S 2.476 Concept for secure Internet connection
Initiation responsibility: Head of IT, Top Management, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
Numerous variants of internal and external networks can be found in the various types of organisations. Almost everywhere, this also includes the connection of the internal IT systems and networks to the Internet. Every connection to an open external network, however, also implies risks, since it is a potential entry point for malware, attempted attacks of any kind, and data leaks. For this reason, the type of Internet connection and its reliable protection must be planned carefully. Likewise, every new variant of Internet use should be planned carefully, and the IT components and their connection to the relevant networks should be installed and configured securely.
In a concept for secure Internet connection, it must be clarified first of all how the internal IT systems are to be protected. The framework for using the Internet, i.e., for example, who may use which Internet services and which rules must be observed while doing so, must also be clarified (see S 2.457 Concept for secure Internet use). It must also be agreed which types of Internet communication and which Internet services are generally allowed (see also S 2.459 Overview of Internet services). Depending on the objectives associated with Internet use in the organisation, the requirements for the Internet connection differ, e.g. the operation of a web server requires higher bandwidth and availability of the Internet connection than occasional searches for information using web services.
The concept must be embedded in the general security strategy of the particular organisation and therefore needs to be co-ordinated with the information security management.
Organisation
A large number of IT components are required for using the Internet. For this reason, it must be clarified which organisational units are responsible for which tasks in this context, i.e., for example, configuration of user IDs, user support or the editorial team for the web offer. In order to be able to respond to problems quickly and effectively, it is also necessary to specify the organisational framework, for example, to be able to quickly shut down an Internet service in case of emergencies.
In order to be able to select an appropriate Internet service provider (ISP) and an expedient connection technology, the required bandwidths and response times should furthermore be documented for the individual Internet services (see S 2.176 Selection of a suitable Internet service provider).
When adapting the network structure, it must be clarified which other systems and which network connections could be affected by the Internet use. Moreover, it should be defined how data from the Internet, e.g. downloaded files, are handled and whether this data may be processed further on other systems or has to be archived, for example.
Regarding the security requirements, the concept should define whether the information retrieved from the Internet or sent to other computers on the Internet must be protected against unauthorised reading or unauthorised modification.
Secure Internet connection
Whenever services such as the World Wide Web (WWW), E-mail or other Internet services are used in a local network (LAN), the LAN has to be connected to an untrusted network such as the Internet. As a result, the organisation exposes its previously closed network to significant threats, even before the first application is installed and used. Attackers from the Internet can attempt to exploit vulnerabilities of the underlying Internet protocols, services, and components and to eavesdrop on the data traffic (sniffing), to forge sender information (spoofing) or to gain access to the internal network.
A robust network connection, the selection of suitable equipment, secure configuration settings, and controlled operation counter these threats. For connecting the LAN to an untrusted network, an architecture consisting of four zones can be selected:
- The first zone comprises the internal network. It contains all client systems and all infrastructure and application servers required for autonomous local LAN operation.
- The second zone accommodates the security gateway (see S 3.301 Security gateway (firewall)) which protects the LAN against attacks from the Internet. In addition, it contains the servers required for providing services on the Internet, each of which is secured by means of packet filters, i.e. is located in a Demilitarised Zone. A Demilitarised Zone (DMZ) is an intermediate network established at a network gateway that can be used to protect the internal network structures. The servers connected to it can then only be accessed in a controlled manner, so services can be made available to the WAN as well as the LAN. Proxy servers can be used to connect the two networks to each other.
- The third zone comprises the components for the Internet connection. In the simplest case, it contains a single router which is connected to the network of the Internet service provider. Where availability requirements are higher, the connection must be designed redundantly.
- The fourth zone is the management zone, in which all management data can be collected and processed centrally. It is also possible to place a time server here with which all system clocks in the network are synchronised.
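The four-zone architecture above only protects the internal network if the packet filters between the zones enforce a default-deny policy with a small, explicit set of permitted flows. The following added example (not BSI text or code; the address plan, host roles and port numbers are constructed for illustration) models such a policy for the four zones, evaluates sample flows against it, and renders each rule in nftables syntax so the model can be compared with a real ruleset:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan for zones 1, 2 and 4 (any RFC 1918 plan works).
# Zone 3 (the ISP-facing router) and the Internet are everything not listed here.
ZONES = {
    "internal":   ip_network("10.0.0.0/8"),          # zone 1: clients, internal servers
    "dmz":        ip_network("172.16.1.0/24"),       # zone 2: externally reachable servers
    "management": ip_network("192.168.100.0/24"),    # zone 4: management data, time server
}
INTERNET_SET = "{ " + ", ".join(str(n) for n in ZONES.values()) + " }"


def zone_of(addr: str) -> str:
    """Classify an address into one of the zones; unmatched addresses are 'internet'."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                      # "tcp", "udp" or "any"
    dport: Optional[int]            # None matches any destination port
    action: str                     # "accept" or "drop"
    src_net: Optional[str] = None   # optional CIDR refinement inside src_zone
    dst_net: Optional[str] = None   # optional CIDR refinement inside dst_zone

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        if zone_of(src) != self.src_zone or zone_of(dst) != self.dst_zone:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.src_net and ip_address(src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(dst) not in ip_network(self.dst_net):
            return False
        return True


# Hypothetical DMZ hosts and the one internal subnet allowed to administer zone 4.
PROXY, MAIL, WEB, ADMINS = "172.16.1.10/32", "172.16.1.20/32", "172.16.1.30/32", "10.200.0.0/24"

# First match wins; anything not listed is dropped by evaluate().
POLICY = [
    # Zone 1 reaches the Internet only through the proxy and the mail relay in the DMZ.
    Rule("internal", "dmz", "tcp", 3128, "accept", dst_net=PROXY),
    Rule("internal", "dmz", "tcp", 25, "accept", dst_net=MAIL),
    # Only the proxy and the relay may open connections outward.
    Rule("dmz", "internet", "tcp", 80, "accept", src_net=PROXY),
    Rule("dmz", "internet", "tcp", 443, "accept", src_net=PROXY),
    Rule("dmz", "internet", "tcp", 25, "accept", src_net=MAIL),
    # Services offered to the Internet: the web server and inbound mail only.
    Rule("internet", "dmz", "tcp", 443, "accept", dst_net=WEB),
    Rule("internet", "dmz", "tcp", 25, "accept", dst_net=MAIL),
    # Management zone: time sync and log collection from the other zones,
    # administrative access only from the admin subnet.
    Rule("internal", "management", "udp", 123, "accept"),
    Rule("dmz", "management", "udp", 123, "accept"),
    Rule("dmz", "management", "udp", 514, "accept"),
    Rule("internal", "management", "tcp", 22, "accept", src_net=ADMINS),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action for a new flow; unmatched flows fall through to default deny."""
    for rule in POLICY:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "drop"


def _addr_expr(field: str, zone: str, net: Optional[str]) -> str:
    if net:
        return f"ip {field} {net}"
    if zone in ZONES:
        return f"ip {field} {ZONES[zone]}"
    return f"ip {field} != {INTERNET_SET}"   # 'internet' = not one of our zones


def to_nft(rule: Rule) -> str:
    """Render one policy rule as an nftables rule statement."""
    parts = [_addr_expr("saddr", rule.src_zone, rule.src_net),
             _addr_expr("daddr", rule.dst_zone, rule.dst_net)]
    if rule.dport is not None:
        parts.append(f"{rule.proto} dport {rule.dport}")
    elif rule.proto != "any":
        parts.append(f"meta l4proto {rule.proto}")
    parts.append(rule.action)
    return " ".join(parts)


if __name__ == "__main__":
    for r in POLICY:
        print(to_nft(r))
    print("direct client -> Internet:", evaluate("10.1.2.3", "203.0.113.5", "tcp", 443))
```

The model covers the initial packet of each flow only; a real ruleset additionally needs a stateful `ct state established,related accept` entry so that replies pass, and a final `drop` with logging so that violations of the zone concept show up in the management zone's log collection.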
All other aspects should already have been defined as part of the policy for the security gateway; see S 2.71 Establishing a policy for a security gateway for more information.
Up-to-dateness
The concept for the Internet connection must be updated at regular intervals, at least once a year, as this area is subject to rapid development. In addition, the concept for the Internet connection should be developed and updated in line with the concept for security gateways (see S 2.70 Developing a concept for security gateways) to ensure a secure connection to the Internet.
If the objectives, strategies or the threat scenario of the organisation change, then the Internet connection must be checked to see if it is affected by the changes.
Review questions:
- Is there an up-to-date concept for the Internet connection?
- Is the concept for the Internet connection regularly reviewed and modified, if necessary?