Internet DMZ Equipment Policy
Version: 1.00 | Issue Date: 12/8/2014
This is an example Internet DMZ Equipment Policy. An Internet DMZ Equipment Policy is required to ensure the security of the equipment that makes up the network's security perimeter.
This Internet DMZ Equipment Policy describes or defines standards for equipment and services operating in the DMZ. It defines configuration requirements to meet security standards, change management requirements, and operational requirements.
DMZ - The term DMZ is an acronym for demilitarized zone. The DMZ is the part of a network where servers that may be accessed by the public are normally placed. It normally sits between the internet and the "trusted network" and is separated by a firewall from both the internet and the trusted part of the network. The DMZ is considered a semi-trusted network: more secure than the internet but less secure than the trusted part of the network, since servers accessed by the public face higher risk and a greater chance of security incidents.
Untrusted network - Any network that is not trusted by your organization. A firewall must exist between an untrusted network and your organization's semi-trusted or trusted networks. Any network not managed by your organization should not be trusted, since you cannot guarantee the security of that network.
Semi-trusted network - Another name for DMZ.
Trusted network - The part of the network protected from the internet and any untrusted network by a firewall. It is also protected from the semi-trusted network by a firewall. Workstations and servers that hold data are normally kept in the trusted network, although there is good reason to further protect servers holding sensitive data from the "trusted network" itself, considering the state of security on many networks.
This Internet DMZ Equipment Policy is designed to protect the data of the organization and its business partners or any data the organization is in custody of by defining the requirements for devices that operate in the DMZ.
This Internet DMZ Equipment Policy applies to any equipment or devices operating in the organizational network DMZ. Equipment includes but is not limited to routers, hosts, and switches. This policy also covers servers hosted externally for the organization, and any server under an internet domain name owned by the organization, if they are accessible from any untrusted network or from the internet. This policy is effective as of the issue date and does not expire unless superseded by another policy.
4.0 Equipment Lists
Equipment or systems that this policy applies to must be listed in the enterprise management system with the following information:
Name and IP addresses of the server or device.
Operating system and version.
Installed applications and their versions including services such as email.
5.0 Configuration Requirements
The system must use only operating systems, applications, and services that are approved for use by the Information Technology Department.
Installation of all computer systems and applications including updates and configuration must be according to the Server Security Policy and System Lockdown Policy.
Installation and changes to all computer systems and applications including updates and configuration must follow the Change Management Policy.
The change management process that applies to this equipment must include processes to keep patches current within specified time periods.
All vendor recommended patches are required to be installed for all installed software and services according to the Change Management Process.
Passwords must be managed according to the password policy.
Two-factor authentication shall be used when remotely accessing any device in the DMZ.
Remote administration must use secure encrypted channels, use a one-time password, or be performed over a secure network.
Remote access connectivity rules for administration must be limited to a trusted source address or a limited number of trusted source addresses rather than allowing any remote connection for the purposes of administration.
Interfaces to hosts must have Domain Name System (DNS) records on the applicable domain name servers.
Any services not required to support the business need must be disabled.
Any services not used by the public must be restricted using firewall rules or network rules such as access control lists.
Any services or protocols in use that are not considered secure by the Chief Information Security Officer must be replaced with a protocol or service that is considered to be secure within an agreed time.
Relationships of trust between systems in the DMZ and any other system must be required by the business need, be approved by the security officer, and be documented.
Updates to software must be done locally or over a secure channel.
6.0 System Logs
Events related to computer security must be logged. Logs must be saved for a minimum of 30 days. Security related events that should be logged include:
Successful user login
Failed login attempts
Attempt to use an unauthorized privilege
7.0 Administrative Requirements
Access to system logs and equipment must be provided to authorized auditors upon demand according to the Auditing Policy.
Equipment purchased through contractors or from any third party must meet the requirements of this policy. Contracts must specify that the requirements of this and other policies are met by vendors and contractors.
Organizational members that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
10.0 Related Policies
Perimeter Security Policy
Incident Response Policy
Remote Access Policy
Network and Server Scanning Policy
11.0 Additional Requirements
Senior management must ensure that this policy is published and users agree to abide by the policy.
Auditors must periodically check to be sure this policy is being followed.
Devices in the DMZ must be covered by disaster recovery and business continuity plans.
An enterprise management system must exist or be created so that equipment may be tracked.
Approved by:__________________________ Signature:_____________________ Date:_______________