Summary: This is the information security policy set of a large overseas enterprise. It covers every aspect of enterprise information security, with several dozen policies in total, which I will translate and compile one by one. This is the fifth: the Remote Access Policy.
Reposting is welcome, but please credit the source and the translator. Please do not use it for commercial purposes.
Original text:
Remote Access Policy
1.0 Purpose
The purpose of this policy is to define standards for connecting to <Company Name>'s network from any host. These standards are designed to minimize the potential exposure to <Company Name> from damages which may result from unauthorized use of <Company Name> resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical <Company Name> internal systems, etc.
2.0 Scope
This policy applies to all <Company Name> employees, contractors, vendors and agents with a <Company Name>-owned or personally-owned computer or workstation used to connect to the <Company Name> network. This policy applies to remote access connections used to do work on behalf of <Company Name>, including reading or sending email and viewing intranet web resources.
Remote access implementations that are covered by this policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems, etc.
3.0 Policy
3.1 General
1. It is the responsibility of <Company Name> employees, contractors, vendors and agents with remote access privileges to <Company Name>'s corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to <Company Name>.
2. General access to the Internet for recreational use by immediate household members through the <Company Name> Network on personal computers is permitted for employees that have flat-rate services. The <Company Name> employee is responsible to ensure the family member does not violate any <Company Name> policies, does not perform illegal activities, and does not use the access for outside business interests. The <Company Name> employee bears responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network via remote access methods, and acceptable use of <Company Name>'s network:
a. Acceptable Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding <Company Name>'s remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., go to the Remote Access Services website.
3.2 Requirements
1. Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong pass-phrases. For information on creating a strong pass-phrase see the Password Policy.
2. At no time should any <Company Name> employee provide their login or email password to anyone, not even family members.
3. <Company Name> employees and contractors with remote access privileges must ensure that their <Company Name>-owned or personal computer or workstation, which is remotely connected to <Company Name>'s corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
4. <Company Name> employees and contractors with remote access privileges to <Company Name>'s corporate network must not use non-<Company Name> email accounts (e.g., Hotmail, Yahoo, AOL), or other external resources to conduct <Company Name> business, thereby ensuring that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the <Company Name> network must meet minimum authentication requirements of CHAP.
6. Reconfiguration of a home user's equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and InfoSec must approve security configurations for access to hardware.
9. All hosts that are connected to <Company Name> internal networks via remote access technologies must use the most up-to-date anti-virus software (place url to corporate software site here), this includes personal computers. Third party connections must comply with requirements as stated in the Third Party Agreement.
10. Personal equipment that is used to connect to <Company Name>'s networks must meet the requirements of <Company Name>-owned equipment for remote access.
11. Organizations or individuals who wish to implement non-standard Remote Access solutions to the <Company Name> production network must obtain prior approval from Remote Access Services and InfoSec.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
5.0 Definitions
Term Definition
Cable Modem Cable companies such as AT&T Broadband provide Internet access over Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps. Cable is currently available only in certain communities.
CHAP Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI Data Link Connection Identifier ( DLCI) is a unique number assigned to a Permanent Virtual Circuit (PVC) end point in a frame relay network. DLCI identifies a particular PVC endpoint within a user's access channel in a frame relay network, and has local significance only to that channel.
Dial-in Modem A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates the digital data of computers into analog signals to send over the telephone lines, then demodulates back into digital signals to be read by the computer on the other end; thus the name "modem" for modulator/demodulator.
Dual Homing Having concurrent connectivity to more than one network from a computer or network device. Examples include: Being logged into the Corporate network via a local Ethernet connection, and dialing into AOL or other Internet service provider (ISP). Being on a <Company Name>-provided Remote Access home network, and connecting to another network, such as a spouse's remote access. Configuring an ISDN router to dial into <Company Name> and an ISP, depending on packet destination.
DSL Digital Subscriber Line (DSL) is a form of high-speed Internet access competing with cable modems. DSL works over standard phone lines and supports data speeds of over 2 Mbps downstream (to the user) and slower speeds upstream (to the Internet).
Frame Relay A method of communication that incrementally can go from the speed of an ISDN to the speed of a T1 line. Frame Relay has a flat-rate billing charge instead of a per time usage. Frame Relay connects via the telephone company's network.
ISDN There are two flavors of Integrated Services Digital Network or ISDN: BRI and PRI. BRI is used for home office/remote access. BRI has two "Bearer" channels at 64 kbit/s each (128 kbit/s aggregate) and one D channel for signaling information.
Remote Access Any access to <Company Name>'s corporate network through a non-<Company Name> controlled network, device, or medium.
Split-tunneling Simultaneous direct access to a non-<Company Name> network (such as the Internet, or a home network) from a remote device (PC, PDA, WAP phone, etc.) while connected into <Company Name>'s corporate network via a VPN tunnel.
VPN Virtual Private Network (VPN) is a method for accessing a remote network via "tunneling" through the Internet.
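To make the CHAP definition above (and requirement 3.2.5, which mandates CHAP on ISDN routers) concrete, here is an added Python example of the RFC 1994 MD5-CHAP exchange; it is not part of the policy, and the class and function names, secrets and challenge values are my own constructed ones. It shows both sides' messages, that only a random challenge and a hash ever cross the link, and that a captured response is rejected when replayed.

```python
import hashlib
import os
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Network side (e.g. the access server the ISDN router dials). Holds the secret."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._identifier = 0
        self._outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self) -> tuple:
        # A fresh random challenge every time: a captured response is useless later.
        self._identifier = (self._identifier + 1) & 0xFF
        chal = os.urandom(16)
        self._outstanding[self._identifier] = chal
        return self._identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        chal = self._outstanding.pop(identifier, None)  # each challenge is single-use
        if chal is None:  # unknown, expired or replayed identifier: reject
            return False
        expected = chap_response(identifier, self._secret, chal)
        return secrets.compare_digest(expected, response)  # constant-time compare


class Peer:
    """Remote side (the dial-in router). Knows the secret but only ever sends a hash."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)


def run_exchange(server_secret: bytes, client_secret: bytes) -> bool:
    """Full CHAP handshake: Challenge -> Response -> Success/Failure."""
    auth, peer = Authenticator(server_secret), Peer(client_secret)
    ident, chal = auth.challenge()   # 1. authenticator sends Identifier + Challenge
    resp = peer.respond(ident, chal)  # 2. peer answers with the hash only
    return auth.verify(ident, resp)   # 3. Success (True) or Failure (False)
```

Calling `run_exchange(b"s3cret", b"s3cret")` returns True and a mismatched secret returns False; the verifier discards each challenge after one use, so a second `verify` with the same response fails.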
6.0 Revision History
Translation:
Remote Access Policy
1.0 Purpose
The purpose of this policy is to define the standards under which any external host connects to the enterprise network. These standards are intended to minimize the damage caused by unauthorized use of enterprise resources and the resulting exposure of enterprise information. Damage includes the loss of confidential enterprise data, infringement of intellectual property, damage to public image, and damage to internal enterprise systems.
2.0 Scope
This policy applies to all enterprise employees, contractors, vendors and agents who use an enterprise-owned or personally-owned computer or workstation to connect to the enterprise network. This policy applies to remote access connections, including reading or sending email and browsing intranet resources.
The scope of this policy includes, but is not limited to, the following remote access methods: dial-up, frame relay, ISDN, DSL, VPN, SSH, and cable modems.
3.0 Policy
3.1 General
1. Enterprise employees, contractors, and vendors and agents with remote access privileges to the enterprise network are responsible for ensuring that their remote access connection is configured with the same care as a user's on-site connection to the enterprise.
2. For employees with flat-rate network service, their immediate household members are permitted to use personal computers to access the Internet through the enterprise network for recreational and other general purposes. The enterprise employee is responsible for ensuring that family members do not violate any enterprise policy, do not engage in illegal activities, and do not use the access for the business interests of outside organizations. The employee bears the consequences of any misuse of the access.
3. When accessing the enterprise network by remote access, please refer to the following policies for details on how to protect information and how to use the enterprise network properly:
1) Acceptable Encryption Policy
2) Virtual Private Network (VPN) Policy
3) Wireless Communications Policy
4) Acceptable Use Policy
4. For more information on the enterprise's remote access connection options, including how to order or disconnect service, price comparisons, troubleshooting and so on, please visit the Remote Access Services website.
3.2 Requirements
1. Remote access must be strictly controlled to keep it secure. Controls include one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
2. Enterprise employees must never disclose their login or email password to anyone else, including family members.
3. Enterprise employees and contractors with remote access privileges must ensure that a computer or workstation remotely connected to the enterprise network is not connected to any other network at the same time, unless that network is a personal network under the user's complete control.
4. Enterprise employees and contractors with remote access privileges to the enterprise network must not use non-enterprise email accounts (such as Hotmail, Yahoo or AOL) or other external resources when conducting business. This ensures that official business is not confused with personal business.
5. Routers on ISDN lines configured for remote access to the enterprise network must meet the minimum authentication requirement of CHAP.
6. Reconfiguring end-user equipment for split tunneling or dual homing is not permitted under any circumstances.
7. Frame relay must meet the minimum authentication requirements of the DLCI standard.
8. Non-standard hardware configurations must be approved by the Remote Access Services department, and the information security department must approve the security configuration for access to the hardware.
9. All hosts connected to the enterprise internal network through remote access technologies, including personal computers, must run the latest anti-virus software (insert the link to the corporate software site here). Third-party connections must comply with the requirements set out in the Third Party Agreement.
10. Personal equipment used to connect to the enterprise network must meet the requirements that apply to enterprise-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access to the enterprise production network must first obtain approval from the Remote Access Services department and the information security department.
4.0 Enforcement
Any employee who violates this policy will face disciplinary action, up to and including termination of employment.
5.0 Definitions
Terms and Definitions
Cable Modem
Cable companies such as AT&T Broadband provide Internet access over cable TV coaxial cable. A cable modem receives data from the Internet over this coaxial cable at more than 1.5 Mbps. This method is currently available only in certain communities.
CHAP (Challenge Handshake Authentication Protocol)
The Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hash function.
DLCI (Data Link Connection Identifier)
A Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a frame relay network. The DLCI identifies a particular PVC endpoint within a user's access channel in a frame relay network; it is locally significant and limited to that channel.
Dial-in Modem
A peripheral device connected to a computer that is used to send communications data over telephone lines. The modem modulates the computer's digital data into analog signals for transmission over the telephone line, and the modem at the other end demodulates them back into digital signals for that computer to read; hence the name modem, for modulator/demodulator.
Dual Homing
A computer or network device having concurrent connections to more than one network. Examples: logging into the enterprise network over a local Ethernet connection while also dialing into AOL or another Internet service provider (ISP); being on an enterprise-provided remote access connection while also connected to another network; configuring an ISDN router to dial both the enterprise network and an ISP and forward packets according to their destination address.
DSL (Digital Subscriber Line)
Digital Subscriber Line is a high-speed Internet access method that competes with cable modems. DSL works over standard telephone lines and supports downstream data rates (to the user) of more than 2 Mbps and relatively slower upstream rates (to the Internet).
Frame Relay
A communication method whose transmission speed scales from ISDN speed up to T1 line speed. Frame relay uses flat-rate billing rather than per-time billing. Frame relay connects through the telephone company's network.
ISDN (Integrated Services Digital Network)
ISDN (Integrated Services Digital Network) comes in two flavors: BRI and PRI. BRI is used for home office/remote access. BRI has two 64 kbit/s bearer channels (128 kbit/s aggregate) and one D channel for signaling.
Remote Access
Any access to the enterprise network through a network, device or medium not controlled by the enterprise.
Split-tunneling
Direct access to a non-enterprise network (such as the Internet or a home network) from a remote device (PC, PDA, WAP phone, etc.) while simultaneously connected to the enterprise network through a VPN tunnel.
VPN (Virtual Private Network)
A Virtual Private Network (VPN) is a method of accessing a remote network by "tunneling" through the Internet.
6.0 Revision History