fEISD QMS document title/ titre du document IMPLEMENTATION OF THE ESA NETWORK SECURITY POLICY prepared by/préparé par Christoph Kröll reference/réference EISD-EPNS-00003 issue/édition 2 revision/révision 2(.3) date of issue/date d’édition 28/09/2004 status/état Second Issue Document type/type de document Implementation Document Distribution/distribution ESA a ESACERT http://www.esacert.esa.int Implementation of the ESA Network Security Policy s issue 2 revision 2 – 28/09/2004 EISD-EPNS-00003 page 2 of 45 APPROVAL Title Implementation of the ESA Network Security Policy issue 2 revision 2 titre issue revision author Christoph Kröll date 28/09/2004 auteur date approved by ESA Information Systems Security Advisory Group (EISSAG) date 28/09/2004 approuvé par date Implementation of the ESA Network Security Policy s issue 2 revision 2 – 28/09/2004 EISD-EPNS-00003 page 3 of 45 CHANGE LOG reason for change /raison du changement issue/issue revision/revision date/date Update by Christoph Kröll 2 2 28/09/2004 CHANGE RECORD ISSUE: 1 REVISION: 0 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) First Issue by Christoph Kröll All. All. ISSUE: 1 REVISION: 1 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) Update by Christoph Kröll following Internal Review All. All. ISSUE: 1 REVISION: 2 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) Update by Christoph Kröll following Internal Review All. All. ISSUE: 1 REVISION: 3 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) Update by Christoph Kröll following Internal Review All. All. ISSUE: 1 REVISION: 4 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) Update by Christoph Kröll following 1st Review of All. All. the ESA Information Systems Security Advisory Group Implementation of the ESA Network Security Policy s issue 2 revision 2 – 28/09/2004 EISD-EPNS-00003 page 4 of 45 ISSUE: 1 REVISION: 5 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) Update by Christoph Kröll following 2nd Review of All. All. the ESA Information Systems Security Advisory Group (EISSAG) ISSUE: 2 REVISION: 0 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) Update by Christoph Kröll All. All. ISSUE: 2 REVISION: 1 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) Update by Christoph Kröll following Review by the All. All. ESA Information Systems Advisory Group (EISSAG) ISSUE: 2 REVISION: 2 reason for change/raison du changement page(s)/page(s) paragraph(s)/paragraph(s) Update by Christoph Kröll following technical Appendix B and D. All. changes and approval by the ESA Information Systems Advisory Group (EISSAG) Implementation of the ESA Network Security Policy s issue 2 revision 2 – 28/09/2004 EISD-EPNS-00003 page 5 of 45 T ABLE O F C ONTENTS 1 INTRODUCTION .................................................................................................................................... 8 2 SCOPE AND APPLICABILITY............................................................................................................ 8 3 DEFINITIONS AND ABBREVIATIONS.............................................................................................. 8 3.1 Definitions ..........................................................................................................................................8 3.2 Abbreviations ...................................................................................................................................11 4 RELATED DOCUMENTS...................................................................................................................13 4.1 Applicable Documents .....................................................................................................................13 4.2 Reference Documents ......................................................................................................................13 5 BACKGROUND....................................................................................................................................14 6 THE ESA NETWORK SECURITY POLICY ....................................................................................15 7 SECURITY HIERARCHY CLASSIFICATION OF THE ESA NETWORKS ...............................16 7.1 External Networks............................................................................................................................17 7.2 ESA External Services Networks.....................................................................................................17 7.3 ESA Internal Services Networks......................................................................................................17 7.4 ESA Restricted Networks.................................................................................................................17 8 COMMUNICATION WITHIN OR AMONG ESA NETWORK CLASSES....................................19 8.1 Connection to a Single ESA Network Security Class......................................................................19 8.2 Protocol Support...............................................................................................................................19 8.3 Data exchange among ESA Internal Services Networks, ESA External Services Networks and External Networks........................................................................................................................................19 8.4 Data Exchange for ESA Internal Services Networks.......................................................................20 8.5 Data Exchange for ESA Restricted Networks..................................................................................20 9 IMPLEMENTATION OF EISD SERVICES......................................................................................21 9.1 Baseline Services..............................................................................................................................21 9.2 Delta Services...................................................................................................................................21 9.2.1 Definition.................................................................................................................................21 9.2.2 Procedure..................................................................................................................................21 9.2.3 Funding.....................................................................................................................................21 9.3 Security Delta Services ....................................................................................................................21 Implementation of the ESA Network Security Policy s issue 2 revision 2 – 28/09/2004 EISD-EPNS-00003 page 6 of 45 9.3.1 Definition.................................................................................................................................21 9.3.2 Procedure..................................................................................................................................21 9.3.3 Funding.....................................................................................................................................22 10 THE ESACERT.................................................................................................................................23 10.1 Mission and Services........................................................................................................................23 10.2 Policies.............................................................................................................................................24 10.3 Mandate............................................................................................................................................24 10.4 Support.............................................................................................................................................25 11 IMPLEMENTATION OF THE ESA NETWORK SECURITY POLICY BY THE MEANS OF THE ESA FIREWALLS...............................................................................................................................26 11.1 The ESA Firewalls ...........................................................................................................................26 11.2 Connectivity.....................................................................................................................................27 11.3 Data Traffic ......................................................................................................................................27 11.4 ESA ISN Gateways ..........................................................................................................................27 11.5 Data Exchange for ESA Internal Services Networks.......................................................................27 11.6 ESA Demilitarised Zones (ESA DMZs) ..........................................................................................28 11.6.1 THE PROJECT SERVICES DMZ..........................................................................................28 11.6.2 THE CORPORATE SERVICES DMZ....................................................................................28 11.6.3 THE INFRASTRUCTURE MANAGEMENT DMZ..............................................................29