ASD Online -- The Website of the Anchorage School District

Table of Contents

1. Discipline
2. Web Services
3. E-mail Accounts
4. Student Internet Projects
5. Remote Access from non-ASD Location
6. Privately-Owned Devices
7. Copyright
8. Internet Safety
9. Political Activity
10. Religious Activity
11. Privacy
12. Computer Use
13. Internet Usage
14. Disclaimer
A. Appendix A: Security Procedures

Version 3, January 2009

ASD Internet & Electronic Communications Guidelines

Appendix A: ASD Security Procedures

1 Firewall Procedure

1.1 Firewall Definition
For the purposes of this procedure, a firewall is a security system that controls and restricts both Internet connectivity and Internet services. Firewalls establish a perimeter at which access controls are enforced. Connectivity describes which systems may exchange information with one another. A service, sometimes called an application, is a particular kind of information flow that is allowed through the firewall; examples include file transfer protocol (FTP) and Web browsing.

1.2 Playing the Role of Firewalls
In some instances routers, or groups of routers, perform the function of a firewall without being formally called one. All ASD systems playing the role of a firewall, whether or not they are formally called firewalls, must be managed according to the rules defined in this procedure. In some instances this will require that these systems be upgraded so that they support the minimum functionality defined in this procedure. Traffic from any router that connects a vendor, or any other non-ASD entity, to the ASD network must pass through an agency firewall before entering the ASD network.

1.3 Procedure Applicability
All firewalls at ASD must follow this procedure. Departures from this procedure will be permitted only if approved in advance and in writing by the ASD Information Technology Department.

1.4 Defined Decision Maker
Before being enabled, all new firewall services and new connectivity paths must be evaluated in terms of business advantages and security risks. The ASD Information Technology Department is the recognized decision maker who can either approve or deny these requests.

1.5 Default to Denial
Every Internet connectivity path and Internet service not specifically permitted by this procedure must be blocked by ASD firewalls. The list of currently approved services must be documented and distributed to all district employees with a need-to-know by the ASD Information Technology Department.

Likewise, every network connectivity path not specifically permitted by the ASD Information Technology Department must be denied by firewalls. Prior to the deployment of every ASD firewall, a diagram of permissible paths with a justification for each must be submitted to the ASD Information Technology Change Management Team. Permission to enable any paths will be granted by the IT Supervisor only when (1) the paths are necessary for important business reasons, and (2) adequate security measures will be used.
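The default-to-denial rule is easiest to keep honest when the approved-service list is machine-checked against the live ruleset rather than compared by eye. The following is an added example, not an ASD tool: it audits a simplified ruleset (the rule layout, the approved-service table and the sample rules are constructed for the illustration) for the properties section 1.5 demands: an explicit final deny-any, every permit tied to an approved service, no permit from anywhere to anywhere, a justification on every permitted path, and no permit left unreachable behind an earlier catch-all deny.

```python
"""Audit a firewall ruleset against the 'default to denial' requirement.

Added illustration, not ASD's tooling. The Rule layout, the approved-service
table and the sample rulesets below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp" or "any"
    dst_port: Optional[int]    # None means "any port"
    src: str                   # CIDR
    dst: str                   # CIDR
    justification: str = ""    # 1.5: every permitted path needs one


ANY_NET = ip_network("0.0.0.0/0")

# Constructed approved-service list: (proto, port) -> service name.
APPROVED_SERVICES = {
    ("tcp", 443): "https",
    ("tcp", 25): "smtp",
    ("udp", 500): "isakmp",
    ("udp", 4500): "ipsec-nat-t",
}


def is_catch_all_deny(r: Rule) -> bool:
    return (r.action == "deny" and r.proto == "any"
            and ip_network(r.src) == ANY_NET and ip_network(r.dst) == ANY_NET)


def audit(rules: List[Rule], approved=APPROVED_SERVICES) -> List[str]:
    """Return a list of findings; an empty list means the ruleset complies."""
    findings = []
    if not rules or not is_catch_all_deny(rules[-1]):
        findings.append("ruleset does not end with an explicit deny-any rule")
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        if any(is_catch_all_deny(x) for x in rules[:i]):
            findings.append(f"rule {i}: unreachable, shadowed by an earlier deny-any")
        if r.proto == "any" or r.dst_port is None:
            findings.append(f"rule {i}: permit without a specific service")
        elif (r.proto, r.dst_port) not in approved:
            findings.append(f"rule {i}: {r.proto}/{r.dst_port} is not an approved service")
        if ip_network(r.src) == ANY_NET and ip_network(r.dst) == ANY_NET:
            findings.append(f"rule {i}: permit from anywhere to anywhere")
        if not r.justification:
            findings.append(f"rule {i}: no documented justification")
    return findings


# Constructed sample rulesets (documentation-range addresses).
COMPLIANT = [
    Rule("permit", "tcp", 443, "0.0.0.0/0", "203.0.113.10/32", "public web server"),
    Rule("permit", "tcp", 25, "0.0.0.0/0", "203.0.113.25/32", "inbound mail"),
    Rule("deny", "any", None, "0.0.0.0/0", "0.0.0.0/0", "default deny"),
]
NONCOMPLIANT = [
    Rule("permit", "tcp", 443, "0.0.0.0/0", "203.0.113.10/32", "public web server"),
    Rule("permit", "tcp", 23, "0.0.0.0/0", "203.0.113.10/32", ""),
    Rule("permit", "any", None, "198.51.100.0/24", "0.0.0.0/0", "vendor"),
]

if __name__ == "__main__":
    print("compliant:", audit(COMPLIANT))
    for finding in audit(NONCOMPLIANT):
        print("noncompliant:", finding)
```

Run it against an export of the real rulebase after every change-control ticket; the findings list is what the IT Supervisor should see before granting permission under 1.5.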

1.6 Logs
All changes to firewall parameters, enabled services, and permitted connectivity must be logged. In addition, all suspicious activity that might indicate unauthorized usage or an attempt to compromise security measures must also be logged. The integrity of these logs must be protected with checksums, digital signatures, or similar measures, so that an intruder who gains control of the firewall cannot quietly alter the record of what was changed. These logs must be promptly copied off the recording systems and stored in a physically protected container for at least three months. They must be reviewed periodically to ensure that the firewalls are operating in a secure manner.
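A plain checksum stored beside a log can be recomputed by whoever edits the log, so the checksum only helps if the key or the copy is out of the attacker's reach. The following added example (not an ASD tool) shows one way to meet section 1.6: each change record carries an HMAC over the record and the previous record's tag, forming a chain, with the key assumed to live on the log collector rather than on the firewall. Editing, deleting or reordering any record breaks verification from that point on. The change records are constructed for the illustration.

```python
"""Tamper-evident change log for firewall configuration changes (section 1.6).

Added illustration, not ASD's logging. The HMAC key is assumed to be held by
the log collector, not by the firewall that produces the records.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # tag "before" the first record


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, **fields) -> dict:
    """Append a change record, chaining it to the previous record's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    record = {"seq": len(log), **fields}
    entry = {**record, "tag": _tag(key, prev, record)}
    log.append(entry)
    return entry


def verify(log: list, key: bytes) -> int:
    """Return how many leading records verify; len(log) means the log is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if record.get("seq") != i or not hmac.compare_digest(entry["tag"], _tag(key, prev, record)):
            return i
        prev = entry["tag"]
    return len(log)


if __name__ == "__main__":
    key = b"constructed-example-key"
    log = []
    # Constructed records of the kind 1.6 requires.
    append(log, key, when="2009-01-05T09:00:00Z", who="fw-admin-1",
           change="permit tcp/443 to 203.0.113.10", ticket="CM-0001")
    append(log, key, when="2009-01-06T14:30:00Z", who="fw-admin-2",
           change="permit tcp/25 to 203.0.113.25", ticket="CM-0002")
    print("intact records:", verify(log, key))
    log[0]["change"] = "permit any"          # simulate tampering
    print("intact after edit:", verify(log, key))
```

The periodic review required by 1.6 then starts by running verify over the archived copy; a result smaller than the record count identifies the first record that cannot be trusted.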

1.7 Intrusion Detection
All ingress points must be protected by firewalls that include intrusion detection systems approved by the ASD Information Technology Department. These intrusion detection systems must each be configured according to the specifications defined by the ASD Information Technology Department. Such intrusion detection systems must also immediately notify technical staff who are in a position to take corrective action. All technical staff working on firewalls must be provided with remote access systems and privileges so that they can respond immediately to these incidents even when they are physically away from the firewall in question.

1.8 Contingency Planning
Technical staff working on firewalls must prepare a contingency plan which addresses the actions to be taken in the event of various problems including system compromise, system malfunction, and power outage. These contingency plans must be kept up-to-date to reflect changes in the ASD computing environment. These plans must also be periodically tested to ensure that they will be effective in restoring a secure and reliable computing environment.

1.9 External Connections
No ASD computer system may be attached to the Internet unless it is protected by a firewall. Such computer systems include Web servers, electronic commerce servers, and mail servers.

1.10 Virtual Private Networks
To prevent unauthorized disclosure of sensitive and valuable information, all inbound traffic accessing ASD networks (with the exception of Internet mail and push broadcasts, such as PointCaster or Yahoo News Ticker) must be encrypted with the products approved as part of the ASD Technical Architecture. These connections are often called virtual private networks or VPNs, and include technologies such as Secure Sockets Layer (SSL), the Internet Security Association and Key Management Protocol (ISAKMP) used to key IPSec tunnels, Point-to-Point Tunneling Protocol (PPTP, whose encryption comes from MPPE) or other forms of encryption. The remote-access deployments this procedure actually covers are the IPSec and SSL VPN concentrators described in section 2.

1.11 Firewall Access Privileges
Privileges to modify the functionality, connectivity and services supported by firewalls must be restricted to a few individuals with a business need for these privileges, such as the ASD Information Technology Department personnel. Unless permission from the IT Supervisor has been obtained, these privileges will usually be granted only to individuals who are full-time permanent employees of the ASD (no temporaries, contractors, consultants, or outsourcing personnel). Vendor access for troubleshooting and technical support may be granted on an as needed basis. All firewalls must have at least two staff members who are adequately trained to make changes; as circumstances require they will be retrained to make changes.

1.12 Network Management Systems
Firewalls must be configured so that they are visible to internal network management systems. CiscoWorks is the primary auditing and monitoring tool employed by the ASD Information Technology Department.

1.13 Disclosure of Internal Network Information
The internal system addresses, configurations and related system design information for ASD networked computer systems must be restricted such that neither systems nor users outside the ASD's internal network can access this information. Firewalls must be configured so that they do not advertise routing information or Simple Network Management Protocol (SNMP) information on an outbound basis.

1.14 Secure Back-Up
Current off-line back-up copies of firewall configuration files, connectivity permission files, firewall systems administration procedural documentation files, and related files must be kept close to the firewall at all times. A permissible alternative to off-line copies involves on-line encrypted versions of these files. Either of these options will help to keep trusted copies away from intruders, but at the same time immediately available to reestablish a secure and reliable computing environment. The ASD Information Technology Department will be responsible for maintaining backup information on all router and firewall configurations.

1.15 Firewall Change Control
Because they support critical ASD information systems activities, firewalls are considered to be production systems. This means that all changes to the software provided by vendors (excluding vendor-provided upgrades and patches) must be approved in advance by the ASD Information Technology Department, and then tested and approved before being used in a production environment.

1.16 Posting Updates
Because hackers and other intruders use the latest attack techniques, ASD firewalls must be running the latest software to repel these attacks. Where available from the vendor, all ASD firewalls must subscribe to software maintenance and software update services. Unless approved in advance by the IT Supervisor, staff members responsible for managing firewalls must install and run these updates within a week of receipt. This update provision must be met by the ASD Information Technology Department.

1.17 Monitoring Vulnerabilities
ASD staff members responsible for managing firewalls should subscribe to advisories and other relevant sources providing current information about firewall vulnerabilities. Any vulnerability that appears to affect ASD networks and systems must be promptly brought to the attention of the ASD IT Supervisor.

1.18 Firewall Physical Security
All ASD firewalls must be situated in locked rooms accessible only to those who must have physical access to them. Placing firewalls in open areas is prohibited, although placement within separately locked rooms or cages inside a general data processing center is acceptable.

2 VPN Procedure

2.1 Purpose
The purpose of this procedure is to provide guidelines for Remote Access IPSec Virtual Private Network (VPN) connections to the ASD network.

2.2 Scope
This procedure applies to all ASD employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing VPNs to access the ASD network. This procedure applies to implementations of VPN that are directed through an IPSec Concentrator or SSL VPN.

2.3 Procedure
Approved ASD employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.

Additionally:

2.3.1 It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to ASD internal networks.

2.3.2 VPN use is to be controlled through a two-phase approach. Phase one is group authentication using a public/private key system with a strong pass phrase. Phase two is individual user authentication against a directory service.

2.3.3 When actively connected to the ASD network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.

2.3.4 Dual (split) tunneling is NOT permitted; only one network connection is allowed.

2.3.5 VPN gateways will be set up and managed by the ASD Information Technology Department.

2.3.6 All computers connected to ASD internal networks via VPN or any other technology must pass a posture assessment performed by a NAC appliance; this includes personal computers.

2.3.7 VPN users will be automatically disconnected from the ASD's network after two hours of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.

2.3.8 The VPN concentrator is limited to an absolute connection time of 24 hours.

2.3.9 Users of computers that are not ASD-owned equipment must configure the equipment to comply with the ASD's VPN and network policies.

2.3.10 Only ASD-approved VPN clients may be used.

2.3.11 By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of the ASD's network, and as such are subject to the same rules and regulations that apply to ASD-owned equipment, i.e., their machines must be configured to comply with the ASD's network policies.
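Three of the rules above are mechanical enough to check in code: the two-hour idle timeout (2.3.7), the 24-hour absolute limit (2.3.8) and the ban on split tunneling (2.3.4). The following is an added example, not the concentrator's configuration or an ASD client: a session object that refuses to let keepalive traffic reset the idle timer, and a routing-table check that flags any route not carried by the tunnel. The route entries, interface names and addresses are constructed; the only routes it tolerates outside the tunnel are the host route to the concentrator (the tunnel's own outer packets need it) and the on-link route to the local next hop.

```python
"""Checks for the VPN procedure: idle/absolute timeouts (2.3.7, 2.3.8) and
split-tunnel detection (2.3.4).

Added illustration, not ASD's concentrator or client software. Routes,
interface names and addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

IDLE_LIMIT = 2 * 3600        # 2.3.7: two hours of inactivity
ABSOLUTE_LIMIT = 24 * 3600   # 2.3.8: 24-hour absolute connection time


@dataclass
class Session:
    started: float         # epoch seconds when the tunnel came up
    last_activity: float   # epoch seconds of the last genuine user traffic

    def note_activity(self, now: float, is_keepalive: bool) -> None:
        # 2.3.7: pings and other artificial traffic must not keep the session alive,
        # so only real traffic moves the idle clock.
        if not is_keepalive:
            self.last_activity = now

    def disconnect_reason(self, now: float) -> Optional[str]:
        """Return 'absolute', 'idle' or None if the session may continue."""
        if now - self.started >= ABSOLUTE_LIMIT:
            return "absolute"
        if now - self.last_activity >= IDLE_LIMIT:
            return "idle"
        return None


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR as shown by the client's routing table
    interface: str     # interface that carries it


def split_tunnel_violations(routes: List[Route], vpn_interface: str,
                            concentrator: str, local_link: str) -> List[Route]:
    """Routes that would carry traffic outside the tunnel (2.3.4).

    Permitted outside the tunnel: the host route to the concentrator and the
    on-link route for the local LAN that reaches the next hop. Anything else
    is split tunneling.
    """
    allowed = {ip_network(f"{concentrator}/32"), ip_network(local_link)}
    return [r for r in routes
            if r.interface != vpn_interface and ip_network(r.destination) not in allowed]


if __name__ == "__main__":
    # Constructed routing table from a client that still reaches 10.20.0.0/16 directly.
    table = [
        Route("0.0.0.0/0", "tun0"),          # default route through the tunnel
        Route("203.0.113.1/32", "eth0"),     # host route to the concentrator
        Route("192.0.2.0/24", "eth0"),       # local LAN, needed for the next hop
        Route("10.20.0.0/16", "eth0"),       # split tunnel: must not be here
    ]
    print(split_tunnel_violations(table, "tun0", "203.0.113.1", "192.0.2.0/24"))
    s = Session(started=0.0, last_activity=0.0)
    s.note_activity(7000.0, is_keepalive=True)
    print(s.disconnect_reason(7200.0))       # "idle": the keepalive did not count
```

A concentrator enforces the timeouts itself; the value of the client-side model is in testing that keepalive traffic is excluded, since a client that counts pings as activity defeats 2.3.7 without violating anything visible on the gateway.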

2.4 Enforcement
Any employee found to have violated this procedure may be subject to disciplinary action, up to and including termination of employment.

3 DMZ Procedure

3.1 Purpose
This procedure establishes information security requirements for all networks and equipment deployed in the ASD "De-Militarized Zone" (DMZ). Adherence to these requirements will minimize the potential risk to ASD from the damage to public image caused by unauthorized use of ASD resources, and the loss of sensitive or confidential data.

3.2 Scope
ASD networks and devices (including but not limited to routers, switches, hosts, etc.) that are Internet facing and located outside ASD Internet firewalls are considered part of the DMZ and are subject to this procedure. All existing and future equipment, which falls under the scope of this procedure, must be configured according to the referenced documents. This procedure does not apply to networks and devices residing inside ASD's Internet firewalls or trusted networks.

3.3 Procedure

3.3.1 Ownership and Responsibilities

3.3.1.1 All new DMZ devices must present a business justification with sign-off at the business unit CIO level. The ASD Information Technology Department must keep the business justifications on file.

3.3.1.2 Third party owned devices and applications are required to have a point of contact (POC), and back up POC, for each piece of equipment or application. The device owners must maintain up to date POC information with the ASD Information Technology Department (and the enterprise management system, if one exists). Third party device and application owners or their backup must be available around-the-clock for emergencies.

3.3.1.3 Changes to the connectivity and/or purpose of existing DMZ devices and establishment of new DMZ networks and devices must be requested through the ASD Information Technology Department.

3.3.1.4 All ISP connections must be maintained by the ASD Information Technology Department.

3.3.1.5 The ASD Information Technology Department must maintain a firewall device between the DMZ and the Internet.

3.3.1.6 The ASD Information Technology Department reserves the right to interrupt any DMZ based connections if a security concern exists.

3.3.1.7 The ASD Information Technology Department must record all DMZ address spaces and current contact information.

3.3.1.8 The ASD Information Technology Department must have immediate access to equipment and system logs.

3.3.1.9 With third party DMZ deployments the ASD Information Technology Department will address non-compliance waiver requests on a case-by-case basis.

3.3.2 General Configuration Requirements

3.3.2.1. DMZ networks and devices must not be connected to ASD's internal networks, either directly or via a wireless connection.

3.3.2.2. DMZ networks and devices should be in a locked rack with limited access. In addition, the ASD Information Technology Department must maintain a list of who has access to the equipment.

3.3.2.3. The ASD maintained firewall devices must be configured in accordance with least-access principles and the DMZ business needs. All firewall filters will be maintained by the ASD Information Technology Department.

3.3.2.4. The firewall device must be the only access point between the DMZ and the rest of ASD's networks and/or the Internet. Any form of cross-connection which bypasses the firewall device is strictly prohibited.

3.3.2.5. Original firewall configurations and any changes thereto must be reviewed and approved by the ASD Information Technology Department (including both general configurations and rule sets).

3.3.2.6. Traffic from the DMZ to the ASD internal network must be configured in accordance with least-access principles. Remote access from the DMZ to the ASD internal network must follow the above stated VPN procedure.

3.3.2.7. Current applicable security patches/hot-fixes for any applications that are Internet services must be applied.

3.3.2.8. All applicable security patches/hot-fixes recommended by the vendor must be installed.

3.3.2.9. Services and applications not serving business requirements must be disabled.

3.3.2.10. Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPsec) or console access independent from the DMZ networks.

3.3.2.11. All DMZ switch ports not in use will be disabled.

3.4 Enforcement
Any employee found to have violated this procedure may be subject to disciplinary action, up to and including termination of employment.

4 Traffic Shaping Procedure

4.1 Purpose
The purpose of this procedure is to provide a methodology for creating traffic shaping rules.

4.2 Scope
This procedure applies to all traffic leaving the egress point of the ASD network.

4.3 Procedure
A business analysis needs to be done to classify all traffic in one of three areas: Sensitive, Best-Effort, and Undesired. Based upon these three areas shaping of outbound and inbound traffic will occur.

4.3.1 Sensitive Traffic
Sensitive traffic is traffic whose Quality of Service is critical to ASD business functions. This usually includes VoIP, video streaming, financial transactions, business partner virtual connections, and other forms of critical data. Shaping schemes are generally tailored so that the Quality of Service of these selected uses is guaranteed, or at least prioritized over other classes of traffic. This can be accomplished either by exempting these uses from shaping or by positive shaping (prioritizing them over the other classes).

4.3.2 Best-Effort Traffic
Best effort traffic is all other kinds of non-detrimental traffic. This is traffic that ASD is not concerned about and does not consider a priority. Shaping schemes are generally tailored in such a way that this traffic gets 'what is left' of the bandwidth after sensitive traffic has 'taken its share'.

4.3.3 Undesired Traffic
This category is generally referred to as the "bit bucket": all traffic not placed in the two classes above. Shaping schemes usually identify this traffic and either block it entirely or severely hamper its operation.
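The three classes map directly onto a scheduler: sensitive traffic is served first, best-effort traffic takes what is left, and undesired traffic is held to a small budget that is only spent once the other two queues are empty. The following added example (not ASD's shaper configuration) models one scheduling round of that scheme on a constructed packet list; the classification table, the port numbers and the undesired budget are assumptions, and in production this logic lives in the router's queueing discipline rather than in Python.

```python
"""Three-class shaping round (section 4.3): classify, then serve Sensitive,
then Best-Effort, then Undesired from a small fixed budget.

Added illustration, not ASD's shaper. The classification table, port numbers
and budget are assumptions.
"""
from collections import deque
from typing import Iterable, List, Tuple

SENSITIVE, BEST_EFFORT, UNDESIRED = "sensitive", "best-effort", "undesired"

# Constructed classification table from the business analysis:
# (proto, port) -> class. Anything unlisted is best effort.
CLASSES = {
    ("udp", 5060): SENSITIVE,    # SIP signalling (VoIP)
    ("udp", 16384): SENSITIVE,   # RTP media (example port)
    ("tcp", 443): SENSITIVE,     # financial / partner sessions (assumption)
    ("tcp", 6881): UNDESIRED,    # BitTorrent
}
UNDESIRED_BUDGET_BYTES = 1500    # per round; "severely hampered", not blocked

Packet = Tuple[str, int, int]    # (proto, dst_port, size_bytes)


def classify(proto: str, port: int) -> str:
    return CLASSES.get((proto, port), BEST_EFFORT)


def shape(packets: Iterable[Packet], capacity_bytes: int) -> Tuple[List[Packet], int]:
    """Choose what goes out in one round of capacity_bytes.

    Returns (packets sent in order, bytes of capacity left unused). Strict
    priority between sensitive and best effort; undesired draws only from its
    own budget and only after the other two queues have been served.
    """
    queues = {SENSITIVE: deque(), BEST_EFFORT: deque(), UNDESIRED: deque()}
    for p in packets:
        queues[classify(p[0], p[1])].append(p)

    sent: List[Packet] = []
    left = capacity_bytes
    for cls in (SENSITIVE, BEST_EFFORT):
        while queues[cls] and queues[cls][0][2] <= left:
            p = queues[cls].popleft()
            sent.append(p)
            left -= p[2]

    budget = min(left, UNDESIRED_BUDGET_BYTES)
    while queues[UNDESIRED] and queues[UNDESIRED][0][2] <= budget:
        p = queues[UNDESIRED].popleft()
        sent.append(p)
        budget -= p[2]
        left -= p[2]
    return sent, left


if __name__ == "__main__":
    # Constructed mixed burst: two torrent packets, one web fetch, a SIP
    # message and a partner HTTPS segment.
    burst = [("tcp", 6881, 1400), ("tcp", 80, 1000), ("udp", 5060, 200),
             ("tcp", 6881, 1400), ("tcp", 443, 800)]
    for capacity in (3000, 10000):
        sent, left = shape(burst, capacity)
        print(capacity, [classify(p[0], p[1]) for p in sent], "left", left)
```

With 3000 bytes of capacity the torrent packets never go out; with plenty of capacity exactly one fits in the undesired budget, which is the "hampered but not blocked" outcome 4.3.3 describes.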

5 URL Filtering Procedure

5.1 Purpose
The purpose of this procedure is to provide a guideline for filtering Web traffic.

5.2 Scope
This procedure applies to all Web traffic leaving the egress point of the ASD network. This procedure will affect all users within the ASD network.

5.3 Procedure
Generally, URL filtering devices can be deployed in two different modes: promiscuous (out-of-band) and inline. In promiscuous mode the device watches a copy of the traffic from a tap or switch monitor port and blocks by injecting a TCP reset or redirect, so it adds no latency and cannot take the link down if it fails; the trade-off is that the first packets of a request can reach the site before the block lands, and encrypted (HTTPS) traffic can only be judged by its destination. Inline mode sits in the path and can drop a request outright, at the cost of becoming a point of failure. It is recommended to deploy in promiscuous mode when able because of flexibility and minimal impact on traffic flow. All Web-based traffic will be compared against the following list. How this traffic is filtered will be dictated by ASD policies.

5.3.1 Pornography / Nudity

5.3.1.1. Pornography: Includes Web sites containing the depiction of sexually explicit activities and erotic content unsuitable to persons under the age of 18.

5.3.1.2. Erotic / Sex: Includes Web sites containing erotic photography and erotic material, as can be found on television or obtained free of charge from magazines. Sex toys are also in this category. Sexually explicit activities are not listed here.

5.3.1.3. Swimwear / Lingerie: Includes Web sites containing nudity, but with no sexual references. Includes bikini, lingerie and nudity.

5.3.2 Criminal Activities

5.3.2.1. Illegal Activities: This includes activities that are illegal under applicable law, such as instructions for murder, manuals for bomb building, instructions for other illegal activity, child pornography, etc.

5.3.2.2. Computer Crime: Includes Web sites on the illegal manipulation of electronic devices, data networks and procedures, attacks on password encryption, manuals for virus programming and credit card misuse.

5.3.2.3. Political Extreme / Hate / Discrimination: Contains Web sites with extreme right and left-wing groups, sexism, racism and the suppression of minorities.

5.3.2.4. Hacking / Warez / Illegal Software: This category contains sites with software cracks, license key lists and illegal license key generators.

5.3.3 Violence / Extreme

5.3.3.1. Includes Web sites that are normally assigned to other categories, but are particularly extreme in their content (e.g. violence).

5.3.4 Games / Gambling

5.3.4.1. Gambling / Lottery: Includes lottery organizations, casinos and betting agencies.

5.3.4.2. Computer Games: Classifies the Web sites of computer games, computer game producers, cheat sites and online gaming zones.

5.3.5 Entertainment / Culture

5.3.5.1. Music: Includes Web sites from radio stations, online radio, MP3, Real Audio, Microsoft Media, home pages of bands, record labels and music vendors.

5.3.6 Information / Communication

5.3.6.1. Chat: This category contains Web sites that allow users to have a Web-based exchange of information with another user from place to place. Also listed are chat-room providers. Login servers for Instant Messaging communications are categorized as "Instant Messaging".

5.3.7 Information Technology (“IT”)

5.3.7.1. Anonymous Proxies: Includes Web sites that allow the user to anonymously view Web sites.

5.3.8 Drugs

5.3.8.1. Illegal Drugs: This category contains Web sites about LSD, heroin, cocaine, ecstasy (XTC), marijuana, amphetamines, hemp and the paraphernalia of drug use (e.g. water pipes).

5.3.9 Lifestyle

5.3.9.1. Dating / Relationships: This category contains Web sites that promote interpersonal relationships.

5.3.10 Weapons / Military

5.3.10.1. This category deals with guns, knives (not including household or pocket knives), air guns, fake guns, explosives, ammunition, military guns (tanks, bazookas), guns for hunting, and swords.

5.3.11 Spam

5.3.11.1. Spam URLs: This category contains Web sites that are solicited in spam e-mails.

5.3.11.2. Phishing URLs: This category includes Web sites that are contained in phishing e-mails.

5.3.12 Malware

5.3.12.1. This category contains Web sites that install data transmitting programs without the user's knowledge.
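Whatever appliance applies the categories above, the part that goes wrong most often is the matching itself: a filter that searches for a blocked string anywhere in the URL blocks legitimate pages that merely mention a listed site and misses a listed site reached through a port, credentials or a trailing dot in the host name. The following added example (not the district's appliance or its vendor's list) normalizes the host and matches it by domain suffix against a small constructed category map whose names follow section 5.3; a listed domain covers its subdomains, but "casino.example.org" does not match a listing for "casino.example".

```python
"""Category lookup for URL filtering (section 5.3).

Added illustration, not ASD's filtering appliance or vendor list. The
category map is constructed; category names follow section 5.3. Matching is
by host-name suffix, never by substring over the whole URL.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed category list: domain -> category from section 5.3.
CATEGORIES: Dict[str, str] = {
    "casino.example": "Gambling / Lottery",
    "proxy.example": "Anonymous Proxies",
    "login.phish.example": "Phishing URLs",
    "tracker.example": "Malware",
}


def normalize_host(url: str) -> str:
    """Lower-cased host with scheme, credentials, port, trailing dot and
    Unicode removed; bare hosts (as seen in proxy logs) are accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    host = host.rstrip(".").lower()
    try:
        host = host.encode("idna").decode("ascii")   # internationalized names
    except UnicodeError:
        pass
    return host


def lookup(url: str, categories: Dict[str, str] = CATEGORIES) -> Optional[str]:
    """Return the category for url, or None if it is uncategorized.

    Walks from the full host to successively shorter suffixes, so a listed
    domain also covers its subdomains without matching unrelated domains that
    merely contain the same labels.
    """
    labels = normalize_host(url).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in categories:
            return categories[candidate]
    return None


if __name__ == "__main__":
    # Constructed proxy-log samples.
    for u in ("https://www.casino.example/play",
              "https://example.com/?q=casino.example",
              "http://user:pw@CASINO.EXAMPLE.:8080/x",
              "casino.example.org",
              "tracker.example"):
        print(u, "->", lookup(u))
```

The same suffix walk is what lets the Anonymous Proxies category work at all: users who want to evade the filter try host-name tricks (mixed case, a trailing dot, credentials in the URL) before they look for a proxy, and the normalization step closes those first.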

5.4 Exceptions

Requests for exceptions to this procedure can be made by generating a request in writing to the CIO. This request will include the name of the school or department, requesting person name and contact information, and an educational justification for the exception.
