DMZ Lab Security Policy
Created by or for the SANS Institute. Feel free to modify or use for your organization. If you have a policy to contribute, please send e-mail to stephen@sans.edu

1.0 Purpose

This policy establishes information security requirements for all networks and equipment deployed in <Company Name> labs located on the "De-Militarized Zone" (DMZ). Adherence to these requirements will minimize the potential risk to <Company Name> from the damage to public image caused by unauthorized use of <Company Name> resources, and the loss of sensitive/company confidential data and intellectual property.

2.0 Scope

<Company Name> Lab networks and devices (including but not limited to routers, switches, hosts, etc.) that are Internet facing and located outside <Company Name> corporate Internet firewalls are considered part of the DMZ Labs and are subject to this policy. This includes DMZ Labs in primary Internet Service Provider (ISP) locations and remote locations. All existing and future equipment which falls under the scope of this policy must be configured according to the referenced documents. This policy does not apply to labs residing inside <Company Name>'s corporate Internet firewalls. Standards for these labs are defined in the Internal Lab Security Policy.

3.0 Policy

3.1. Ownership and Responsibilities

1. All new DMZ Labs must present a business justification with sign-off at the business unit Vice President level. InfoSec must keep the business justifications on file.

2. Lab owning organizations are responsible for assigning lab managers, a point of contact (POC), and a backup POC for each lab. The lab owners must maintain up-to-date POC information with InfoSec [and the corporate enterprise management system, if one exists]. Lab managers or their backup must be available around the clock for emergencies.

3. Changes to the connectivity and/or purpose of existing DMZ Labs and establishment of new DMZ Labs must be requested through a <Company Name> Network Support Organization and approved by InfoSec.

4. All ISP connections must be maintained by a <Company Name> Network Support Organization.

5. A Network Support Organization must maintain a firewall device between the DMZ Lab(s) and the Internet.

6. The Network Support Organization and InfoSec reserve the right to interrupt lab connections if a security concern exists.

7. The DMZ Lab will provide and maintain network devices deployed in the DMZ Lab up to the Network Support Organization point of demarcation.

8. The Network Support Organization must record all DMZ Lab address spaces and current contact information [in the corporate enterprise management system, if one exists].

9. The DMZ Lab Managers are ultimately responsible for their DMZ Labs complying with this policy.

10. Immediate access to equipment and system logs must be granted to members of InfoSec and the Network Support Organization upon request, in accordance with the Audit Policy.

11. Individual lab accounts must be deleted within three (3) days when access is no longer authorized. Group account passwords must comply with the Password Policy and must be changed within three (3) days from a change in the group membership.

12. InfoSec will address non-compliance waiver requests on a case-by-case basis.

3.2. General Configuration Requirements

1. Production resources must not depend upon resources on the DMZ Lab networks.

2. DMZ Labs must not be connected to <Company Name>'s corporate internal networks, either directly or via a wireless connection.

3. DMZ Labs should be in a physically separate room from any internal networks. If this is not possible, the equipment must be in a locked rack with limited access. In addition, the Lab Manager must maintain a list of who has access to the equipment.

4. Lab Managers are responsible for complying with the following related policies:
   a. Password Policy
   b. Wireless Communications Policy
   c. Lab Anti-Virus Policy

5. The firewall devices maintained by the Network Support Organization must be configured in accordance with least-access principles and the DMZ Lab business needs. All firewall filters will be maintained by InfoSec.

6. The firewall device must be the only access point between the DMZ Lab and the rest of <Company Name>'s networks and/or the Internet. Any form of cross-connection which bypasses the firewall device is strictly prohibited.

7. Original firewall configurations and any changes thereto must be reviewed and approved by InfoSec (including both general configurations and rule sets). InfoSec may require additional security measures as needed.

8. Traffic from DMZ Labs to the <Company Name> internal network, including VPN access, falls under the Remote Access Policy.

9. All routers and switches not used for testing and/or training must conform to the DMZ Router and Switch standardization documents.

10. Operating systems of all hosts internal to the DMZ Lab running Internet Services must be configured to the secure host installation and configuration standards. [Add URL link to the site where your internal configuration standards are kept.]

11. Current applicable security patches/hot-fixes for any applications that are Internet services must be applied. Administrative owner groups must have processes in place to stay current on appropriate patches/hot-fixes.

12. All applicable security patches/hot-fixes recommended by the vendor must be installed. Administrative owner groups must have processes in place to stay current on appropriate patches/hot-fixes.

13. Services and applications not serving business requirements must be disabled.

14. <Company Name> Confidential information is prohibited on equipment in labs where non-<Company Name> personnel have physical access (e.g., training labs), in accordance with the Information Sensitivity Classification Policy.

15. Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSEC) or console access independent from the DMZ networks.
4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment.

5.0 Definitions

Terms and Definitions

Access Control List (ACL): Lists kept by routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).

DMZ (de-militarized zone): Networking that exists outside of <Company Name> primary corporate firewalls, but is still under <Company Name> administrative control.

Network Support Organization: Any InfoSec-approved support organization that manages the networking of non-lab networks.

Least Access Principle: Access to services, hosts, and networks is restricted unless otherwise permitted.

Internet Services: Services running on devices that are reachable from other devices across a network. Major Internet services include DNS, FTP, HTTP, etc.

Network Support Organization Point of Demarcation: The point at which the networking responsibility transfers from a Network Support Organization to the DMZ Lab. Usually a router or firewall.

Lab Manager: The individual responsible for all lab activities and personnel.

Lab: A Lab is any non-production environment, intended specifically for developing, demonstrating, training and/or testing of a product.

Firewall: A device that controls access between networks, such as a PIX, a router with access control lists, or a similar security device approved by InfoSec.

Internally Connected Lab: A lab within <Company Name>'s corporate firewall and connected to the corporate production network.

6.0 Revision History