Network Security Guidelines. e-governance


Network Security Guidelines for e-governance
Draft
DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY
Ministry of Communication and Information Technology, Government of India.

Document Control

S/L  Type of Information        Document Data
1.   Document Title             e-gov Network Security Guidelines
2.   Document Code              GL_eGov_NS
3.   Date of Release
4.   Next Review Date
5.   Document Revision Number
6.   Document Owner             DeitY
7.   Document Author(s)
8.   Document Reference

Document Approval

Sr. No.  Document Approver  Approver Designation  Approver E-mail ID

Document Change History

Version No.  Revision Date  Nature of Change  Date of Approval

For Internal Use Only Page 2 of 17

Table of Contents
1. INTRODUCTION
2. SCOPE
3. PURPOSE
4. NETWORK MANAGEMENT
   4.1 NETWORK CONNECTIVITY
   4.2 NETWORK SERVICES
5. NETWORK ARCHITECTURE & DESIGN
   5.1 LOCAL AREA NETWORK
   5.2 LOCAL AREA NETWORK
6. PHYSICAL SECURITY
7. PERIMETER SECURITY
   7.1 FIREWALL ADMINISTRATION
   7.2 ROUTER
   7.3 INTRUSION DETECTION / PREVENTION SYSTEM
8. INTRANET SECURITY
   8.1 SWITCH SECURITY
   8.2 DESKTOP AND SERVER SECURITY
   8.3 VIRTUAL PRIVATE NETWORK
   8.4 SAN
9. REMOTE ACCESS SECURITY
   9.1 REMOTE DESKTOP ACCESS
   9.2 THIRD PARTY ACCESS

10. WIRELESS ACCESS
11. ENCRYPTION
12. NETWORK MONITORING AND TROUBLESHOOTING
13. REFERENCE

1. INTRODUCTION

The increasingly important role of automated information system networks in organizations has fuelled the need for more secure systems. Any intrusion or network failure would affect the confidentiality, availability and integrity of the organization's information assets.

2. SCOPE
This guideline is applicable to all network devices, such as routers, switches and firewalls, used in e-gov service delivery.

3. PURPOSE
The purpose of these guidelines is to guide network administrators of e-gov information systems on appropriate use of its assets & facilities deployed for providing e-gov services. It also helps to implement Network Segmentation (I.AC-5), Network Routing Control (I.AC-6), and Network Connection Control (I.AC-7) mentioned in esafe GD200.

4. NETWORK MANAGEMENT
- Network services and servers should be controlled to ensure that connected users or computer services do not compromise the security of any other networked services.
- The network design / architecture of the organization should be formally documented, approved and periodically reviewed by the CISO.
- Any change initiated in the network design should undergo a proper change management process with appropriate testing, and formal approval for implementation should be sought from the CISO, along with any compensating controls if required. The changes should be reflected in an updated network diagram.

- The network administrator should ensure that the network diagram is current.
- The number of entry points and single points of failure should be minimized to ensure a stable network.
- Servers / systems which need to be placed in the DMZ should be identified.
- The firewall and other filtering devices to control the external traffic will be deployed, configured and managed by the Network Administrator.
- Antivirus software should be deployed and managed by the Network Team.

4.1 NETWORK CONNECTIVITY
- All network connections from the untrusted network (internet) should pass through the firewall and router prior to accessing the trusted network.
- All connections from the internet to the internal network should be through an SSL VPN communication channel.

4.2 NETWORK SERVICES
- The network services and ports required for business function operations should be identified, documented and updated periodically or whenever any change is observed.
- The Security team should conduct periodic reviews to ensure no unnecessary services are active on the servers. In case any noncompliance is found during such reviews, the CISO should be informed and should take appropriate action.

- If any service or port other than those on the maintained standard list needs to be enabled on a server as per a business requirement, the request must follow a change management process and must be properly authorized, tested and implemented, along with compensating controls if required. The details of this test and approval process should be documented.
- A network server should be dedicated to a single service; this simplifies configuration, thereby reducing the risk of configuration errors. In some cases, however, it may be appropriate to offer more than one service on a single host computer.
- Any remote access or VPN request should go through a proper authorization process.

5. NETWORK ARCHITECTURE & DESIGN

5.1 LOCAL AREA NETWORK
- The network design should clearly demarcate the Local Area Network (LAN) of the organization.
- The LAN should cover the desktops, servers and other devices which are supposed to be placed so as to be protected from the untrusted network.
- VLANs configured within the LAN should be highlighted in the design to segregate access to any critical server.
- Communication between different segments of the LAN should be restricted if not required.

5.2 LOCAL AREA NETWORK

- The network design should reflect the connections made to the external (i.e. SWAN) networks.
- WAN communication controls will be managed and controlled by the network administrator.
- Proper segregation of LAN, WAN, SWAN and Internet connections should be depicted in the network diagram.

6. PHYSICAL SECURITY
- All devices should be hosted inside a secure environment such as a server room.
- Devices should be installed inside a rack secured with lock & key.
- Proper environmental conditions should be maintained to protect the devices.
- A review of physical & environmental conditions should be carried out every quarter.

7. PERIMETER SECURITY
The perimeter security should be managed with the implementation of adequate filtering and monitoring devices such as firewalls, routers, and intrusion detection or prevention systems.

7.1 FIREWALL ADMINISTRATION
- For any systems hosting e-gov applications, or providing access to sensitive or confidential information, internal firewalls or filtering routers must be used to provide strong access control and support for auditing and logging.
- Physical access to the firewall terminal is limited to authorized people only.
- Only the firewall administrator and backup administrator must be given user accounts on the firewall.
- The firewall administrator or backup administrator must modify the firewall system only after raising a proper change request.
- Before an upgrade of any firewall component, the firewall administrator must verify with the vendor that an upgrade is required. After any upgrade, the firewall must be tested to verify proper operation prior to going operational.
- All security patches recommended by the firewall vendor must be implemented in a timely manner.

Firewall logs:
- The firewall must be configured to log all reports.
- Firewall logs will be reviewed on a daily basis by the network security team to determine whether any attacks have been detected.

Firewall backup:
- The firewall (systems software, configuration data, etc.) must be backed up, and a copy of the current configuration/last configuration would be available with the Security team.

- Firewall backup files must be stored securely offsite to allow recovery during a disaster.

7.2 ROUTER
- All default passwords used for administrative or other authorization must be changed.
- Routers must have the latest vendor-supplied security patches installed. Relevant security patches shall be installed within one month of release.
- Configuration files of the router must be protected properly.
- Passwords must be changed as per the password security policy.
- Routers must have appropriate login banners.
- All router operating system upgrades from vendors must be scanned for viruses before use in the production environment.
- All maintenance fixes must be applied on the routers during non-peak or off-business-hour times.
- The latest configuration of all the routers must be backed up as per the backup policy.
- Router configuration and rule sets should be reviewed every quarter.
- Default SNMP community strings must be replaced with complex strings, and these strings will be known only to authorized personnel in the data centre.
- Access rules must be added as business needs arise.
- Telnet should never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH is the preferred management protocol.
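A configuration audit for three of the Section 7.2 router requirements above (default SNMP community strings, login banners, Telnet on management lines), as an added example that is not part of the original guideline. It assumes Cisco IOS-style configuration syntax, which the guideline does not specify; both sample configurations are constructed.

```python
import re

# Well-known default community strings (assumed list for this example).
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample configs in Cisco IOS-style syntax (an assumption; the
# guideline names no vendor). Neither comes from a real device.
WEAK_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""

HARDENED_CONFIG = """\
hostname edge-rtr-01
banner login ^C Authorized users only. ^C
snmp-server community Zq7-constructed-example RO
!
line vty 0 4
 transport input ssh
 login local
!
"""


def audit_router_config(text):
    """Return sorted findings against the Section 7.2 router requirements."""
    findings = []
    lines = [ln.rstrip() for ln in text.splitlines()]

    # Default SNMP community strings must be replaced.
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community '{m.group(1)}'")

    # Routers must have a login banner ('banner login' or 'banner motd').
    if not any(re.match(r"banner (login|motd)\b", ln) for ln in lines):
        findings.append("no login banner configured")

    # Telnet must not be used for management: collect 'transport input'
    # for every 'line vty' block (sub-commands are the indented lines).
    transport, current = {}, None
    for ln in lines:
        if re.match(r"line vty\b", ln):
            current = ln
            transport[current] = None
        elif current and ln.startswith(" "):
            m = re.match(r"\s+transport input (.+)", ln)
            if m:
                transport[current] = m.group(1).split()
        else:
            current = None
    for vty, protos in transport.items():
        if protos is None:
            findings.append(f"{vty}: no 'transport input'; default may allow Telnet")
        elif "telnet" in protos or "all" in protos:
            findings.append(f"{vty}: Telnet permitted")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_router_config(cfg) or "compliant")
```

Run against the backed-up router configurations during the quarterly review, an empty result means none of the three checks failed; the remaining 7.2 items (patch level, backups, change windows) still need their own evidence.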

7.3 INTRUSION DETECTION / PREVENTION SYSTEM
- All default passwords used for administrative or other authorization must be changed.
- IDS / IPS signatures must be updated on a regular basis.
- Configuration files of the IDS / IPS must be protected properly and should be backed up as per the backup policy.
- Vendor-supplied security patches must be installed on the IDS / IPS.
- All changes must follow the change management procedure.
- The IDS / IPS rule set must be reviewed every quarter.
- Access to the IDS / IPS for management purposes must be restricted to authorized personnel and should use a secure means of access such as SSH or HTTPS.

8. INTRANET SECURITY

8.1 SWITCH SECURITY
- The core switches should be physically located in the Server Room with adequate physical access control and favourable environmental controls.
- Adequate segregation of the internal network should be implemented by configuring VLANs.
- Inter-VLAN policies and policy-based routing should be implemented on the switches.

- Only Network Administrators should have user accounts on the switch.
- Passwords should be changed as per the password policy.
- Remote access management should only be implemented over VPN or SSH.
- Configuration files of the switch should be protected by appropriate file permissions/authentication.
- The switch operating system upgrades from vendors should be scanned for viruses prior to deployment in the production environment.
- The latest configuration of all the switches should be backed up as per the backup policy.
- All maintenance fixes shall be applied on the switches during non-peak or off-business-hour times.
- All switches should be configured as per the defined secured guidelines document.

8.2 DESKTOP AND SERVER SECURITY
- All desktops should be equipped with an updated version of antivirus software.
- The desktops should be updated with the latest security patch released by the vendor.
- Access to system utilities should be limited to administrators only.
- The desktops and servers should be managed and maintained by the system administrator.
- The desktops and servers should be hardened as per the respective hardening or baseline documents.

8.3 VIRTUAL PRIVATE NETWORK
- The Organization will be using a Virtual Private Network (VPN) service as a mechanism for its users to access network resources from remote locations.
- All employees/third parties/contractors requiring VPN access to the organizational network should seek formal approval from the CISO and their Departmental Head, highlighting the business need for the access.
- A list of users granted VPN access should be maintained by the Network Security team.
- All VPN users should authenticate to the VPN server using their network account user ID and password.
- IPSEC or SSL mode for the VPN communication channel should be implemented.
- All users using the VPN service should ensure that firewall and virus protection software is installed and maintained on their machine. Software updates should be applied regularly and other standard practices must be followed to keep their VPN client system secure against unauthorized access.
- Users should not share their VPN account or password with others.
- Administrative access to the VPN should be controlled using two-factor authentication.

8.4 SAN
- The SAN storage box must be protected from unauthorized access. Only authorized users will have access to the SAN boxes.
- Changes on the SAN storage box should adhere to the change management process.
- SAN configuration files should be backed up and copied to a secure place.

- The SAN should support cloning (creating a copy of production disks) onto less expensive disks from which the backup would be performed without affecting the performance of the production disks.

9. REMOTE ACCESS SECURITY
The following procedures should be followed to secure IT systems when they are accessed remotely.

9.1 REMOTE DESKTOP ACCESS
- All users requiring access to RDP (Remote Desktop Connectivity) services should seek formal approval from their Departmental Head and the CISO, highlighting the business requirement for the same.
- The list of users granted access to the RDP service should be maintained and updated following changes, along with the respective expiration time period.
- Periodic review of desktops/servers should be conducted to ensure adherence to authorized access of the RDP service.

9.2 THIRD PARTY ACCESS
- All connectivity established must be based on the least-access principle, in accordance with the approved business requirements and the security review.
- The third party or vendor must follow the e-gov Security Policy.
- All changes in the third party connections must be approved and authorized by the Organization.

- Third party access privileges should be reviewed at regular intervals.
- Third party access should be deactivated as per the proper procedure if not required.

10. WIRELESS ACCESS
- Implementation of wireless devices should be approved by authorized personnel.
- Wireless LAN access should be over an encrypted channel using stronger encryption methods.
- It should be ensured that wireless access points are secured properly.
- The SSID (Service Set Identifier) of the wireless network should be unique and must not be broadcast.

11. ENCRYPTION
- Encryption must be used when information of Confidential and Proprietary classification is passed over the network.
- The network security team should evaluate the different protocols and implement strong cryptographic controls to safeguard information.
- Critical information, such as passwords in a database, should be encrypted using a strong encryption algorithm.

- Encryption and decryption keys should be securely stored in a sealed envelope or in a system.

12. NETWORK MONITORING AND TROUBLESHOOTING
- All network devices should be monitored regularly to identify any link/component failures.
- The network should also be monitored to ensure legitimate use of the allocated network bandwidth.
- Appropriate corrective actions and preventive actions should be implemented and documented for any network failures.

13. REFERENCE

Network Segmentation (I.AC-5) in esafe-gd200
The network architecture and segmentation should be based on different security levels (depending on the nature of the information asset and anticipated security threats).

Network Routing Control (I.AC-6) in esafe-gd200
The organization should adopt a policy in respect of controlling the information flow within the system and between interconnected systems. The information system should enforce such policy wherever there is a difference in the level of trust.

Network Connection Control (I.AC-7) in esafe-gd200
For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network should be restricted, in line with the access control policy and requirements of the business applications.