LAN-to-WAN Domain Policies

The LAN-to-WAN domain refers to the technical infrastructure that connects an organization’s LAN to a wide area network (WAN). The main concern is controlling network traffic between the outside network, or the WAN, and the private network, or the LAN. The LAN-to-WAN domain denotes, for many organizations, its connection to the Internet. This connection represents significant risk. LAN-to-WAN security standards often focus on how to configure devices to maintain message and transaction integrity. Establishing secure point-to-point communications is an important part of the connectivity through the Internet. The Internet should never have a direct connection to the organization’s private network without the traffic being heavily filtered and inspected.

An important policy concern is how to filter traffic between the Internet and the internal network. Additionally, many organizations have an Internet presence. This has the additional challenge of serving content on the Internet to customers and businesses. These public-facing websites often provide access to internal resources such as databases for product information. As a result, they are a prime target for hackers.

NOTE

An Internet proxy is a server that acts as an intermediary between users and the Internet. The server receives requests and responses and filters unwanted traffic.

The LAN-to-WAN key standards define the security requirements to harden Internet-facing servers, filter traffic between these networks, and monitor for breaches in security. Although there are other policy requirements, such as defining what data the public can access, these standards generally represent core requirements.

Control Standards

The industry has well-defined standards that require access control to the Internet. As such, the standards tend to be specific about technologies and architecture choices. For example, these standards often require the use of an Internet proxy and specific demilitarized zone (DMZ) architecture.

A content filtering standard can be an effective method of reducing malware attacks. This is achieved by blocking sites known to have malware. This also means blocking sites employees may wish to access. In short, a content filtering standard describes which websites an employee is allowed to access from a company-owned device. The purpose and objective of the filtering needs to be well explained to gain employee support. The standard typically will not list specific sites, but rather types of sites, such as email, gambling, adult material, or political activist websites.

Here are several additional examples of policies that deal with LAN-to-WAN connectivity and filtering:

  • External Information System Services Connect Standard—Requires that providers of external services establish a secure connection. This standard applies to all external parties such as business partners and outsourced providers. It also establishes service level agreements and sets forth how to measure and report security control compliance.
  • DMZ Control Standard—Establishes the controls for publicly accessible devices to place them in a DMZ. DMZs are critical because, by definition, outside users can access them rather easily.
  • User Internet Proxy Standard—Establishes controls for using an Internet access proxy (a user proxy) for all inbound and outbound Internet traffic.

Baseline Standards

A LAN-to-WAN domain baseline standard focuses on perimeter devices that separate the WAN from the LAN. The following are some examples:

  • Content-Blocking Tools Configuration Standard—Requirements that describe what types of web content should be blocked and how updates are approved. Most organizations have at least some content they should block.
  • Intrusion Detection and Prevention Tools Configuration Standard—Requirements for each product with particular emphasis on those places in the DMZ. Keep in mind that IDS/IPS can also be used within the network, as well as in the DMZ.
  • Proxy Server Configuration Standard—Requirements for maintaining the access control list (ACL) for the device that controls access to the Internet from the LAN.
  • Firewall Configuration Standard—Describes DMZ and firewall architecture.

Procedures

Many of the same procedures’ issues exist between domains such as configuration and patch management. In the case of WAN-to-LAN connectivity, there is a greater emphasis on managing changes and detecting and responding to network attacks. For example, you can view the DMZ as the “front door” to your private network. Changes to configuration in this domain can have a serious impact on the publicly facing website or the ability to prevent an intrustion. It is not uncommon to see procedures in this domain require senior-level approval and extensive testing before changes are applied.

Guidelines

Guidelines in this domain are useful for individuals who must determine how much Internet access should be permitted. Controls and baselines create crisp lines on minimum standards. The guidelines establish additional choices while balancing the additional risk. The following guideline documents are examples:

  • DMZ Guidelines—Recommend additional services to be placed in the DMZ and, depending on those services, additional security requirements
  • Intrusion Detection and Prevention Systems Guidelines—Recommend how to design an IDS system of sensors, collection stations, and alert mechanisms to eliminate or reduce false positives
  • Content-Filtering Guidelines—Recommend content-filtering options, ways to maintain the list of banned sites, and ways to request access to blocked sites when needed

NOTE

LAN policies are also a good place to consider digital rights management (DRM). You want to ensure policies take steps to avoid both copyright infringement and your organization’s own confidential data being exfiltrated.