Procedure for Network and Communications Security
Details
Date | Version | Status | Information Classification | Document Template ID | Document No |
---|---|---|---|---|---|
08-01-2020 | 2.0 | Approved | Internal | AMS DOC | AMS-SP-26 |
Revision History
Date | Version | Description | Author | Reviewed by | Approved by | Approved date |
---|---|---|---|---|---|---|
17-05-2015 | 1.0 | Initial Version | Jeevan | Praveen | Premanand | |
23-03-2016 | 1.1 | Reviewed but no changes made | | | | |
31-07-2017 | 1.1 | Reviewed but no changes made | | | | |
02-01-2020 | 1.2 | Combined Communications process and Network process as one and elaborated | Shaila | Praveen | Suresh | 08-01-2020 |
Acronym Used
Acronym | Expanded Form |
---|---|
Introduction
- Network and Communications Security procedures are aimed at providing the preventive/corrective measures to be taken to minimize the risks arising from networked computers and connecting devices.
ISO27001 Control Reference
A.13.1.1 Network controls
A.13.1.2 Security of network services
A.13.1.3 Segregation in networks
Scope
- The network and communications procedures are applicable during the design of a new network, operations of an existing network, or during a proposed change of an existing network.
Key Practice Details
Network Documentation
- The Network Lead will maintain approved network documentation of ASL.
Network and Cabling Specifications
The following specifications will be detailed in the network documentation:
Cabling Specifications
- Routing of cables and ducts in the premises, appropriately plotted on dimensioned floor plans and location plans
- IP addressing scheme being followed
Network Diagrams
The following logical diagrams will be detailed in the network documentation:
- Server, node and peripheral labeling
- Listing of external links
- Network components (switches, routers, firewall etc.) and their configuration
- The local area network diagram
- The wide area network diagram indicating Internet and voice links
The network diagrams will always be maintained at the "current status". Any changes to the network will be reflected in the network diagram within one week of the changes being effected.
The Revision history of the network diagram will be maintained.
The network documentation will be classified as "ASL Company Confidential".
Network Controls
The network access controls to be configured on the firewall, routers and switches will be decided based on the business needs of ASL, in consultation with the Network Lead and Network Security Expert.
The Network Lead will ensure that the rules/tables for network gateways, including the firewall, routers and switches, are documented. In addition to the firewall rules, the permitted services in the network should also be documented. The Head - IT should authorize these documents.
The Function Head will raise an IT Job Request ticket to request services such as a specific network configuration, enabling FTP access, etc., and send it to IT Support.
IT Support will take the necessary action to service the request.
Network Design and Architecture
Centralized management of ASL networks allows for a strategic network design and architecture that can be more readily optimized for performance, availability and security. All endpoints terminate on network switches, which removes the possibility of internal network traffic sniffing by computers and users. Highly sensitive data and traffic, such as that of data centers or communications facilities, are isolated in a secure zone behind firewalls.
The architecture of the network allows for the strategic placement of firewalls, demilitarized zones (DMZs) and IDS/IPS devices such that all network traffic between the ASL production and ASL development intranets and the Internet is adequately controlled and monitored.
Network services include Directory services, Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), authentication services, messaging/email, remote access, and others. These services have traditionally been provided on premise by ASL network and/or security administrators.
Network Performance Monitoring
The Network Connectivity Expert, in consultation with the Network Lead, is responsible for administration, maintenance, security and troubleshooting of network operations. The Network Connectivity Expert is responsible for regular monitoring of the following:
- Link errors
- Packet drops
- Network load
The Network Connectivity Expert may also monitor network traffic pattern including trends of protocol wise breakup of network traffic.
The Network Connectivity Expert will monitor the network performance on a daily basis. The principal statistics to be monitored are:
WAN Links
- Response Time: The Network Connectivity Expert should monitor the response time on WAN links (ping response report). A node across the WAN is pinged and the response time noted. An increasing trend in ping time to certain nodes indicates network congestion affecting that server's resources.
- Network Downtime Report: This represents the amount of time during the day when the network was not available for use. An increasing trend indicates deteriorating network health.
- Packet Loss Detail: This is a measure of the amount of packets lost in transmission over the WAN. A high rate of packet loss indicates a defect in the network.
- Link Utilization: based on the details provided in the Procedure for Capacity Management (section Network Capacity Management).
Any deterioration in network performance should be immediately reported to the Network Lead and Head - IT. The Network Lead, in consultation with the Head - IT, should then take action based on an analysis of the likely cause.
Network Management
ASL may consider using software and/or tools for network management and monitoring. The software used must at a minimum have the following capabilities:
- CPU Load
- Protocol Analysis and Packet Shaping
- Bandwidth Utilization
- Availability
Network alerts can be created to trigger on events including network latency problems, high percentage utilization on interfaces, interface status changes (up, down, warning, etc.) and an abnormal number of errors.
Network analysis and diagnostic tools should be used only under specific approval from the Head - IT, as they can capture a great deal of information about the internal network configuration of ASL. If the IT department wishes to use such a tool, any such usage will happen under the supervision of the Network Lead/Network Security Expert. The results should be submitted to the Head - IT by the IT team after due analysis.
The following parameters, at a minimum, should be monitored for all network equipment. (For all core switches, the parameters need to be monitored on all ports connecting to critical computing equipment, including voice equipment; firewalls, routers and servers must be proactively monitored.)
- Interface Statistics
- CPU Utilization
- Interface Utilization
The Network Connectivity Expert should record the status of the network in the Network Monitoring Report. The Network Lead should review this report on a weekly basis and submit it to the Head - IT.
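As an added example (not part of the ASL procedure), the following Python script evaluates constructed daily samples against the WAN link statistics named under Network Performance Monitoring (rising ping response time, rising downtime, packet loss) and the interface alert conditions named in this section (utilization, status change, abnormal error count). The thresholds, device names and sample values are assumptions, since the procedure names the metrics but sets no numeric limits.

```python
from dataclasses import dataclass

# Assumed thresholds: the procedure names the metrics but sets no limits.
UTIL_ALERT_PCT = 80.0        # interface utilization
ERROR_ALERT_COUNT = 50       # interface errors per day
PACKET_LOSS_ALERT_PCT = 2.0  # WAN packet loss
TREND_DAYS = 3               # strictly rising values over this many days = a trend

def is_increasing(samples, days=TREND_DAYS):
    """True when the last `days` daily samples rise strictly day over day."""
    if len(samples) < days:
        return False
    tail = samples[-days:]
    return all(later > earlier for earlier, later in zip(tail, tail[1:]))

def wan_link_alerts(link, rtt_ms, downtime_min, loss_pct):
    """Check one WAN link's daily series for the conditions the procedure names."""
    alerts = []
    if is_increasing(rtt_ms):
        alerts.append(f"{link}: ping response time rising for {TREND_DAYS} days (congestion?)")
    if is_increasing(downtime_min):
        alerts.append(f"{link}: daily downtime rising (deteriorating network health)")
    if loss_pct[-1] > PACKET_LOSS_ALERT_PCT:
        alerts.append(f"{link}: packet loss {loss_pct[-1]:.1f}% above {PACKET_LOSS_ALERT_PCT}%")
    return alerts

@dataclass
class InterfaceStats:
    device: str
    port: str
    utilization_pct: float
    errors: int
    status: str            # "up" or "down"
    previous_status: str   # status at the previous poll

def interface_alerts(s):
    """Alert on high utilization, status change and abnormal error counts."""
    alerts, ident = [], f"{s.device} {s.port}"
    if s.utilization_pct > UTIL_ALERT_PCT:
        alerts.append(f"{ident}: utilization {s.utilization_pct:.0f}% above {UTIL_ALERT_PCT:.0f}%")
    if s.status != s.previous_status:
        alerts.append(f"{ident}: status changed {s.previous_status} -> {s.status}")
    if s.errors > ERROR_ALERT_COUNT:
        alerts.append(f"{ident}: {s.errors} errors today (above {ERROR_ALERT_COUNT})")
    return alerts

# Constructed sample data: one week for a WAN link and today's counters for two ports.
SAMPLE_WAN = {
    "link": "HO-to-DC WAN (constructed)",
    "rtt_ms": [41, 40, 43, 47, 55, 62, 71],           # rising: congestion trend
    "downtime_min": [0, 3, 0, 0, 2, 0, 0],            # no trend
    "loss_pct": [0.1, 0.0, 0.2, 0.3, 0.4, 0.9, 2.6],  # crosses the 2% limit today
}
SAMPLE_PORTS = [
    InterfaceStats("core-sw1", "Gi1/0/1", 91.5, 3, "up", "up"),      # busy but healthy
    InterfaceStats("core-sw1", "Gi1/0/7", 12.0, 120, "down", "up"),  # went down, many errors
]

def run_daily_check():
    """Return every condition the Network Monitoring Report should escalate."""
    alerts = wan_link_alerts(**SAMPLE_WAN)
    for port in SAMPLE_PORTS:
        alerts.extend(interface_alerts(port))
    return alerts
```

Run on real data, the same functions would take the daily ping report and interface counters polled from the switches, and the returned list is what the Network Connectivity Expert escalates to the Network Lead.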
External Connectivity
Where there is a valid business requirement for the provision of remote external access connections including those from or to client sites, third parties, new offices, and the establishment of new Internet connections, the following apply:
- All external access connections planned into ASL LANs must be reviewed and approved in advance.
- All third-party connections have to be owned by the IT department. Network design should enforce central approaches for network gateways wherever applicable to ensure the best monitoring, logging and escalation mechanisms.
- Every network connection at the company's infrastructure border has to enforce the least functionality principle in terms of physical, network and application services.
- Modems at desktops/notebooks used for dial-out, e.g. into a client network or an ISP, require disconnection from the ASL LAN.
- Any link to or from a dedicated device at the ASL end that is not connected to any ASL LAN is not considered a risk as long as strict virus quarantine measures are in force and all data transferred to or from it is virus scanned. Such limited requirements are rare and need only sign-off by the IT team and notification to the Head - IT for inclusion in the risk database.
- All available, relevant audit trails or alert facilities must be enabled, with monitoring or review processes in place.
The Head - IT is responsible for authorizing, and the Network Lead/Network Security Expert for monitoring, the following classes of connections:
- WAN-LAN/LAN-LAN connections
- Private extranets
- VPN (Virtual Private Networks)
- Remote access and administration
- Dial-out services
The Group Lead in the respective function will be responsible for authorizing the following classes of connections:
- Internet service usage
- Remote access for internal tools
Remote Connectivity
New remote access to the internal IT resources will be given strictly based on business needs after authorization from the respective department heads. Further, all remote access requests[^1] will be granted only after a risk analysis exercise is conducted by the Network Security Expert/Network Lead. The risk analysis exercise will evaluate the business benefits of remote access vis-à-vis the security risks involved.
ASL will adopt mitigating controls to manage all specific areas of risks reported by the Head - IT in his/ her risk assessment exercise.
Authentication and Security
The following control procedures should be implemented to ensure a secure identification and authentication process:
- Remote users will be authenticated by means of a secure connectivity mechanism (e.g. HTTPS, VPN). Two-factor authentication can also be considered, in which users are denied access unless both criteria defined in the authentication mechanism are satisfied (e.g. password and token, PIN and smart card). The risk analysis will identify the need for two-factor authentication for ASL information systems.
- A record of all remote users will be maintained. The record will be updated whenever a new user is added or an existing user is removed from remote access.
- Remote access will be based on identification of parameters such as the user, node, port, etc. for off-site usage of IT services.
- All remote access will be filtered by a firewall.
- The applications to which remote access is granted will be strictly controlled, giving only the minimum necessary level of access to the remote user.
- All passwords will be transmitted in encrypted form only.
- Remote access will be permitted only for authorized users, and under no circumstances will root/admin/superuser accounts or users with equivalent privileges be permitted remote access. The network communication of any user connecting to the network remotely will be terminated on providing three consecutive incorrect passwords.
- Audit logs will be maintained and monitored for remote access sessions. Operator logs should be maintained and reviewed monthly to ensure compliance with the operating procedures. Audit logs should be archived on write-once, read-many media, for example CD-ROMs or printouts of the audit logs.
- The Head - IT or authorized representatives will review the audit trails on a regular basis for exceptions and security events (e.g. unauthorized access attempts).
- The secrecy of a telephone number will not be considered a mechanism for preventing unauthorized access.
- Telephone numbers allowing dial-in remote access will be changed on an annual basis, or immediately in case of a suspected or reported security incident.
- All connections allowing dial-out will use a suitable mechanism to prevent dial-in (e.g. unplugging the connection when not in use, telephone line configured for dial-out only, etc.).
Internet Access Policy
Access to the Internet is regulated by this Internet Access Policy at ASL Services. All Internet traffic originating from end-user desktops/laptops, servers and network devices at ASL will be governed by this policy, which is detailed in the Acceptable Usage Policy.
- All websites that directly host or are related to offensive content, violence, criminal activity, threat URLs, hacking, etc. are blocked for all users.
- Apart from the above-mentioned sites, senior management employees will have complete access to the Internet.
- All employees at ASL will have access to technical sites only, by default. Additional access will be provided based on business requirement and approval from the Function Head.
- Internet access will also be governed by the customer policies applicable to the respective projects.
- Key IT team members will have privileged access, as this is required for administration, configuration and troubleshooting of Internet access.
- All Internet activities will be logged and ASL will monitor all Internet usage on a monthly basis, to ensure that all Internet users adhere to this policy.
- All Internet usage is meant for business purposes only. Internet usage is a privilege reserved for those with a business need.
- All employees are advised and expected to adhere to the Internet Usage Policy as described in the Acceptable Usage Policy. Internet misuse can result in termination of employment or other disciplinary action.
Perimeter Controls
The Fortinet 620B and Fortinet 500D firewalls with proactive unified threat management are strategically placed such that all network traffic flowing in and out of the ASL production and ASL HO networks is monitored and controlled. These controls are critical to network functionality and security and therefore must be fault-tolerant and have redundant backups available. In addition, they must be capable of processing the anticipated peak volume of network traffic. Typical perimeter controls include:
- Routers - The border router is typically capable of allowing or denying connections, but its primary purpose is to route traffic at the network border or DMZ (STT Global).
- Firewalls - Firewalls (sometimes called border firewalls) block or limit traffic, typically by TCP/UDP port (STT Global & Antares).
- IDS/IPS - An Intrusion Detection System and/or Intrusion Prevention System adds an extra layer of protection, examining, limiting or blocking traffic that was allowed through the border firewall but is highly suspicious or known to be malicious (IDS/IPS is integrated within the Fortinet 500D firewall).
- Data Loss Prevention (DLP) - Some DLP solutions inspect all network traffic to detect or block confidential data leaving the intranet (implementation of a software solution is in progress).
- Network Address Translation (NAT) - Not strictly a security control, NAT limits the visibility of endpoints within the ASL production network to potential attackers on the Internet.
- Encryption - Encryption methodology (triple DES asymmetric) is used for client data transactions; SSL and IPsec are used for remote access to production systems.
Interior/Endpoint Controls
- Isolation - Network segments or subnets within the ASL LAN and production networks are separated as per the security requirements.
The following logical network segments are configured on the ASL HO Fortinet 200c firewall:
- Second floor network (Development, IT & HR)
- First floor network (CRM/BD & Support Functions)
- Other office (CRM at Branch Office)
- STT Global production environment
- Production servers & storage (all production servers of TW, AW)
- Mail server
The ASL intranet is appropriately isolated according to the security requirements of the business and endpoints. Production infrastructure is co-located within the STT Global data center, and development & testing are located at ASL HO.
- Endpoint Hardening - All network devices and endpoints are hardened to reduce their attack surface. Hardening involves maintaining current patch levels, antivirus, host-based firewalls, host-based IDS/IPS, disabling unnecessary services, using strong passwords, and other protections as appropriate. Software installation is restricted for users and permitted only for administrators, as per the software management policy.
- Vulnerability Management - A vulnerability management system can help ensure that all endpoints on the network are adequately hardened. Vulnerability management should ideally include web-based applications to reduce exposure to SQL injection, cross-site scripting and other web-based exploits. ASL conducts web application security checks and VA & PT regularly, and corrective action is initiated.
- Network Access Control (NAC) - Registering all endpoints before allowing connection to the network can prevent unauthorized devices from connecting as well as enforce security baselines. ASL has implemented Active Directory and Kaspersky endpoint protection for network access control. Only registered devices can be connected to the ASL network, with proper authentication.
- Wi-Fi Security Controls - ASL Wi-Fi is protected and not permitted for open access. Mobile devices are not to be connected at ASL. Wi-Fi that connects to more sensitive portions of the network is limited to authorized users only. All Wi-Fi routers use WPA2 or stronger encryption.
- Remote Access - Remote access to internal or intranet networks for employees is strictly through VPN and IPsec. Network access control is enforced for VPN connections and the use of VPN is limited to trusted users only. Outbound VPN connections are initiated with the MPSEDC, Beltron, A&N and HAL networks only, and these networks are considered highly trusted.
- Remote Desktop Protocol (RDP) and Secure Shell (SSH) are permitted only through VPN/IPsec; RDP is blocked at the firewall level. Though SSH is a secure protocol, the Linux and Unix systems that typically use it are often administered outside the ASL directory service, so SSH to them is permitted only from the ASL HO internal network over an IPsec tunnel and with strong passwords. No one can access the production environment remotely using any of these protocols unless connected through VPN to ASL HO or the ASL production network. Passwords are changed regularly to defeat attempts to crack them using rainbow tables or brute force.
- Web-based services such as Ammyy Admin (freeware) and TeamViewer (licensed) are used strictly under the supervision of the IT team to protect against the risk of unauthorized remote access. ASL network administrators carefully assess the risks associated with these services.
- Back Doors - Remote access protocols and services can create "back doors" into internal networks and are carefully administered. Other back doors, including data cards, cellular services on smartphones and tablets, Bluetooth personal area networks, and removable media such as USB and CD/CD-RW drives, are restricted on the ASL network.
Encryption
Secure Sockets Layer (SSL) is a common encryption protocol used for web traffic by ASL.
PKI-based encryption methodology is used for application access.
Segregation in Networks
ASL management will split the ASL network into logical segments, zones or domains based on criteria including, but not limited to, the following:
- Access requirements (e.g., Management, Department, Academic, Employees, IT, Students, Third Parties).
- Relative cost and performance impact of incorporating suitable technology.
- Value and classification of information stored or processed in the network (e.g., Critical, Sensitive).
- Levels of trust (e.g., Trusted, Internet, DMZ).
- Lines of business (e.g., Service, Support).
Internal network will be segregated from the external network with different perimeter security controls on each of the networks.
Network Vulnerability Assessment
Competent personnel must perform network vulnerability assessments on an ongoing basis. The assessment report will be submitted regularly to senior management during MRMs.
Using a reliable tool for vulnerability assessment is recommended. IT, along with the MR and Business Head, will evaluate the available VA tools and deploy the finalized tool(s).
A third-party independent network assessment (in the form of penetration testing) must be carried out at least once a year in order to provide assurance to management, customers and other interested parties.
Mitigation of Identified Vulnerabilities
- ASL will mitigate all high and medium vulnerabilities identified during VA. Identified low vulnerabilities will be mitigated only after the risk to the business has been analyzed.
References
Srl. | Document/Section Name |
---|---|
1 | Procedure for Capacity Management |
Implementation Artifacts
Srl. | Template ID | Artifact Name |
---|---|---|
1 | F-NGC | Network Gateway Configuration |
2 | F-PNS | Permitted Network Services |
3 | F-NMR | Network Monitoring Report |
4 | F-IJR | IT Job Request |
[^1]: Access to any ASL internal application server will be provided only through VPN, and no access will be provided over public networks (Internet).