Annex B
Terms of Reference
Security Review of the Global Communications
Infrastructure
Table of Contents
1 Introduction
2 Background
2.1 Mandate of the Commission
2.2 The Global Communications Infrastructure (‘GCI’)
3 Objectives and Expected Results
4 Activities
5 Data Sources and Methodology
6 Deliverables and Acceptance Criteria
6.1 Deliverables
6.2 Acceptance Criteria
7 Venue And Timing
8 Venue
9 Commission Input
10 Minimum Requirements of the Contractor and Its Personnel
Acronyms
GCI Global Communications Infrastructure
3DES Triple Data Encryption Standard
IMS International Monitoring System
IDC International Data Centre
OSI On-Site Inspection
Next GCI (GCI II) Next Generation of GCI
PTS Provisional Technical Secretariat
MPLS Multiprotocol Label Switching
CTBT Comprehensive Nuclear-Test-Ban Treaty
BGAN Broadband Global Area Network
VSAT Very Small Aperture Terminal
NGCI Next Generation GCI
QoS Quality of Service
OSI Reference Model Open Systems Interconnection Reference Model
IPSec Internet Protocol Security
TCP/IP Transport Control Protocol / Internet Protocol
WGB Working Group B (PTS Technical Working Group)
ACL Access Control List
NMS Network Management System
1 Introduction
The Preparatory Commission for the Comprehensive Nuclear-Test-Ban Treaty
Organisation (‘Commission’) is the international organisation established to carry
out the effective implementation of the global verification system foreseen under the
Comprehensive Nuclear-Test-Ban Treaty (CTBT), which is the Treaty banning any
nuclear weapon test explosion or any other nuclear explosion. The Treaty provides
for a global verification regime, including a network of 321 stations worldwide, a
communications system, an International Data Centre and On-Site Inspections to
monitor compliance.
The Headquarters and the International Data Centre (IDC) of the Preparatory
Commission are in Vienna (Vienna International Centre of United Nations), Austria.
The purpose of this document is to describe the different tasks for the Review
Exercise, which covers the GCI Encryption Standard, IPSec Deployment on GCI
Links and the Security Controls within the GCI Security and Design Documents.
2 Background
2.1 Mandate of the Commission
The Commission is tasked with implementing a global verification regime that
monitors compliance with the CTBT and that is provisionally operational before the
CTBT enters into force. In particular, the Commission is responsible for the
deployment of International Monitoring System Facilities, the establishment of the
International Data Centre and the development of operational procedures for On-Site
Inspections.
The IMS facilities search for, detect and provide evidence of possible nuclear
explosions to States Parties Signatories for verification of compliance with the CTBT.
The facilities consist of 321 monitoring stations and 16 radionuclide laboratories that
monitor the earth for evidence of a nuclear explosion. These consist of seismic,
hydroacoustic, radionuclide and infrasound monitoring technologies. (See
Appendix B)
The IDC supports the States Signatories by providing objective data and products
required for effective global verification. Data collected from the IMS facilities via the
GCI are processed by the IDC to detect, locate and analyse seismo-acoustic and
radionuclide events, and are transmitted to States Signatories for their feedback.
Data and products are transmitted through the GCI or via the public Internet.
2.2 The Global Communications Infrastructure (‘GCI’)
The IDC collects data from IMS facilities, National Data Centres (NDCs) and other
entities via the GCI which consists of terrestrial and hybrid terrestrial and satellite
network infrastructure (see Appendix B). The GCI transports measurement and
application data from IMS facilities to the IDC and from the IDC to all States
Signatories.
The first generation GCI (‘GCI-I’) was established in 1999 and expired on
3 September 2008. The Commission completed the migration to the Next Global
Communications Infrastructure (‘Next GCI’ or ‘GCI-II’) at the end of June 2008 (see
Figures 1 and 2). The GCI-II is currently fully operational.
3 Objectives and Expected Results
The overall objective of this assignment is to ensure that the security controls adopted
for GCI II meet the Commission’s security requirements as stated in the GCI II
Terms of Reference (see Appendix C) and to ensure that the security controls meet
industry best practices[1]. The Commission is therefore seeking to ensure that the GCI
II Security Plan is fully adhered to, and that provisions within this plan conform to
industry best practices.
The expected overall result of this assignment is to examine Security Implementation
and Management on the GCI II for the Commission, and to make recommendations
for improvement(s) going forward.
The expected specific results of this assignment are:
A new or improved Security policy for operating GCI-II, based
on best industry practices;
Improved and fully documented procedures and processes for GCI II Security
Management;
Improved and fully documented Security Plan for GCI II;
Improved and fully documented Security Design documents for the GCI II
(see Task 3);
Efficient encryption standard adopted for the GCI II;
IPSec deployment investigated on the GCI II, together with alternatives for
satellite communications.
[1] Where an activity/task has been mentioned to meet industry “best practices”, the minimum baseline to be used is ISO/IEC 27001:2005 – the de facto International Standard on Information Security best practices.
4 Activities
In order to meet the objectives of this assignment, the activities to be performed by
the Contractor relate to three tasks and include, but are not necessarily limited to, the
following activities:
Task 1: Encryption Standard for GCI-II
Review current use of cryptographic standards (algorithms) within the GCI-II
and make recommendations on best practices, particularly in satellite networks
with limited capacity. Consider actual or potential interactions, if any, between
the cryptographic standards within the GCI-II and those used in the station
sender equipment to digitally sign the IMS data.
Investigate, compare and contrast the performance of traffic on the GCI-II when
using the 3DES and AES algorithms. The assessment of these two algorithms should
determine which is computationally more efficient and offers greater security.
This should examine VPN throughput on Cisco firewalls/routers (mainly Cisco
1800 series) and a Check Point software firewall hosted on a PC.
Task 2: IPSec Deployment on GCI-II
Investigate the deployment of IPSec on the GCI links and examine how the extra
bytes added to each IP packet affect bandwidth allocation on the GCI;
Review how IPSec has been implemented and suggest ways to deal with
instability of tunnels at some sites;
Review the interaction between tunnels and QoS mechanisms, and advise on
best practices in implementing tunnels with QoS within and between tunnels.
Compare advantages and disadvantages of IPSec and GRE when used over
satellite links with limited capacity.
Review the tunnelling policies in place and advise on industry best practices
whilst meeting the requirements in Appendix C. Investigate the practice of
using a combination of IPSec/GRE tunnelling in some locations and IPSec alone
in others.
Investigate alternatives to IPSec for satellite communications networks. The
study should evaluate other options with a view to identifying suitable
candidates that offer lower bandwidth overhead for security deployment (e.g.
fixed IPSec component on each IP packet).
Task 3: Review of GCI Security Design documents
The Contractor shall review the security components of the Final Design
Document (FDD) and associated security documents[2], which include, but are not
limited to, the following:
GCI Security Plan
GCI Resource Access Procedures
GCI Systems Update Procedures
GCI Components and Controls Implementation
GCI Security Procedures
GCI Audit Procedures
Update GCI security requirements (where necessary), review security policies
pertinent to the GCI and provide recommendations for improvement.
The three tasks may be conducted in parallel and do not require one to be
completed before starting the next.
5 Data Sources and Methodology
In performing the activities listed above, the Contractor shall draw, at a minimum, on
the following data sources:
(a) The internal Commission materials and documents relevant to the GCI, copies
of which will be provided to the Contractor for use exclusively as part of this
project;
(b) GCI Security Design Documents will be provided to the Contractor for use
exclusively as part of the project;
(c) A hard copy report on earlier consultancy work commissioned to look at the
bandwidth capacity and data transmission on the GCI.
The choice of methodology to analyse, manipulate and present these data is left to
the Contractor and will form an essential part of the evaluation of the technical
proposal of the Contractor.
[2] These security documents are not released as part of the RFP for security reasons; the Contractor shall estimate seven (7) man-days for reading of these documents and making requests for clarifications once the contract is awarded.
6 Deliverables and Acceptance Criteria
6.1 Deliverables
The expected results of this assignment shall be delivered to the Commission as
follows in both electronic and hardcopy format:
A comprehensive written report presenting the detailed findings of the
reviews/analyses and proposed recommendations undertaken by the
Contractor in a separate chapter for each of the three Tasks; this report shall
contain an executive summary not exceeding 2 pages and a summary of the
conclusions and recommendations in the form of bullet points not exceeding 4
pages;
Supporting graphical documents - attached to the Report or submitted
separately - presenting and summarising the findings and recommendations of
the Contractor separately for each Task in a graphical manner by way of
technical drawings, flowcharts, organigrams, mind maps, concept maps, or
similar; these documents shall be drawn up in such a way that readers can
easily identify any proposed changes to the existing security design, processes
and procedures;
An oral presentation of the Report and the supporting graphical documents of
approximately 45 minutes jointly for all three tasks to the Director of IDC on the
basis of a PowerPoint presentation not to exceed 30 pages. This presentation
shall be given prior to submission of the Final Report Draft, ensuring that any
comments/input from the Commission may be incorporated into the Final
Report. This may require a further visit to the Vienna premises by the Contractor.
Optional: based on instructions and comments issued/made by the Director of
IDC following the above-mentioned presentation, a further oral presentation of
the Report and the supporting graphical documents of approximately 25
minutes jointly for all three tasks to the Members of Working Group B of the
CTBTO on the basis of a separate PowerPoint presentation not to exceed 20
pages. This will require a further visit to the Vienna premises by one
representative of the Contractor.
6.2 Acceptance Criteria
The Commission will accept any deliverables submitted by the Contractor as fully
meeting the requirements of this assignment only if they are drawn up in accordance
with the Contract, as instructed by the Commission, and in accordance with best
industry practice.
7 Timing
The Contractor shall implement this assignment within three (3) months after the
issuance of a commencement notice to the Contractor as follows:
A Kick-off meeting shall take place at the headquarters of the Commission in
Vienna, Austria, within seven (7) working days after the issuance of the
commencement notice. The purpose of this meeting is to arrive at a common
understanding of the purpose and objective(s) of the Contract; to introduce the
representatives of the parties to each other; to provide to the Contractor a brief
overview of the strategic, operational and legal framework in which the Commission
operates; and to agree on the practicalities for the implementation of the Contract.
In Phase 1, the Commission will provide the materials for activities mentioned in
Section 4 above. The Commission will provide additional materials that may also
become relevant during discussions with the Contractor. Materials supplied may be
in soft or hard copies subject to the Commission’s rules on confidentiality and data
protection. This data gathering phase shall last no longer than three weeks. By the
end of these three weeks, the Contractor shall submit to the Information Security
Manager, a draft version of its initial assessment for review and comment.
In Phase 2, the Contractor shall commence the various investigations as outlined in
Section 4 above. This phase shall last no longer than six weeks (or seven weeks
including the optional data gathering exercise in Norway) from the first day of
interviews. During that phase, the Commission will assist the Contractor in setting up
interviews with the key stakeholders (PTS staff and GCI II Contractor) and the
personnel of the Contractor. This phase shall commence upon a written notification
by the Commission, which will include the name of suggested key stakeholders to be
interviewed and a draft interview schedule. Interviews with the GCI contractor may
be conducted via tele/video conferences where feasible.
Phase 3 shall be the final reporting phase. This phase shall commence immediately
after the end of the previous stage and shall last no longer than three weeks.
At the end of the first two weeks of this Phase, the Contractor shall submit to the
Information Security Manager, a draft version of the Final Report for review and
comment. Any comments shall be incorporated into the final version of this Report.
The final version of this Report shall be submitted no later than one week after
receipt of final comments.
The timings described for the different Phases are estimates, and shall be mutually
reviewed (if necessary) during the project to ensure that appropriate timelines are
realised within the three months envisaged for project completion.
8 Venue
The Commission expects the majority of the tasks in Phases 1 and 2 to be
conducted on site at the premises of the Commission in Vienna, Austria. Phase 3
shall be implemented at the premises of the Contractor.
However, subject to a common assessment by the Commission and the Contractor
whether better results of this assignment could be achieved with visit(s) to GCI
site(s) and/or the headquarters of the GCI-II Contractor, the Commission reserves
the right to request the Contractor to conduct some of the activities under this
Contract at the GCI hub in Norway and/or a visit to the headquarters of the GCI-II
Contractor in the USA.
9 Commission Input
For the performance of this assignment, the Commission will provide to the
Contractor at its premises, free of charge, sufficient office space, PCs (MS Windows
XP with internet connection and standard office software (MS Office 2007) installed),
a reasonable amount of office consumables, access to the data mentioned above and
access to GCI staff.
If the Commission exercises the option set out in Clause 8 above, a Commission
representative will accompany the Contractor, and the Commission will organise and
pay for the travel expenses (limited to restricted economy plane ticket, local
transportation, accommodation, breakfast, 40% of UN-DSA rate) of the Contractor
between Vienna and the GCI hub in Norway and/or the headquarters of the GCI
Contractor in the USA.
All other resources are to be provided by the Contractor.
10 Minimum Requirements of the Contractor and Its Personnel
The Contractor shall meet or exceed the following qualifications:
Proven track record of designing and implementing projects in relevant
technical field(s), particularly in advising large governmental organisations
and/or NGOs on information security issues;
Proven track record of managing projects of a similar scope and complexity;
Availability of sufficient resources to perform the Contract;
Proven track record of applying project management and Quality Assurance
(QA) measures/methodology;
The Contractor’s personnel assigned to this Contract shall meet or exceed the
following qualifications:
Experience in design and analysis of cryptographic algorithms;
Experience in design and implementation of networks using Cisco devices;
Experience in Security Management using ISO/IEC 27001:2005 and with a
certification in CCIE and/or CISSP;
Experience in networking and satellite communications (including VSATs); an
understanding of tariff management will be an asset;
Experience in OSI Reference Model, IPSec and TCP/IP, MPLS.
[Diagram: CTBTO Architecture. Labels recoverable from the figure: CTBTO Vienna GCI Gateway Router Pair; CTBTO Aggregation Router Pair; CTBTO Router Pair; DP PoP Router Pair; GAN Router Pair; CTBTO Router (Remote); CTBTO FSS Teleport iDirect Hub; MSS Teleport BGAN GGSN; MSS Teleport GAN ACSE; Santa Paula, Eik, Southbury, Nittedal and Adelaide Teleports; NDC / ISN; Tunnel A; Private Tunnel; Private VPN; BGAN CTBTO Tunnel; BGAN CTBTO VPN Tunnel; GAN CTBTO Tunnel; MPLS CTBTO Tunnel.]
Figure 1: Next GCI Network Transport / Security
Figure 2: Next GCI IPSec and related traffic
Appendix A
Figure 3: Schematic Diagram of the Next GCI
Appendix B
Seismic Primary Array
Seismic Primary 3-comp Station
Seismic Auxiliary Array
Seismic Auxiliary 3-comp Station
Hydroacoustic (hydrophone) Station
Hydroacoustic (T-phase) Station
Infrasound Station
Radionuclide Station
Radionuclide Lab
Figure 4: International Monitoring Station: 321 stations, 16 Radionuclide
Laboratories
Appendix C
Security Requirements for GCI II
Item Number    Description
1 The Contractor shall implement security processes in accordance with the
approved Security Plan.
2 The Contractor, with the approval of the Commission, shall specify who has access to
which resources and shall define processes for action and audit.
3 The Contractor shall implement a real time detection system to detect viruses, worms,
and intrusions. Intrusion includes direct Site to Site logical connections – all data must
flow to/through the Vienna infrastructure.
4 The Contractor shall provide action plans and processes to identify and stop intruders
and shall notify the Commission immediately.
5 The Contractor shall be responsible for the integrity of all data handled within the GCI
and shall prevent unauthorised access into the GCI via any route through the
implementation of firewalls, ACLs, Intrusion Detection System and other security
controls.
6 The Contractor shall be responsible to ensure the ‘Separation’ of the Commission’s
traffic from other potential subscribers of the Contractor’s network infrastructure. The
Contractor shall demonstrate in its proposal how its proposed architecture will
provide/ensure ‘Community Separation’.
7 The Contractor shall ensure all network devices shall be protected with the highest
security controls possible to prevent unauthorised access to network devices.
8 The Contractor shall implement and maintain strict ACLs to limit management access to
network devices in the GCI and to specific approved management systems.
9 The Contractor shall implement a password management policy detailing the processes
and procedures around the life cycle of network devices and the Contractor’s NMS
accounts and passwords: generation, strength, distribution, storage, use, validity period,
revocation, etc.
10 The Contractor shall ensure that its NMS includes the security controls required to
prevent unauthorised access to the NMS itself and its subordinate network devices. The
NMS shall provide hierarchical privilege accounts to support the approved Security Plan.
11 The Contractor shall ensure that all accounts and passwords issued by the Commission,
allowing access to the Commission’s ITS and NMS are treated in strict confidence and
used only for the purpose they are intended.
12 The Contractor shall harden all network devices where possible to allow only the service
required for operational requirements.
13 The Contractor shall ensure no network device can be installed or replaced to allow
unauthorised access to the GCI. The Contractor shall ensure all unused ports both
physical and logical shall be disabled by default. Any request made by the Commission
to access an unused port shall be handled with a configuration change request initiated
by the Commission, and if access is only temporarily required this shall be disabled once
the requirement has been satisfied.
14 The Contractor shall ensure security configuration is applied at all times to GCI
equipment and is part of any configuration management or change control process to
which the GCI is subject.
15 The Contractor shall log, investigate and notify the Commission of security events
affecting the network devices related to the GCI.
16 The Contractor shall generate and submit to the Commission a monthly summary
security report detailing at a minimum the following statistics:
All critical security events;
All detection of viruses/worms;
All intrusion detections;
All unauthorised port/services requests;
All password failures.
All events shall be verifiable.
17 The Contractor shall cooperate with any security audit/vulnerability assessment
conducted by the Commission either using internal or external security experts. The
Commission will make the report available to the Contractor.
18 The Contractor shall rectify all critical vulnerabilities discovered within 60 days of the
report issue date.