Object: Eurocopter network architecture and security rules. Technical implementation in each Eurocopter site (EC/ECD/subsidiaries)

Transcription

1 ANNEX 2 Marignane, September 2001 K/V n 999/01 JPP Information System Directorate Network Services Departement E-Services Object: Eurocopter network architecture and security rules. Technical implementation in each Eurocopter site (EC/ECD/subsidiaries) 1. Introduction eneral security rules Technical implementation Required network architecture and means Equipment standards proposal Price estimation Conclusion lossary... 9 Copy(s) : KVj/B. hedighian

2 1. Introduction Eurocopter is implementing one private corporate network (ECWAN) between all the plants, including the subsidiaries. All internal network in each plant will be interconnected as if all plants are on the same internal network. The ECWAN installation and operation is under the responsibility (management, availability, encryption means ) of one supplier, T-System, and based on Frame-relay technology.. The subsidiaries will be connected to ECWAN by permanent links with backup. The Eurocopter plants and subsidiaries are also connected to public network (Internet). As we build a common private network in the group, we must have the same security rules in each plant to filter access from outside inside our private network. These. security rules must be followed by those entities which have a connection to EC WAN. Regarding the current architecture of the subsidiaries and their internet services needs, we describe hereafter required connection architecture to make you compliant with the EC security rules. 2. eneral security rules The following rules have to be applied in all the Eurocopter entities (EC and subsidiaries), in accordance also with the EADS rules : 1) Each Eurocopter entity is responsible for controlling its connection point and monitoring the activities on the network. The monitoring organization and means in each Eurocopter entity can be audited by Eurocopter roup security team. 2) Each Eurocopter entity is responsible for the accessors to the Eurocopter network. Accessors are submitted to individual authorization and to reinforced authentication system (ex : one session password). 3) The Eurocopter entity s internal network must be isolated from Internet physically or through a filtering device (firewall or filtering router). 4) The link connecting each Eurocopter entity must be encrypted, using hardware or software from European origin (this is covered by T- systems services). The encryption keys management must be done by Eurocopter or EADS security teams. 5) In case of unauthorized entrance inside the network or serious incident affecting systems integrity or preventing correct operation 2

3 the Eurocopter entity must inform the Eurocopter roup security teams and other subsidiaries managers. 6) All electronic communication between Eurocopter entities should pass through the encrypted network and not through Internet. 3. Technical implementation These general rules lead to following technical consequences on the network technical organization and on the general services provided on this network (Internet access, , domain name services, Intranet access, application software access) : Internet access o Double connection on workstation Internal network-internet direct access is strictly forbidden without protection of internal network from unauthorized access coming from Internet o Internet access to the network must be protected either by firewall filtering functions or by physical separation of Internet access from network access. o No direct incoming session is allowed inside the network from internet o All servers needing an incoming access ( gateway, Web servers, Domain Name Servers : DNS, ) must be put in a special zone (DMZ : Demilitarized Zone) protected from internal network by a firewall (to deny the possibility of an end-to-end session between Internet and internal network) o Access to Internet by subsidiaries EC staff must be protected by user/password DNS (Domain Name Services) o Internal and external DNS must be different and not connected between themselves o Internal and external domain name must be different o External DNS has to be located in DMZ o Internal domain name proposed for subsidiary is: subsidiary.eurocopter.corp aec. eurocopter.corp ecl. eurocopter.corp for example o Connection between internal system and internet must be done through an Internet connector located in DMZ o Anti-virus scanning on system is mandatory Intranet access o Connection done by a proxy server is recommended to save bandwidth and simplify intranet and internet connections, but it is not mandatory Internet Web server o May be hosted by an external provider o If hosted in the subsidiary; it must be located in DMZ Eurocopter roup Information System access (SAP, IMS, ) o Connection must be done by an authentication software (for example with one session password) Information (mailboxes for example) can be stored only in external providers approved by EC (to ensure storage privacy of Eurocopter ) 3

4 Information exchange within Eurocopter and subsidiaries must be done through the EC network and not through Internet These rules have to be settled step by step to be fully running before end of The most urgent rule to apply before the network connection is isolation or filtering from internet connection. 4. Required network architecture and means The required means to apply the rules are depending on : o The way to access Internet (Permanent or Dial-up connection, one way or two ways connection) o The accessed services on internet (what is used on Internet) For each of the following three types of Internet connection : Type 1) Full : Subsidiary connected to Internet in a permanent two ways communication with hosted active services (ex : , Web server, DNS) (Inbound and outbound permanent connection) Type 2) Medium : Subsidiary connected to Internet in a permanent one way communication to access WEB (outbound permanent connection) Type 3) Light: Subsidiary accessing today Internet by Dial-up only to access WEB (outbound switched connection), we define hereafter the recommended architecture. 4

5 Type 1 : Subsidiary connected to Internet in a permanent way with hosted active services o The hosted active services need servers accessible from Internet (Internet gateway, Domain Name Server : DNS). o The associated equipment must be located in DMZ. o A firewall is mandatory to isolate the DMZ from internal network and Internet o The DNS Server et Internet connector must be located in the DMZ o A proxy recommended if the number of users accessing Intranet EC is high EC / Subsidiary network Intranet connection Full Architecture Internet Smtp relay Web Server DNS server containing addresses having to be known by Internet and forwarding rules to other Internet DNS DMZ DNS server containing internal addresses not connected to the external DNS Subsisiary Lan Proxy server used to connect to internet and EC Intranet server Eurocopter entry point Subsisiaries FIREWALL EC LAN Eurocopter applications & services... Managed by T- System Managed by the subsidiary _. _ Managed by Eurocopter K.VE J-P Parcy 5

6 Type 2 : Subsidiary connected to Internet in a permanent way without hosted active services o Subsidiary with only access to WEB on Internet o Neither system nor DNS nor WEB server are accessed from Internet (excepted if it s hosted by an external provider not connected to Subsidiary network) A router including fire-wall functions is enough, but o Denies the possibility to have servers accessible from internet ( , webserver) o Is strictly limited to connection of workstations to Internet EC / Subsidiary network Intranet connection Medium Architecture Internet Router including Fire-wall functions Subsisiary Lan Workstation Eurocopter entry point Subsisiaries FIREWALL EC LAN Eurocopter Network Eurocopter applications & services... Managed by T- System Managed by the subsidiary _. _ Managed by Eurocopter K.VE J-P Parcy Type 3 : Subsidiary accessing Internet by Dial-up connection only to access WEB 6

7 o Subsidiary uses Internet only to access WEB services o and DNS services o A specific project must be launched to define how the DNS and services will be changed and organized between subsidiaries and mother company to be compliant with the security rules o Internet access must be done with: o A stand-alone workstation not connected to the subsidiary internal network EC / Subsidiary network Intranet connection Light Architecture Internet Internet Modem Workstation Modem Subsisiary Lan Eurocopter entry point Subsisiaries FIREWALL EC LAN Workstation Eurocopter Network... Managed by T- System Managed by the subsidiary _. _ Managed by Eurocopter Eurocopter applications & services K.VE J-P Parcy 5. Equipment standards proposal In a corporate Network we have better to install the same standard hardware everywhere to make the operation and maintenance of these means easier. 7

8 For those subsidiaries which have not such equipments, it is highly recommended to follow these standards. For those which have already some of these equipments, it must be studied case by case : the replacement must be planned after the current hardware depreciation period or after the end of the current hardware rental contract. According to the different architectures the standard for equipments is the following All architectures o Authentication: Safe Data (to authenticate to be able to access business applications like Sacha, Sap,.if needed). o 3270 Emulator: Host-Explorer from Hummingbird (to access legacy mainframe business applications like Sacha, if needed) o There's a global Eurocopter contract; with discounts for these software licences Full architecture o Firewall: Firewall 1 from Checkpoint o DNS: CNR from CISCO o Proxy: Cacheflow from Cacheflow o Exchange from Microsoft Medium architecture o Firewall Router: Cisco Series with IOS Firewall feature Light Architecture o No additional equipment required The equipment management must be done locally by subsidiary means (internally or through a local service provider) 6. Price estimation The range of price is based on French prices to give a rough estimation. It must be checked with local providers. o Firewall 1 from Checkpoint o 6K+15K (hard+soft) o CNR from CISCO o Soft included in the Eurocopter licence, hard: 3K o Cacheflow: 6K o Cisco router with IOS Firewall feature: hard between 2K (1700 series) and 4K (2600 series) depending on the model, soft between 1K and 2,5 K depending on the router model o Safe Data: 0,1 K by user. The software licences must be acquired through Eurocopter global contract to get relevant discounts. o Host-Explorer: 0,4 K by workstation. The software licences must be acquired through Eurocopter global contract to get relevant discounts 7. Conclusion 8

9 For all subsidiaries some tasks have to be done to be able: o to define the type of connection (1, 2 or 3) o to take into account current installation and local specificities o to size the needed equipment according to number of users, traffic These tasks are: o Current situation analysis regarding the network architecture and security means o Definition of the target architecture and required means o Price estimation for minimal implementation to be safely protected from Internet o Definition of further steps to go to the target architecture to be compliant with all the rules. They must be done locally either internally or by external IT company depending on the IT capabilities in each subsidiary. 8. lossary WAN: Wide Area Network: Network used within plants DMZ: Demilitarized Zone : special network zone with access from outside networks. This zone is connected to internal network through a firewall to prevent unauthorized access from outside to internal network DNS: Domain Name Server: Function and server use to manage the association between the logical name and the network address (IP address). Jean-Pierre Parcy Tel. : Fax :