S 2.301 Outsourcing the security gateway

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, IT Security Officer

The implementation and operation of a security gateway implies considerable financial outlay and human resource input. Nevertheless, a security gateway is essential and cannot be dispensed with if LANs are to be connected to insecure networks (particularly the Internet). In many cases, therefore, consideration is given to contracting the operation of a security gateway out to an external service provider. There are a number of feasible options:

• On-site operation and administration by external contractors
  
  The security gateway is operated and administrated on the customer's premises. An external security gateway administrator is charged with this task.
  
  In many cases this solution does not even deliver cost benefits. As with all other solutions, the drawback is that external contractors take on security-related tasks and the relevant knowledge is not developed in-house, rendering it extremely difficult to conduct effective controls.
• Remote management
  
  The security gateway is set up and operated on the customer's premises but is administrated by remote access.
  
  In this case strong authentication and encryption is essential for the connection. The service providers should only be permitted to access the actual security gateway and should be denied access to other data and directories in the LAN. As outlined in module S 4.4 VPN, further organisational precautions should be taken to contain potential instances of misuse. These precautions include, e.g.:
  
  • imposition of a time ban in the event of failed attempts at access,
  • disablement of remote maintenance access during normal operation and explicit enabling for a specified time period,
  • restriction of the rights of external administrators so that, for example, the security settings cannot be lowered,
  • "Forced log-out" in case of line interruption; if the connection between the remote maintenance unit and the PC gateway is interrupted in any way then access to the system must be stopped by a "forced log-out".
• Hosting
  
  With this solution the security gateway is set up and maintained on the service provider's premises. There should therefore be a fixed secure connection from the internal LAN to the security gateway.
  
  It is imperative in this regard to guarantee a high level of availability for both the connection and the security gateway system as external connections are rendered impossible if they fail.
  
  In general, it is also advisable to use other components which facilitate communication between the secured and the external network. For example, these include information servers for providing internal and external users with information, mail servers, and DNS servers. These are usually set up in a DMZ in the security gateway (see also S 2.77 Integration of servers in the security gateway). In this case they would therefore have to be operated on the premises of the external service provider. This can push up the costs quite considerably.

There should be an alternative connection to the service provider, both with remote management and with hosting of a security gateway, in order to guarantee the administration services and the Internet connection in the event that the primary connection fails. Steps must be taken to ensure that the alternative connection has at least the same level of security as the primary connection.

The following questions should be asked in respect of the various services on offer:

• what level of technical knowledge, and also what level of security-related knowledge, does the supplier have and how is this kept up to date;
• whether and for how long the security gateway system is operated without supervision;
• how staff are deployed given that they are usually attending to several customers.

Even if the management of the security gateway is entrusted to a service provider it is still necessary to draw up an internal security policy for the security gateway in line with the security objectives of the organisation (see also S 2.71 Establishing a policy for a security gateway). If a security gateway is outsourced, the service level agreements should set out the following in particular in writing:

• the response times which must be guaranteed in the event of failure or attack,
• the level of availability which must be guaranteed (performance, maximum failure rate),
• facts which may or must be logged,
• the security safeguards which must be guaranteed. All the safeguards listed in module S 3.301 Security gateway (firewall) are of relevance in this regard.

Module S 1.11 Outsourcing must be applied to the outsourcing of a component which is as critical to security as the security gateway. Ideally the service provider will also have a full information security management system in place, for example, based on IT-Grundschutz. When outsourcing the security gateway it is advisable, at the very least, to check whether the security management system of the service provider meets the requirements set out in module S 1.11 Outsourcing.

Review questions:

• Relating to remote management of the security gateway: Is access by the service provider restricted to the relevant components of the security gateway?
• Relating to hosting of security gateways: Is connection to the security gateway of the service provider only made via a secure connection?
• Are the service level agreements for outsourcing the security gateway set out in writing?