In today’s global marketplace your organization needs network connectivity with external entities: suppliers, credit card processing companies, business partners, data feeds, etc. But are you really sure these connections are secure and compliant? Are you sure they are not inadvertently creating holes in your network and exposing your organization to cybercriminals? The Target breach, and many others like it, should at least make you double-check your practices.
Presented by renowned industry expert Professor Avishai Wool, this technical webinar covers best practices for managing the lifecycle of external connectivity to and from your network, including:
• Defining the right infrastructure, network segmentation, security controls and additional security protections
• Managing changes to connectivity for third party applications or data feeds
• Routing partner traffic through your network
• Auditing and compliance challenges for both you and your partner
• Technical considerations for managing the business and ownership aspects of third party connectivity
4. What is an External Connection?
An external organization that needs a permanent network connection that allows access to/from internal networked servers:
• Market data feeds
• Access to supplier databases
• Messaging gateways, etc.
Confidential 4
What is not an external connection?
• Customer access to web portal; remote offices; VPN access for field teams
5. Poll
• How many external connections do you estimate you handle?
• Less than 50
• 50-250
• More than 250
• I wish I knew
6. Legal Aspects
• There is a contract governing the connection
• Technical sections of the contract may specify:
• IP addresses and ports
• Technical contact points: internal and external
• SLAs
• Problem resolution and escalation processes
• Testing procedures
• Physical location of servers
• … and more…
7. Who Do You Trust?
• The other side of the connection is semi-trusted
• Place servers in a DMZ
• Segregate DMZ by firewalls
• Restrict traffic in both directions
• Additional controls to consider:
• Web application firewall (WAF)
• Data Leak Prevention (DLP)
• Intrusion Detection (IDS/IPS)
8. Are you a Target?
“Getting from a procurement portal to a cardholder data environment is a long road”
“Only highly skilled hackers could find a way around such network segmentation”
“… If Target gave the vendor too much access to the network the blame lies firmly with Target…”
13. Regulatory Compliance
If the data being accessed over the external connection is regulated, the systems and possibly the peer’s systems are subject to audit!
• PCI 3.0: If the connection touches credit card data then both sides of the connection are in scope
• Outsourcing does not let you off the hook…
15. Reasons for Maintenance
Planned changes:
• By the IT staff
• By the peer
• Networking changes
• …
Unplanned outages:
• Server or network element down
• Device misconfiguration
• …
17. Knowledge is Power
Change/outages affect an external connection:
• Remember the contract!
• Coordinate with peers
• Workflow
• Your Information Systems should:
• Allow teams to recognize external connections
• Provide access to relevant information: contact points, contract, SLAs, etc.
• Support the tweaked workflows
20. Routing Considerations
• Your peer obviously has an Internet connection…
• You do not want to use your peer as an ISP!
• and you do not want to be their ISP either
Tips:
1. Point the default route toward the “trusted” side
2. No dynamic routing protocols (no BGP/OSPF)
3. … and filter irrelevant traffic (in both directions)
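A defender-side check that ties the contract (slide 6), the "restrict traffic in both directions" advice (slides 7 and 20) and the audit requirement (slide 13) together: given the IP addresses and ports the contract permits, audit the rules on the partner-facing firewall and flag anything broader than the contract or open to any network in either direction. This is an added Python example, not material from the webinar; the addresses are RFC 5737 documentation ranges and the contract and rule sets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample data using RFC 5737 documentation ranges (assumption).
PEER_NET = "203.0.113.0/24"   # the partner's network, as written in the contract
DMZ_HOST = "192.0.2.10/32"    # our DMZ server that the partner may reach

@dataclass(frozen=True)
class Flow:
    """A permitted flow: direction, source CIDR, destination CIDR, TCP port (0 = any)."""
    direction: str  # "in" = peer -> our DMZ, "out" = our DMZ -> peer
    src: str
    dst: str
    port: int

def covers(contract_flow: Flow, rule: Flow) -> bool:
    """True if the firewall rule is no broader than one flow the contract permits."""
    if contract_flow.direction != rule.direction:
        return False
    if not ipaddress.ip_network(rule.src).subnet_of(ipaddress.ip_network(contract_flow.src)):
        return False
    if not ipaddress.ip_network(rule.dst).subnet_of(ipaddress.ip_network(contract_flow.dst)):
        return False
    return contract_flow.port in (0, rule.port)

def audit_rules(contract: List[Flow], rules: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (rule, reason) for every firewall rule the contract does not justify."""
    findings = []
    for rule in rules:
        nets = (ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst))
        if any(n.prefixlen == 0 for n in nets):
            # 0.0.0.0/0 on a partner link means one side is acting as the other's ISP
            findings.append((rule, "any-network rule on a partner link"))
        elif not any(covers(c, rule) for c in contract):
            findings.append((rule, "broader than, or absent from, the contract"))
    return findings

# Technical section of the contract (constructed): one permitted flow per direction.
CONTRACT = [
    Flow("in", PEER_NET, DMZ_HOST, 443),              # partner uses our portal over HTTPS
    Flow("out", DMZ_HOST, "203.0.113.50/32", 5432),   # portal queries the supplier database
]
# Rules found on the partner-facing firewall (constructed); only the first is justified.
RULES = [
    Flow("in", PEER_NET, DMZ_HOST, 443),
    Flow("in", PEER_NET, "192.0.2.0/24", 443),      # entire DMZ exposed, not just the portal
    Flow("in", "0.0.0.0/0", DMZ_HOST, 22),          # SSH from anywhere: not in the contract
    Flow("out", "192.0.2.0/24", "0.0.0.0/0", 0),    # DMZ may reach the Internet via the peer
]
```

Running `audit_rules(CONTRACT, RULES)` reports the last three rules; the same check can be re-run after every change to the link as the audit evidence slide 13 asks for.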
43. Summary
• External connections require special attention
• Design your network architecture carefully
• IT systems should assist the teams:
• Recognize the external connections
• Track relevant information
• Intelligently support planned and unplanned maintenance scenarios