S 2.77 Integration of servers in the security gateway

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: IT Security Officer, Administrator

Along with installing and operating the security gateway, servers must often also be placed securely. These include, for example, information servers that provide internal and external users with information, mail servers, and DNS servers.

When placing servers, a distinction must be made as to whether they are to be located in the network to be protected, in the network between the two packet filters (hereinafter referred to simply as the "intermediate network"), or on the external side of the security gateway.

External accesses

External accesses to the trustworthy network, e.g. using SSH via a modem pool, should be handled in the same way as accesses from the untrustworthy network. For example, this may be achieved by locating a terminal server with connected modems on the external side of the security gateway, so that access from this side to internal computers can only be performed using SSH through the gateway.

Unambiguous rules must be established specifying that no external access may be set up in a way that bypasses the security gateway. These rules must be communicated to all employees. It must be ensured that both the Security Management and the Administrator of the security gateway are informed of any such plans in due time, so that they can be incorporated into the security concept and the security policy of the security gateway.

Additional information on how to handle external accesses can be found in module S 4.4 VPN.

Arrangement of information servers

In general, servers intended to provide information to external users should be located "as near as possible" to the untrustworthy network (e.g. directly behind the external packet filter) and handled in the same way as other servers present in the untrustworthy network. Locating such servers "as far away as possible" from the trustworthy network makes it more difficult to reach the trustworthy network if an information server is compromised, since the attacker must then overcome several components of the security gateway. The servers should be administered either only locally or using specifically protected and possibly even time-limited accesses from the trustworthy network.

Since information servers providing external users with information should be handled in the same way as computers of the untrustworthy network, filter rules and possibly a corresponding configuration of the server should ensure that such a server cannot establish any connections into the trustworthy network; connections may only be established from the trustworthy network to the server.

For example, for a web server that is administered via SSH from the trustworthy network, no SSH connections originating from the server should be allowed, only SSH connections from the trustworthy network to the server.
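The following is an added example, not part of the original safeguard: a small model of the inner packet filter's rule set for the web server case described above, with a check that flags any rule letting a server in the intermediate network open connections into the trustworthy network. The zone prefixes, ports and rule order are constructed assumptions for illustration; a real filter is stateful, so only new connections are evaluated here and replies to accepted connections are taken as implicitly allowed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Zones of the security gateway (constructed sample prefixes; "external" is
# the catch-all and must therefore be checked last).
ZONES = [
    ("internal", ip_network("10.0.0.0/8")),     # trustworthy network
    ("dmz", ip_network("192.0.2.0/24")),        # intermediate network
    ("external", ip_network("0.0.0.0/0")),      # untrustworthy network
]

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    return next(name for name, net in ZONES if ip in net)

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept" or "drop"

# Rules for the web server in the intermediate network: administration via
# SSH only from the internal side, HTTPS from both sides, nothing initiated
# by the DMZ towards the trustworthy network. First match wins.
WEBSERVER_RULES = [
    Rule("internal", "dmz", 22, "accept"),
    Rule("internal", "dmz", 443, "accept"),
    Rule("external", "dmz", 443, "accept"),
    Rule("dmz", "internal", None, "drop"),
]

def decide(src: str, dst: str, dport: int, rules=WEBSERVER_RULES) -> str:
    """Decision for a NEW connection attempt; default policy is drop."""
    s, d = zone_of(src), zone_of(dst)
    for r in rules:
        if r.src_zone == s and r.dst_zone == d and r.dport in (None, dport):
            return r.action
    return "drop"

def violations(rules) -> list:
    """Rules that would let a DMZ server initiate connections into the
    trustworthy network. A shadowed accept is reported too, since it becomes
    live as soon as the rule order changes."""
    return [r for r in rules
            if r.src_zone == "dmz" and r.dst_zone == "internal"
            and r.action == "accept"]
```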

If there is data that should only be accessible to the users of the trustworthy network (e.g. an intranet web server), this data should, as far as possible, not be stored on a server that also offers services to external users. In this case, it is advisable to use additional information servers in the intermediate network that cannot be accessed from the outside and are protected against attacks from the inside by the packet filter.

If the data that should only be accessible to internal users is characterised by high protection requirements in terms of confidentiality, the corresponding information server must not be located in the same intermediate network as the information servers for external users. In this case, a separate DMZ must be established for the servers concerned.

Some safeguards contain information on integrating the following information servers into a security gateway:

Review questions: