
Internet Access Services


Page 1: Internet Access Services

Document identification: ITEAM_3STD_023_V01 Internet Access Services.doc Template reference: ITQMS_5TPL_009_V05 Template for Standards Page: 1 of 8

Standard for Internet Access Services

TABLE OF CONTENTS

1. OBJECTIVE / PURPOSE ... 2
2. STANDARD DESCRIPTION ... 2
2.1. Scope ... 2
2.2. Definitions ... 2
2.3. Roles Involved ... 2
2.4. Responsibilities ... 3
2.5. Standard Owner ... 3
2.6. Standard Description ... 4
2.6.1. Standard Services ... 4
2.6.2. Architecture ... 4
2.6.3. Hardware description ... 6
2.6.4. Software description ... 6
2.6.5. Configuration setting description ... 6
2.6.6. Procedure description ... 6
2.6.7. Naming conventions ... 6
2.6.8. Interface Description ... 7
3. ANNEXES ... 8
3.1. Key Documents, Tools and other References ... 8
3.2. Keywords ... 8
3.3. Version History ... 8
3.4. Signatures ... 8


IT Quality System Only the current version of the electronic copy in the Merck Intranet is effective


1. Objective / Purpose

The purpose of this IT Standard is the improvement of

• Security

• Seamless Cooperation

• Cost Saving

2. Standard Description

2.1. Scope

People: All CI Staff of the Merck Group. Third party employees working for CI on any Merck premises are considered CI Staff.

Geographical All Merck Group Sites with IT.

Time As per publication date.

Process/System Standard applies to Internet access point infrastructure providing outbound Internet access services.

2.2. Definitions

The definitions are as in ITQMS_7ANX_004 Glossary of IT Terms & CI PnP Directory.

2.3. Roles Involved

The role definitions are as in ITQMS_7ANX_004 Glossary of IT Terms & CI PnP Directory.


2.4. Responsibilities

Core Activities (RACI letters per role, columns left to right): CI Management, Customer, Standard Owner, Product/Service Manager, IT Security, Configuration Manager, Local IT Asset Manager

Define and maintain specifications I A C I I I

Select and update standard proposal A C

Get standard proposal approved A

Inform about standard and propagate usage A R

Get and maintain contract for standard purchasing A C R R

Provide Training for Standard A

Provide Support for Standard A

Maintain Standard Sheet A

Have SOPs written dealing with Standard A R C

Define and maintain interfaces A

Explanation: RACI means Responsible, Accountable, Consulted, Informed.

• Responsible: Execute the activity (several "R" per activity are possible)

• Accountable: Ensure the activity is executed (only one "A" per line, "A" may include "R")

• Consulted: Contribute to the activity (2-way communication)

• Informed: Informed about activity (1-way communication)

2.5. Standard Owner

Patrick Herrmann

CI-SWN

[email protected] +49-6151-72-8412


2.6. Standard Description

2.6.1. Standard Services

Basic Internet Access Services

• The basic services allow users and systems to connect to the Internet from the internal Merck network with authenticated access to Internet web pages via the standard browser.

• It also allows authenticated FTP access to the Internet via standard FTP clients as well as access to standard streaming services (MMS, RTSP).

Advanced Internet Access Services

• FTP tunneling to provide native FTP proxy services for server based applications.

• TCP tunneling or port forwarding. Any application protocol running over TCP can be tunneled using this service.

• SOCKS gateway services to provide a generic way to proxy any TCP/IP or UDP protocols. Both SOCKSv4 and SOCKSv5 are supported. This option is only permitted in exceptional cases.

2.6.2. Architecture

All CMGs have to use one of the following regional Internet Access points:

• Asia and Pacific: Singapore, SG

• China and Hong Kong: Beijing, CN

• Europe, Middle East and Africa: Darmstadt, DE

• Latin and North America: Rockland, US

Deviations will only be considered in special cases and need formal approval from CI. In these cases the Internet Access points must be standard-compliant and operated by the Corporate Service Centers – Infrastructure. Internet access points completely separated from the Corporate Network will not be treated as such. CMGs are not allowed to operate local proxy servers. Exceptions will only be considered in special cases to allow access to firewall protected data centers.

This architecture has been approved by the former Senior Working Group Infrastructure in 2005. The decision has been reviewed and reapproved by CI Infrastructure management in 2007. Information Security also requested to centralize the Internet Access points worldwide. The related IT GSS action item 33077 has been closed in 2009. The main focus is on both increasing the overall level of security as well as reducing the operational costs.

Page 5: Internet Access Services

IT Quality System Only the current version of the electronic copy in the Merck Intranet is effective

ITEAM_3STD_023_V01 Internet Access Services.doc Page: 5 of 8

Logical architecture diagram (image not reproduced; components shown in the diagram):

• Client

• Load Balancer: F5 BIG-IP LTM

• Inner Firewall: Cisco ASA

• Authentication Agent: Bluecoat BCAAA

• Outer Firewall: Juniper SSG

• Router: Cisco C7200

• Antivirus Engine: Bluecoat ProxyAV

• PAC File Server: Apache HTTP/IIS

• Inner Proxy + URL Filter: Bluecoat ProxySG with Bluecoat WebFilter

• Outer Proxy: Bluecoat ProxySG

Physical architecture diagram:


Depending on the number of users, a third and/or fourth proxy line consisting of inner proxy, outer proxy, antivirus engine and authentication agent may be necessary.
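The standard sends all outbound browsing through the regional access point and forbids local proxies, and the regional PAC file (pacfiles.<REGION>.merckgroup.com/<REGION>.pac under 2.6.7) is where clients learn that routing. The following is an added example of such a PAC file for the EU region; it is not the document's eu.pac. It assumes the inner proxies proxyin1 and proxyin2 in eu.merckgroup.com listen on port 8080 (the standard names no port), keeps unqualified names, RFC 1918 addresses and the corporate domain DIRECT so internal names are never sent to the Internet proxy, and lists the second proxy line as failover. The helper functions are my own (named differently from the PAC built-ins dnsDomainIs/isPlainHostName so they do not shadow them and the file also runs outside a browser).

```javascript
// Added example PAC file for the EU access point (not the standard's own
// eu.pac). Assumption: inner proxies listen on port 8080.

// Own helpers (deliberately not named like the PAC built-ins), written with
// indexOf/substring so they also work in older PAC engines.
function endsWithDomain(host, domain) {
  host = host.toLowerCase();
  if (host === domain.substring(1)) return true;     // bare "merckgroup.com"
  var idx = host.length - domain.length;
  return idx > 0 && host.indexOf(domain, idx) === idx; // true suffix match only
}
function isPlainHost(host) {
  return host.indexOf(".") === -1;                   // unqualified intranet name
}
function isRfc1918(host) {
  return /^10\.\d+\.\d+\.\d+$/.test(host) ||
         /^192\.168\.\d+\.\d+$/.test(host) ||
         /^172\.(1[6-9]|2\d|3[01])\.\d+\.\d+$/.test(host);
}

var REGION = "eu";
// Two proxy lines from 2.6.2; the browser tries the second if the first is down.
var PROXIES = "PROXY proxyin1." + REGION + ".merckgroup.com:8080; " +
              "PROXY proxyin2." + REGION + ".merckgroup.com:8080";

function FindProxyForURL(url, host) {
  // Internal destinations never go through the Internet proxy: doing so would
  // leak internal hostnames and break intranet authentication.
  if (isPlainHost(host) || isRfc1918(host)) return "DIRECT";
  if (endsWithDomain(host, ".merckgroup.com")) return "DIRECT";
  // Everything else is outbound Internet and must use the regional inner
  // proxies (authenticated, URL-filtered, AV-scanned), never a local proxy.
  return PROXIES;
}
```

Note that the suffix check is a true domain match: a look-alike such as evilmerckgroup.com is not treated as internal and is routed through the proxy where filtering applies.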

2.6.3. Hardware description

To properly execute this IT Standard, the following hardware equipment is required:

• Proxy server: Blue Coat ProxySG 510 or 810 Series (Full Proxy Edition)

• Antivirus engine: Blue Coat ProxyAV 510 or 810 Series

2.6.4. Software description

To properly execute this IT Standard, the following software is required:

• Proxy server: Blue Coat SGOS 5.4 or higher

• Antivirus server: Blue Coat ProxyAV Firmware 3.2 or higher with Sophos Plc. AV licenses

• Authentication and authorization agent: Blue Coat AAA (version depends on SGOS version)

• Content filter: Blue Coat WebFilter (on ProxySG)

• Logfile analysis: Blue Coat Reporter 9 or higher

• Browser: Internet Explorer 6 or higher (Merck standard browser)

• FTP client: WS_FTP Pro 8 or higher (Merck standard client)

• sFTP client: WinSCP 3.8 or higher (Merck standard client)

• Media player: Windows Media Player 11 or higher (Merck standard player)

• SOCKS client: Open Text SOCKS Client 14 or higher (Merck standard client)

2.6.5. Configuration setting description

• Client, server and network device configuration settings are described in specific Working Instructions. The current list of applicable Working Instructions is defined in ITEAM_7ANX_015 List of Applicable Working Instructions

• The current content filtering rules including the list of blocked categories are defined in ITEAM_7ANX_014 Internet Content Filtering Rules

2.6.6. Procedure description

To properly execute this IT Standard, the following procedures must be used:

• ITCFM_3SOP_033 Operation of Internet Access Services


2.6.7. Naming conventions

Inner proxies: proxyin<N>.<REGION>.merckgroup.com, e.g. proxyin1.eu.merckgroup.com

Outer proxies (internal name): proxyout<N>.<REGION>.merckgroup.com, e.g. proxyout2.la.merckgroup.com

Outer proxies (external name): proxyout<N>.<LOCALDOMAIN>.<TLD>, e.g. proxyout2.merck.com.br

Local proxies: <SITE>proxy<N>.<REGION>.merckgroup.com, e.g. chge1proxy1.eu.merckgroup.com

Antivirus engines: proxyav<N>.<REGION>.merckgroup.com, e.g. proxyav1.ap.merckgroup.com

BCAAA servers (as alias): <SITE>bcaaa<NN>.<REGION>.merckgroup.com, e.g. usro1bcaaa01.la.merckgroup.com

PAC file servers (as alias): pacsrv.<REGION>.merckgroup.com, e.g. pacsrv.la.merckgroup.com

Regional PAC files: pacfiles.<REGION>.merckgroup.com/<REGION>.pac, e.g. pacfiles.na.merckgroup.com/na.pac

Local PAC files: pacfiles.<REGION>.merckgroup.com/<SITE>.pac, e.g. pacfiles.eu.merckgroup.com/chge1.pac
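As an added example that is not part of the standard, the JavaScript below classifies a hostname against the conventions above, extracts its fields, and audits an inventory for local proxies (which need CI approval under 2.6.2) and for names that follow no convention. The regular expressions are my reading of the patterns listed; the two-letter region code, the function names and the report layout are assumptions, and the sample inventory reuses the document's own example names plus one constructed outlier.

```javascript
// Added example: hostname classifier and inventory audit for the naming
// conventions in 2.6.7. Regexes, field names and region-code length (two
// letters, as in the document's examples eu/la/ap/na) are assumptions.
var CONVENTIONS = [
  { role: "inner-proxy", re: /^proxyin(\d+)\.([a-z]{2})\.merckgroup\.com$/, fields: ["n", "region"] },
  { role: "outer-proxy", re: /^proxyout(\d+)\.([a-z]{2})\.merckgroup\.com$/, fields: ["n", "region"] },
  { role: "av-engine", re: /^proxyav(\d+)\.([a-z]{2})\.merckgroup\.com$/, fields: ["n", "region"] },
  { role: "local-proxy", re: /^([a-z0-9]+?)proxy(\d+)\.([a-z]{2})\.merckgroup\.com$/, fields: ["site", "n", "region"] },
  { role: "bcaaa-alias", re: /^([a-z0-9]+?)bcaaa(\d{2})\.([a-z]{2})\.merckgroup\.com$/, fields: ["site", "nn", "region"] },
  { role: "pac-server", re: /^pacsrv\.([a-z]{2})\.merckgroup\.com$/, fields: ["region"] },
  { role: "pac-files", re: /^pacfiles\.([a-z]{2})\.merckgroup\.com$/, fields: ["region"] }
];

// Returns { host, role, ...fields }; role "non-compliant" when nothing matches.
// Specific prefixes (proxyin/proxyout/proxyav) are tried before the <SITE>
// patterns so that "proxyin1" is never misread as site "proxyin" + "1".
function classifyHost(host) {
  var h = host.toLowerCase();
  for (var i = 0; i < CONVENTIONS.length; i++) {
    var m = CONVENTIONS[i].re.exec(h);
    if (m) {
      var out = { host: h, role: CONVENTIONS[i].role };
      CONVENTIONS[i].fields.forEach(function (f, j) { out[f] = m[j + 1]; });
      return out;
    }
  }
  return { host: h, role: "non-compliant" };
}

// Audit an inventory: count hosts per role, list local proxies (exception
// cases under 2.6.2) and names outside the convention for follow-up.
function auditInventory(hosts) {
  var report = { byRole: {}, localProxies: [], nonCompliant: [] };
  hosts.forEach(function (host) {
    var c = classifyHost(host);
    report.byRole[c.role] = (report.byRole[c.role] || 0) + 1;
    if (c.role === "local-proxy") report.localProxies.push(c.host);
    if (c.role === "non-compliant") report.nonCompliant.push(c.host);
  });
  return report;
}

// Sample inventory: the document's own example names plus one constructed
// outlier ("squid.lab.example") that follows no convention.
var SAMPLE_INVENTORY = [
  "proxyin1.eu.merckgroup.com",
  "proxyout2.la.merckgroup.com",
  "proxyav1.ap.merckgroup.com",
  "chge1proxy1.eu.merckgroup.com",
  "usro1bcaaa01.la.merckgroup.com",
  "pacsrv.la.merckgroup.com",
  "squid.lab.example"
];

console.log(JSON.stringify(auditInventory(SAMPLE_INVENTORY), null, 2));
```

Run it with node; the report lists chge1proxy1.eu.merckgroup.com under localProxies and squid.lab.example under nonCompliant, which is the kind of output an asset review against this standard would start from.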

2.6.8. Interface Description

To host the proxy infrastructure it is mandatory that the security environment “DMZ” is implemented based on the Internet DMZ standard and the related SOP.

To ensure high availability it is mandatory to use the standard load balancer service.


3. Annexes

3.1. Key Documents, Tools and other References

• ITEAM_7ANX_014 Internet Content Filtering Rules

• ITEAM_7ANX_015 List of Applicable Working Instructions

• ITCFM_3SOP_033 Operation of Internet Access Services

3.2. Keywords

Internet Access, Proxy, PAC file, Content filter, Antivirus engine, BCAAA, HTTP, FTP, RTSP

3.3. Version History

Version Version date Change(s)

1 2010-12-14 Initial version

3.4. Signatures

Role Name & Title Date Signature

Author Patrick Herrmann Standard Owner

Reviewer Nigel Rixon Associate Director Networking & Telecommunications

Reviewer Manfred Lauer Director Quality Management

Approver Bernhard Schaffrik Head of Architecture Governance Board (AGB)

The original signature page is scanned and stored by the CIO Office.