ANNEX 2. Marignane, September 2001. K/V n° 999/01 JPP

Information System Directorate, Network Services Department, E-Services

Object: Eurocopter network architecture and security rules. Technical implementation in each Eurocopter site (EC/ECD/subsidiaries)

Contents

1. Introduction (p. 2)
2. General security rules (p. 2)
3. Technical implementation (p. 3)
4. Required network architecture and means (p. 4)
5. Equipment standards proposal (p. 7)
6. Price estimation (p. 8)
7. Conclusion (p. 8)
8. Glossary (p. 9)

Copy(s): KVj/B. Ghedighian

"This document is the property of EUROCOPTER; it may not be communicated to third parties and/or reproduced without the prior written authorization of EUROCOPTER, and its contents may not be disclosed." © EUROCOPTER

1. Introduction

Eurocopter is implementing one private corporate network (ECGWAN) between all the plants, including the subsidiaries. All internal networks in each plant will be interconnected as if all plants were on the same internal network. The ECGWAN installation and operation are under the responsibility (management, availability, encryption means, …) of one supplier, T-Systems, and based on Frame Relay technology. The subsidiaries will be connected to ECGWAN by permanent links with backup.

The Eurocopter plants and subsidiaries are also connected to the public network (Internet). As we build a common private network in the group, we must have the same security rules in each plant to filter access from outside into our private network. These security rules must be followed by every entity which has a connection to the EC WAN.

Taking into account the current architecture of the subsidiaries and their Internet service needs, we describe hereafter the required connection architecture to make you compliant with the EC security rules.

2. General security rules

The following rules have to be applied in all the Eurocopter entities (ECG and subsidiaries), in accordance also with the EADS rules:

1) Each Eurocopter entity is responsible for controlling its connection point and monitoring the activities on the network. The monitoring organization and means in each Eurocopter entity can be audited by the Eurocopter Group security team.
2) Each Eurocopter entity is responsible for the accessors to the Eurocopter network. Accessors are subject to individual authorization and to a reinforced authentication system (e.g. one-session password).
3) The Eurocopter entity's internal network must be isolated from Internet physically or through a filtering device (firewall or filtering router).
4) The link connecting each Eurocopter entity must be encrypted, using hardware or software of European origin (this is covered by T-Systems services). The encryption key management must be done by Eurocopter or EADS security teams.
5) In case of unauthorized entrance into the network, or of a serious incident affecting system integrity or preventing correct operation, the Eurocopter entity must inform the Eurocopter Group security teams and the other subsidiaries' managers.
6) All electronic communication between Eurocopter entities should pass through the encrypted network and not through Internet.

3. Technical implementation

These general rules lead to the following technical consequences on the network technical organization and on the general services provided on this network (Internet access, e-mail, domain name services, Intranet access, application software access):

Internet access
o Double connection on a workstation (internal network and direct Internet access) is strictly forbidden without protection of the internal network from unauthorized access coming from Internet.
o Internet access to the network must be protected either by firewall filtering functions or by physical separation of Internet access from network access.
o No direct incoming session is allowed inside the network from Internet.
o All servers needing an incoming access (e-mail gateway, Web servers, Domain Name Servers: DNS, …) must be put in a special zone (DMZ: Demilitarized Zone) protected from the internal network by a firewall (to deny the possibility of an end-to-end session between Internet and the internal network).
o Access to Internet by subsidiaries' EC staff must be protected by user/password.

DNS (Domain Name Services)
o Internal and external DNS must be different and not connected between themselves.
o Internal and external domain names must be different.
o External DNS has to be located in the DMZ.
o The internal domain name proposed for a subsidiary is subsidiary.eurocopter.corp, for example:
  § aec.eurocopter.corp
  § ecl.eurocopter.corp

E-mail
o Connection between the internal e-mail system and Internet must be done through an Internet e-mail connector located in the DMZ.
o Anti-virus scanning on the e-mail system is mandatory.
o Information (mailboxes for example) can be stored only at external providers approved by EC (to ensure storage privacy of Eurocopter e-mail).

Intranet access
o Connection through a proxy server is recommended to save bandwidth and simplify Intranet and Internet connections, but it is not mandatory.

Internet Web server
o May be hosted by an external provider.
o If hosted in the subsidiary, it must be located in the DMZ.

Eurocopter Group Information System access (SAP, IMS, …)
o Connection must be done through authentication software (for example with one-session password).

Information exchange within Eurocopter and subsidiaries must be done through the EC network and not through Internet.

These rules have to be put in place step by step so as to be fully operational before the end of 2002. The most urgent rule to apply, before the network connection, is isolation from or filtering of the Internet connection.
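As an added illustration (not part of the Eurocopter document), the following Python script checks a subsidiary's inventory against the Section 3 rules: no double-connected workstation, Internet-reachable servers only in the DMZ, external DNS in the DMZ, no firewall rule letting Internet sessions into the internal network, distinct internal/external DNS servers and domain names. The host data model, zone names and the sample inventory are constructed assumptions.

```python
# Added example: compliance check of a constructed subsidiary inventory against
# the Section 3 rules. The Host model and zone names are assumptions.
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    zone: str                            # "internal", "dmz" or "internet"
    roles: tuple = ()                    # e.g. ("dns-external",), ("smtp-relay",)
    inbound_from_internet: bool = False  # accepts sessions initiated from Internet
    networks: tuple = ("internal",)      # attached networks; "internet" = own ISP link

def check_compliance(hosts, firewall_allow, internal_domain, external_domain):
    """Return the list of rule violations (empty list = compliant).
    firewall_allow: (src_zone, dst_zone) pairs the firewall lets sessions through."""
    findings = []
    for h in hosts:
        # Double connection internal network / Internet on one machine is forbidden.
        if "internal" in h.networks and "internet" in h.networks:
            findings.append(f"{h.name}: double connection internal network/Internet")
        # Servers needing incoming access from Internet must sit in the DMZ.
        if h.inbound_from_internet and h.zone != "dmz":
            findings.append(f"{h.name}: accepts Internet sessions outside the DMZ")
        # The external DNS has to be located in the DMZ.
        if "dns-external" in h.roles and h.zone != "dmz":
            findings.append(f"{h.name}: external DNS not in DMZ")
    # No direct incoming session from Internet inside the internal network.
    if ("internet", "internal") in firewall_allow:
        findings.append("firewall: permits Internet -> internal network sessions")
    # Internal and external DNS must be different servers, not connected.
    ext = {h.name for h in hosts if "dns-external" in h.roles}
    if ext & {h.name for h in hosts if "dns-internal" in h.roles}:
        findings.append("DNS: one server serves both internal and external names")
    # Internal and external domain names must be different.
    if internal_domain.lower() == external_domain.lower():
        findings.append("DNS: internal and external domain names are identical")
    return findings

# Constructed sample inventory of a "Full" subsidiary, with two deliberate deviations.
SAMPLE_HOSTS = [
    Host("smtp-relay", "dmz", ("smtp-relay",), True, ("dmz",)),
    Host("dns-ext", "dmz", ("dns-external",), True, ("dmz",)),
    Host("dns-int", "internal", ("dns-internal",)),
    Host("mail-int", "internal", ("mailbox",), inbound_from_internet=True),  # deviation
    Host("ws-12", "internal", networks=("internal", "internet")),            # deviation
]
SAMPLE_FIREWALL = [("internet", "dmz"), ("internal", "dmz"), ("internal", "internet")]

for finding in check_compliance(SAMPLE_HOSTS, SAMPLE_FIREWALL,
                                "aec.eurocopter.corp", "subsidiary.example"):
    print("VIOLATION:", finding)
```

On the sample inventory the script reports the internal mailbox server exposed to Internet and the dual-connected workstation; the first three hosts alone pass cleanly.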

4. Required network architecture and means

The means required to apply the rules depend on:
o the way Internet is accessed (permanent or dial-up connection, one-way or two-way connection);
o the services accessed on Internet (what is used on Internet).

For each of the following three types of Internet connection, we define hereafter the recommended architecture:

Type 1) Full: subsidiary connected to Internet by a permanent two-way communication with "hosted active services" (e.g. e-mail, Web server, DNS) (inbound and outbound permanent connection).
Type 2) Medium: subsidiary connected to Internet by a permanent one-way communication to access the WEB (outbound permanent connection).
Type 3) Light: subsidiary accessing Internet today by dial-up only, to access the WEB (outbound switched connection).

"Ce document est la propriété d'EUROCOPTER, il ne peut être communiqué à des tiers et/ou reproduit sans l'autorisation préalable écrite d'EUROCOPTER et son contenu ne peut être divulgué". © EUROCOPTER Erreur! Signet non défini.

4

Type 1: Subsidiary connected to Internet in a permanent way with "hosted active services"

The hosted active services need servers accessible from Internet (Internet e-mail gateway, Domain Name Server: DNS). The associated equipment must be located in the DMZ.
o A firewall is mandatory to isolate the DMZ from the internal network and from Internet.
o The DNS server and the Internet e-mail connector must be located in the DMZ.
o A proxy is recommended if the number of users accessing the EC Intranet is high.

[Figure: EC / Subsidiary network Intranet connection, Full Architecture. Internet side: SMTP relay, Web server and external DNS server (containing the addresses that have to be known by Internet, with forwarding rules to other Internet DNS) placed in the DMZ. Subsidiary LAN: internal DNS server containing internal addresses, not connected to the external DNS; proxy server used to connect to Internet and to the EC Intranet; e-mail server; subsidiary firewall at the Eurocopter entry point. EC LAN: Eurocopter applications and services. Legend: dotted line = managed by T-Systems; dashed line = managed by the subsidiary; dash-dot line = managed by Eurocopter. K.VE J-P Parcy]

"Ce document est la propriété d'EUROCOPTER, il ne peut être communiqué à des tiers et/ou reproduit sans l'autorisation préalable écrite d'EUROCOPTER et son contenu ne peut être divulgué". © EUROCOPTER Erreur! Signet non défini.

5

Type 2: Subsidiary connected to Internet in a permanent way without "hosted active services"

o Subsidiary with access only to the WEB on Internet.
o Neither the e-mail system, nor DNS, nor a WEB server are accessed from Internet (except if hosted by an external provider not connected to the subsidiary network).

A router including firewall functions is enough, but:
o it denies the possibility to have servers accessible from Internet (e-mail, web server);
o it is strictly limited to the connection of workstations to Internet.

[Figure: EC / Subsidiary network Intranet connection, Medium Architecture. Internet reached through a router including firewall functions; workstations on the subsidiary LAN; subsidiary firewall at the Eurocopter entry point; Eurocopter network leading to the EC LAN with Eurocopter applications and services. Legend: dotted line = managed by T-Systems; dashed line = managed by the subsidiary; dash-dot line = managed by Eurocopter. K.VE J-P Parcy]

Type 3: Subsidiary accessing Internet by dial-up connection only to access the WEB

o Subsidiary uses Internet only to access WEB services.
o E-mail and DNS services: a specific project must be launched to define how the DNS and e-mail services will be changed and organized between subsidiaries and the mother company to be compliant with the security rules.
o Internet access must be done with a stand-alone workstation not connected to the subsidiary internal network.

[Figure: EC / Subsidiary network Intranet connection, Light Architecture. Stand-alone workstations reach Internet through a modem; the subsidiary LAN has no Internet link; subsidiary firewall at the Eurocopter entry point; Eurocopter network leading to the EC LAN with Eurocopter applications and services. Legend: dotted line = managed by T-Systems; dashed line = managed by the subsidiary; dash-dot line = managed by Eurocopter. K.VE J-P Parcy]

5. Equipment standards proposal

In a corporate network it is better to install the same standard hardware everywhere, to make the operation and maintenance of these means easier.

For those subsidiaries which do not have such equipment, it is highly recommended to follow these standards. For those which already have some of this equipment, it must be studied case by case: the replacement must be planned after the current hardware depreciation period or after the end of the current hardware rental contract. According to the different architectures, the standard for equipment is the following:

All architectures
o Authentication: Safe Data (to authenticate in order to access business applications like Sacha, SAP, …, if needed).
o 3270 emulator: Host-Explorer from Hummingbird (to access legacy mainframe business applications like Sacha, if needed).
o There is a global Eurocopter contract with discounts for these software licences.

Full architecture
o Firewall: Firewall-1 from Checkpoint
o DNS: CNR from Cisco
o Proxy: Cacheflow from Cacheflow
o E-mail: Exchange from Microsoft

Medium architecture
o Firewall router: Cisco series with IOS Firewall feature

Light architecture
o No additional equipment required

The equipment management must be done locally by subsidiary means (internally or through a local service provider).

6. Price estimation

The price range is based on French prices to give a rough estimation. It must be checked with local providers.
o Firewall-1 from Checkpoint: 6K + 15K (hardware + software)
o CNR from Cisco: software included in the Eurocopter licence; hardware: 3K
o Cacheflow: 6K
o Cisco router with IOS Firewall feature: hardware between 2K (1700 series) and 4K (2600 series) depending on the model; software between 1K and 2,5K depending on the router model
o Safe Data: 0,1K per user. The software licences must be acquired through the Eurocopter global contract to get the relevant discounts.
o Host-Explorer: 0,4K per workstation. The software licences must be acquired through the Eurocopter global contract to get the relevant discounts.

7. Conclusion

For all subsidiaries some tasks have to be done in order to:
o define the type of connection (1, 2 or 3);
o take into account the current installation and local specificities;
o size the needed equipment according to the number of users, traffic, …

These tasks are:
o analysis of the current situation regarding the network architecture and security means;
o definition of the target architecture and required means;
o price estimation for the minimal implementation to be safely protected from Internet;
o definition of the further steps towards the target architecture to be compliant with all the rules.

They must be done locally, either internally or by an external IT company, depending on the IT capabilities in each subsidiary.

8. Glossary

WAN: Wide Area Network: network used within plants.
DMZ: Demilitarized Zone: special network zone with access from outside networks. This zone is connected to the internal network through a firewall to prevent unauthorized access from outside to the internal network.
DNS: Domain Name Server: function and server used to manage the association between the logical name and the network address (IP address).

Jean-Pierre Parcy
Tel.: +33 4 42 85 60 10
Fax: +33 4 42 85 92 65

"Ce document est la propriété d'EUROCOPTER, il ne peut être communiqué à des tiers et/ou reproduit sans l'autorisation préalable écrite d'EUROCOPTER et son contenu ne peut être divulgué". © EUROCOPTER Erreur! Signet non défini.

9