Document identification: ITEAM_3STD_023_V01 Internet Access Services.doc Template reference: ITQMS_5TPL_009_V05 Template for Standards Page: 1 of 8
Standard for Internet Access Services
TABLE OF CONTENTS
1. OBJECTIVE / PURPOSE
2. STANDARD DESCRIPTION
2.1. Scope
2.2. Definitions
2.3. Roles Involved
2.4. Responsibilities
2.5. Standard Owner
2.6. Standard Description
2.6.1. Standard Services
2.6.2. Architecture
2.6.3. Hardware description
2.6.4. Software description
2.6.5. Configuration setting description
2.6.6. Procedure description
2.6.7. Naming conventions
2.6.8. Interface Description
3. ANNEXES
3.1. Key Documents, Tools and other References
3.2. Keywords
3.3. Version History
3.4. Signatures
IT Quality System Only the current version of the electronic copy in the Merck Intranet is effective
1. Objective / Purpose
The purpose of this IT Standard is the improvement of
• Security
• Seamless Cooperation
• Cost Saving
2. Standard Description
2.1. Scope
People: All CI Staff of the Merck Group. Third party employees working for CI in any Merck premises are considered as CI Staff.
Geographical: All Merck Group Sites with IT.
Time: As per publication date.
Process/System: Standard applies to Internet access point infrastructure providing outbound Internet access services.
2.2. Definitions
The definitions are as in ITQMS_7ANX_004 Glossary of IT Terms & CI PnP Directory.
2.3. Roles Involved
The role definitions are as in ITQMS_7ANX_004 Glossary of IT Terms & CI PnP Directory.
2.4. Responsibilities
Core Activities (RACI assignment per role, in column order: CI Management, Customer, Standard Owner, Product/Service Manager, IT Security, Configuration Manager, Local IT Asset Manager)
Define and maintain specifications I A C I I I
Select and update standard proposal A C
Get standard proposal approved A
Inform about standard and propagate usage A R
Get and maintain contract for standard purchasing A C R R
Provide Training for Standard A
Provide Support for Standard A
Maintain Standard Sheet A
Have SOPs written dealing with Standard A R C
Define and maintain interfaces A
Explanation: RACI means Responsible, Accountable, Consulted, Informed.
Responsible: Execute the activity (several “R” per activity are possible).
Accountable: Ensure the activity is executed (only one “A” per line, “A” may include “R”).
Consulted: Contribute to the activity (2 way communication).
Informed: Informed about activity (1 way communication).
2.5. Standard Owner
Patrick Herrmann
CI-SWN
[email protected] +49-6151-72-8412
2.6. Standard Description
2.6.1. Standard Services
Basic Internet Access Services
• The basic services allow users and systems to connect to the Internet from the internal Merck network with authenticated access to Internet web pages via the standard browser.
• It also allows authenticated FTP access to the Internet via standard FTP clients as well as access to standard streaming services (MMS, RTSP).
Advanced Internet Access Services
• FTP tunneling to provide native FTP proxy services for server based applications.
• TCP tunneling or port forwarding. Any application protocol running over TCP can be tunneled using this service.
• SOCKS gateway services to provide a generic way to proxy any TCP/IP or UDP protocols. Both SOCKSv4 and SOCKSv5 are supported. This option is only permitted in exceptional cases.
2.6.2. Architecture
All CMGs have to use one of the following regional Internet Access points:
• Asia and Pacific: Singapore, SG
• China and Hong Kong: Beijing, CN
• Europe, Middle East and Africa: Darmstadt, DE
• Latin and North America: Rockland, US
Deviations will only be considered in special cases and need formal approval from CI. In these cases the Internet Access points must be standard-compliant and operated by the Corporate Service Centers – Infrastructure. Internet access points completely separated from the Corporate Network will not be treated as such. CMGs are not allowed to operate local proxy servers. Exceptions will only be considered in special cases to allow access to firewall protected data centers.
This architecture has been approved by the former Senior Working Group Infrastructure in 2005. The decision has been reviewed and reapproved by CI Infrastructure management in 2007. Information Security also requested to centralize the Internet Access points worldwide. The related IT GSS action item 33077 has been closed in 2009. The main focus is on both increasing the overall level of security as well as reducing the operational costs.
Logical architecture diagram (components shown): Client; Load Balancer (F5 BIG-IP LTM); Inner Firewall (Cisco ASA); Authentication Agent (Bluecoat BCAAA); Outer Firewall (Juniper SSG); Router (Cisco C7200); Antivirus Engine (Bluecoat ProxyAV); PAC File Server (Apache HTTP/IIS); Inner Proxy + URL Filter (Bluecoat ProxySG with Bluecoat WebFilter); Outer Proxy (Bluecoat ProxySG).
Physical architecture diagram:
Depending on the number of users, a third and/or fourth proxy line consisting of inner proxy, outer proxy, antivirus engine and authentication agent may be necessary.
2.6.3. Hardware description
To properly execute this IT Standard, the following hardware equipment is required:
• Proxy server: Blue Coat ProxySG 510 or 810 Series (Full Proxy Edition)
• Antivirus engine: Blue Coat ProxyAV 510 or 810 Series
2.6.4. Software description
To properly execute this IT Standard, the following software is required:
• Proxy server: Blue Coat SGOS 5.4 or higher
• Antivirus server: Blue Coat ProxyAV Firmware 3.2 or higher with Sophos Plc. AV licenses
• Authentication and authorization agent: Blue Coat AAA (version depends on SGOS version)
• Content filter: Blue Coat WebFilter (on ProxySG)
• Logfile analysis: Blue Coat Reporter 9 or higher
• Browser: Internet Explorer 6 or higher (Merck standard browser)
• FTP client: WS_FTP Pro 8 or higher (Merck standard client)
• sFTP client: WinSCP 3.8 or higher (Merck standard client)
• Media player: Windows Media Player 11 or higher (Merck standard player)
• SOCKS client: Open Text SOCKS Client 14 or higher (Merck standard client)
2.6.5. Configuration setting description
• Client, server and network device configuration settings are described in specific Working Instructions. The current list of applicable Working Instructions is defined in ITEAM_7ANX_015 List of Applicable Working Instructions
• The current content filtering rules including the list of blocked categories are defined in ITEAM_7ANX_014 Internet Content Filtering Rules
2.6.6. Procedure description
To properly execute this IT Standard, the following procedures must be used:
• ITCFM_3SOP_033 Operation of Internet Access Services
2.6.7. Naming conventions
Inner proxies: proxyin<N>.<REGION>.merckgroup.com, e.g. proxyin1.eu.merckgroup.com
Outer proxies: Internal name: proxyout<N>.<REGION>.merckgroup.com, e.g. proxyout2.la.merckgroup.com; External name: proxyout<N>.<LOCALDOMAIN>.<TLD>, e.g. proxyout2.merck.com.br
Local proxies: <SITE>proxy<N>.<REGION>.merckgroup.com, e.g. chge1proxy1.eu.merckgroup.com
Antivirus engines: proxyav<N>.<REGION>.merckgroup.com, e.g. proxyav1.ap.merckgroup.com
BCAAA servers (as alias): <SITE>bcaaa<NN>.<REGION>.merckgroup.com, e.g. usro1bcaaa01.la.merckgroup.com
PAC file servers (as alias): pacsrv.<REGION>.merckgroup.com, e.g. pacsrv.la.merckgroup.com
Regional PAC files: pacfiles.<REGION>.merckgroup.com/<REGION>.pac, e.g. pacfiles.na.merckgroup.com/na.pac
Local PAC files: pacfiles.<REGION>.merckgroup.com/<SITE>.pac, e.g. pacfiles.eu.merckgroup.com/chge1.pac
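A regional PAC file that applies the naming scheme above and the architecture rule that clients reach the Internet only through the regional inner proxies, as an added example (not the page's or Merck's own PAC file). The region "eu", the proxy port 8080, the two inner proxy names and the treatment of *.merckgroup.com and RFC 1918 addresses as internal are assumptions.

```javascript
// Added example PAC file (not Merck's own). Written in old-style JavaScript
// (var, function declarations) because PAC engines do not support modern syntax.
// Assumed placeholders: region "eu", proxy port 8080, two inner proxies named
// per section 2.6.7, internal zone *.merckgroup.com plus RFC 1918 literals.

var REGION = "eu";
var PROXY_PORT = 8080;
// Primary and fallback inner proxy; in the standard's architecture the first
// entry would be the load balancer address fronting the proxy lines.
var INNER_PROXIES =
  "PROXY proxyin1." + REGION + ".merckgroup.com:" + PROXY_PORT + "; " +
  "PROXY proxyin2." + REGION + ".merckgroup.com:" + PROXY_PORT;

// Minimal versions of two helper functions that browsers supply to PAC scripts,
// reimplemented here only so the file also runs under Node for testing.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// True for IPv4 literals in the private ranges 10/8, 172.16/12, 192.168/16.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Names without a dot, the corporate zone and private addresses stay internal.
  if (isPlainHostName(host) || dnsDomainIs(host, ".merckgroup.com") || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // Everything else leaves only through the regional inner proxies. There is
  // deliberately no trailing "DIRECT": if both proxies are down the browser fails
  // closed instead of bypassing authentication, URL filtering and AV scanning.
  return INNER_PROXIES;
}
```

Published at the regional PAC URL (pacfiles.<REGION>.merckgroup.com/<REGION>.pac), this keeps every client on the regional access point without any site operating a local proxy.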
2.6.8. Interface Description
To host the proxy infrastructure it is mandatory that the security environment “DMZ” is implemented based on the Internet DMZ standard and the related SOP.
To ensure high availability it is mandatory to use the standard load balancer service.
3. Annexes
3.1. Key Documents, Tools and other References
• ITEAM_7ANX_014 Internet Content Filtering Rules
• ITEAM_7ANX_015 List of Applicable Working Instructions
• ITCFM_3SOP_033 Operation of Internet Access Services
3.2. Keywords
Internet Access, Proxy, PAC file, Content filter, Antivirus engine, BCAAA, HTTP, FTP, RTSP
3.3. Version History
Version Version date Change(s)
1 2010-12-14 Initial version
3.4. Signatures
Role Name & Title Date Signature
Author Patrick Herrmann Standard Owner
Reviewer Nigel Rixon Associate Director Networking & Telecommunications
Reviewer Manfred Lauer Director Quality Management
Approver Bernhard Schaffrik Head of Architecture Governance Board (AGB)
The original signature page is scanned and stored by the CIO Office.