and networks of Internet Service Providers (ISP) as well as the global Internet. Also included in this class are public circuit switched networks used for data exchange, whether they are built with analogue technology (PSTN) or digital technology (ISDN), or operated by a public or private provider. Systems of ESA users working in other organisations or on contractors' premises where the Agency is not responsible for the network infrastructure are classified as being part of the External Networks class.

It is recognised that external partner organisations, in particular space agencies, may themselves have networks having different security categories. From an ESA security point of view, however, all non-ESA networks fall into the single category of External Networks.

7.2 ESA External Services Networks

The ESA External Services Networks allow for unrestricted access between the External Networks and specific Agency-owned information servers. These are transit networks of limited size and coverage. They are only available in a minor number of networks, sites and computer centres. For example, the ESA external World Wide Web (WWW) servers and the ESA external File Transfer Protocol (FTP) servers are placed on these networks.

7.3 ESA Internal Services Networks

The ESA internal services networks form the general-purpose networks of the Agency and fall into two major groups:
    - networks for the support of technical systems;
    - networks for the support of the Agency's corporate information technology infrastructure.

These networks are protected from the External Networks as well as from the ESA External Services Networks using the Agency's security barriers ("firewalls"). Connection to these networks is provided at all ESA Establishments. Local Area Networks at remote ESA sites that have no direct access to the External Networks but are connected to an ESA Establishment also come into this category.

7.4 ESA Restricted Networks

The ESA restricted networks are dedicated to specific administrative, technical or operational functions where access is restricted to specific user groups, for example the operational networks supporting space mission operations. The networks that support the Agency's financial and personnel management systems also come into this category.

8 COMMUNICATION WITHIN OR AMONG ESA NETWORK CLASSES

8.1 Connection to a Single ESA Network Security Class

A computer or network device shall only be part of a single network class in the ESA network security classification. With the exception of a security facility as such, it is not permitted to connect a device at the same time to any combination of two or more network classes. In particular, it is expressly forbidden to link a computer connected to the ESA Restricted or ESA Internal Services Networks to the External Networks or ESA External Services Networks by using a modem or any other device establishing a connection of any kind.

8.2 Protocol Support

The TCP/IP protocol suite is in principle the only protocol family that shall be used to exchange data among ESA networks belonging to different ESA network security classes. In particular, for the exchange of data between the Agency and the External Networks and for the encryption of data across untrustworthy links, the TCP/IP protocol suite is the only communication protocol family that shall be supported. Any requirement for use and support of other protocols requires written authorisation from the parties responsible for this policy and its implementation.

8.3 Data exchange among ESA Internal Services Networks, ESA External Services Networks and External Networks

The ESA firewalls are positioned to control all traffic crossing the boundary between the ESA Internal Services Networks on the one hand, and the ESA External Services Networks and the External Networks on the other. All data exchanged between the ESA Internal Services Networks and the ESA External Services Networks or the External Networks shall pass through the ESA firewalls and shall be positively authenticated. All access to the ESA firewalls, successful or unsuccessful, is logged. Only traffic that is supported on the ESA Firewalls is allowed to pass the boundary between the ESA Internal Services Networks and the ESA External Services Networks or External Networks. Access from the Extern
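As an added example (not part of the ESA document or its infrastructure), the four network classes of section 7 and the rules of 8.1 to 8.3 encoded as a small compliance checker that flags a dual-homed device or a cross-class exchange that bypasses the firewall, is unauthenticated, or uses a non-TCP/IP protocol without written authorisation. Class and rule names follow the document; the Device and Exchange fields are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum


class NetClass(Enum):
    """The four network security classes of section 7 / Figure 1."""
    EXTERNAL = "External Networks"
    EXTERNAL_SERVICES = "ESA External Services Networks"  # includes the ESA DMZs
    INTERNAL_SERVICES = "ESA Internal Services Networks"
    RESTRICTED = "ESA Restricted Networks"


# Section 8.3: the ESA firewalls sit on the boundary between the Internal
# Services Networks and the External / External Services side. The exchange
# rules for the Restricted Networks (8.5) are not on this page and not modelled.
OUTER_SIDE = {NetClass.EXTERNAL, NetClass.EXTERNAL_SERVICES}
INNER_SIDE = {NetClass.INTERNAL_SERVICES}


@dataclass
class Device:                          # assumed shape, not from the document
    name: str
    classes: frozenset                 # classes its interfaces attach to
    security_facility: bool = False    # e.g. a firewall, exempt from 8.1


@dataclass
class Exchange:                        # assumed shape, not from the document
    src: NetClass
    dst: NetClass
    protocol_family: str               # "TCP/IP" or another family
    via_firewall: bool                 # does the path traverse the ESA firewalls?
    authenticated: bool                # is the access positively authenticated?
    written_authorisation: bool = False  # 8.2 exception for non-TCP/IP protocols


def check_single_class(dev: Device) -> list:
    """Rule 8.1: a device is part of exactly one class unless it is a security facility."""
    if dev.security_facility or len(dev.classes) == 1:
        return []
    names = ", ".join(sorted(c.value for c in dev.classes))
    return [f"8.1: {dev.name} is attached to several classes ({names})"]


def check_exchange(ex: Exchange) -> list:
    """Rules 8.2 and 8.3 for one proposed data exchange; returns the list of violations."""
    findings = []
    if ex.src == ex.dst:
        return findings                # same class: the cross-class rules do not apply
    if ex.protocol_family != "TCP/IP" and not ex.written_authorisation:
        findings.append("8.2: non-TCP/IP protocol across classes needs written authorisation")
    ends = {ex.src, ex.dst}
    if ends & OUTER_SIDE and ends & INNER_SIDE:
        if not ex.via_firewall:
            findings.append("8.3: traffic must pass through the ESA firewalls")
        if not ex.authenticated:
            findings.append("8.3: access must be positively authenticated")
    return findings


if __name__ == "__main__":
    # Constructed cases: the modem-linked PC that 8.1 expressly forbids, and a
    # compliant authenticated exchange through the firewall (prints []).
    pc = Device("office-pc", frozenset({NetClass.INTERNAL_SERVICES, NetClass.EXTERNAL}))
    print(check_single_class(pc))
    ok = Exchange(NetClass.EXTERNAL, NetClass.INTERNAL_SERVICES, "TCP/IP", True, True)
    print(check_exchange(ok))
```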