11-7 Protecting the Network/Internet Perimeter
The perimeter between the Postal Service network and the Internet
environments must be protected through the following:
a. Implementing Internet security requirements.
b. Implementing firewalls.
c. Establishing demilitarized zones (DMZs).
d. Monitoring network traffic.
11-7.1 Implementing Internet Security Requirements
Internet-accessible information resources, such as those residing on DMZs,
must implement Internet security requirements that include, but are not
limited to, the following:
a. Securely partitioning each Internet-accessible environment, such as the
Intranet and Extranet, from each other.
b. Using firewalls or filtering devices to screen and monitor incoming and
outgoing traffic.
c. Supporting encryption to protect the storage and transmission of
sensitive and business-controlled sensitivity information.
d. Performing continual evaluation, testing, monitoring, and maintenance
of the firewalls.
e. Applying real-time monitoring, auditing, and alerting to detect intrusion,
fraud, abuse, or misuse.
11-7.2 Implementing Firewalls
A firewall is a safeguard or type of gateway that is used to control access to
information resources. A firewall can control access between separate
networks, between network segments, or between a single computer and a
network. A current-generation firewall is generally not a single component,
but a strategy composed of both hardware and software for protecting an
organization's resources.
Postal Service firewalls must be configured to:
a. Deny all services not expressly permitted (i.e., deny all inbound and
outbound traffic not specifically allowed).
b. Restrict inbound Internet traffic to Internet Protocol (IP) addresses
within the DMZ (ingress filters).
c. Prevent internal addresses from going from the Internet into the DMZ.
d. Implement dynamic packet filtering (i.e., only allow "established"
connections into the network).
e. Secure and synchronize router configuration files (i.e., running
configuration files and start-up configuration files used to re-boot
machines must have the same secure configuration).
f. Audit and monitor all services, including those not permitted, to detect
intrusions or misuse.
g. Notify the firewall administrator and system administrator in near real
time of any item that may need immediate attention.
h. Run on a dedicated computer.
i. Stop passing packets if the logging function becomes disabled.
j. Disable or delete all nonessential firewall-related software, such as
compilers, editors, and communications software.
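
The following Python model is an added example, not Postal Service code or part of the handbook: it applies items a, b, c, d, f, and i to packets arriving on the Internet-facing interface and returns the verdict a compliant firewall would give. The address ranges, the permit list, and all class and field names are constructed assumptions, and item c is read here as a check on the packet's source address.

```python
import ipaddress
from dataclasses import dataclass
# Constructed sample addressing and permit list (assumptions, not Postal Service values).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")
# Expressly permitted inbound services: (DMZ host, protocol, port).
PERMITTED = {("192.0.2.10", "tcp", 443), ("192.0.2.25", "tcp", 25)}

@dataclass(frozen=True)
class Packet:
    in_iface: str           # "internet", "dmz" or "internal"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn_only: bool = False  # True for a TCP connection-opening segment

class PerimeterFilter:
    def __init__(self):
        self.established = set()  # tracked flows (dynamic packet filtering)
        self.logging_ok = True
        self.log = []

    def _record(self, pkt, verdict, reason):
        self.log.append((verdict, reason, pkt))
        return verdict

    def decide(self, pkt):
        # Item i: stop passing packets when logging is disabled.
        if not self.logging_ok:
            return "DROP"
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if pkt.in_iface == "internet":
            # Item c: internal source addresses must not arrive from the Internet.
            if src in INTERNAL:
                return self._record(pkt, "DROP", "spoofed-source")
            # Item b: inbound Internet traffic may only target DMZ addresses.
            if dst not in DMZ:
                return self._record(pkt, "DROP", "not-dmz-destination")
            # Item d: packets of an already tracked connection pass.
            if flow in self.established:
                return self._record(pkt, "ACCEPT", "established")
            # Item a: a new connection needs an express permit.
            if pkt.syn_only and (pkt.dst, pkt.proto, pkt.dport) in PERMITTED:
                self.established.add(flow)
                return self._record(pkt, "ACCEPT", "permitted-new")
        # Items a and f: everything else is denied, and the denial is logged.
        return self._record(pkt, "DROP", "default-deny")
```

The `reason` field recorded with each verdict is what an auditor would review under item f; denied traffic is logged as well as permitted traffic.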

Each firewall or logical group of firewalls must have adequate resources
assigned for firewall administration. Firewall administrators are responsible
for ensuring compliance with standards for configuration and approved
services and protocols.
All Postal Service firewalls must be located in a controlled environment.
Firewall administration must be performed from the local console or via
remote access if approved by the manager, SIS, and appropriately secured
through strong authentication and encryption. Firewall configurations must be
protected and treated as "RESTRICTED INFORMATION." Access to firewall
configuration information must be based upon the security principles of need
to know and least privilege.
Firewall system configuration and integrity must be validated and tested
periodically by the firewall administrator.
The firewall (system software, configuration data, database files, etc.) must
be backed up as determined in the Business Contingency and Continuity
Plan (BCCP).
11-7.3 Establishing Demilitarized Zones
Demilitarized zones (DMZs) are network segments between Intranets,
Extranets, and the Internet that provide increased security for data transfer
between information resources, vendors, and the public. Web servers and
electronic commerce systems accessible to the public must reside within a
DMZ with approved access control, such as a firewall or gateway. Sensitive,
critical, and business-controlled data must not reside within a DMZ. All
inbound traffic to the Intranet from the DMZ must be passed through a
proxy-capable device.

11-7.4 Monitoring Network Traffic
The Postal Service network perimeter must be monitored for network
connectivity, services, and traffic. Monitoring must be conducted on both
active and inactive connections.