SECURE INTERCONNECTIONS FOR INFORMATION TECHNOLOGY SYSTEMS Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Organizations may decide to interconnect their information technology (IT) systems so they can share their data and information resources with each other. Benefits that participating organizations may realize include reduced operating costs, greater functionality, improved efficiency, and centralized access to data. Organizations choose to interconnect their IT systems for a variety of reasons, depending on their organizational needs or the requirements of Congressional mandates or Executive department agreements. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47, Security Guide for Interconnecting Information Technology Systems, provides guidance for planning, establishing, maintaining, and terminating secure yet cost-effective interconnections between IT systems that are owned and operated by different organizations. This ITL Bulletin summarizes the document, which also discusses the benefits of interconnecting IT systems, the basic components of an interconnection, the methods and levels of interconnectivity, and the potential security risks associated with interconnections. Written by Tim Grance, Joan Hash, Steven Peck, Jonathan Smith, and Karen Korow-Diks, NIST SP 800-47 is available at http://csrc.nist.gov/publications/nistpubs/index.html. The appendices contain sample documents to help organizations interconnect their IT systems, including an Interconnection Security Agreement (ISA), which specifies the technical and security requirements of the interconnection; a Memorandum of Understanding/Agreement (MOU/A), which defines the responsibilities of the participating organizations; and a System Interconnection Implementation Plan, which defines the process for establishing the interconnection. Also included are a glossary, references, and an index. Interconnection Issues Organizations deciding to interconnect their systems should determine the method of interconnection. IT systems can be interconnected by a dedicated line that either is owned by one of the organizations or is leased from a third party, such as an Integrated Services Digital Network (ISDN), a T1, or a T3 line. Dedicated physical lines provide a higher level of security for the interconnected systems, because they can be breached only through direct physical access to the line. However, dedicated lines can be expensive. A less expensive alternative to the dedicated line is interconnection over a public network, using a virtual private network (VPN). A VPN is a data network that enables two or more parties to communicate securely across a public network by creating a private connection, or "tunnel," between them. This alternative can be less secure than the dedicated line, however, because unauthorized parties could intercept unprotected data that is transmitted over the public network. Interconnected IT systems can expose the participating organizations to risks. In planning for interconnected systems, organizations should apply risk management procedures. Federal agencies are required to protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse, unauthorized access, or modification of such information. If the interconnection is not properly designed, security failures could compromise the connected systems and the data they store, process, or transmit. In addition, if one of the connected systems is compromised, the interconnection could be used to compromise the other system and its data. In most cases, the participating organizations have little or no control over the operation and management of the other party's system. Therefore, both parties should learn as much as possible about the risks associated with the planned or current interconnection and the security controls that they can implement to mitigate those risks. A written agreement is needed to establish and describe the management, operation, and use of the interconnection. The agreement should be reviewed and approved by appropriate senior staff from each organization. OMB Circular A-130, Appendix III, requires agencies to obtain written management authorization before connecting agency IT systems to other systems, based on an acceptable level of risk. The written authorization should define the rules of behavior and controls that must be maintained for the system interconnection, and it should be included in the agencies' system security plans. Four Phases of the System Interconnection Life Cycle The NIST SP 800-47 guide recommends a "life-cycle management" approach for interconnecting IT systems: ? planning for the interconnection; ? establishing the interconnection; ? maintaining the interconnection; and ? disconnecting an interconnection. Planning for the Interconnection. The planning phase is the first step in establishing an efficient and secure interconnection. The participating organizations should examine all relevant technical, security, and administrative issues; and form an agreement governing the management, operation, and use of the interconnection. A joint planning team should be established by the participating organizations, composed of management and technical staff, including program managers, security officers, system administrators, network administrators, and system architects. The joint planning team should coordinate the planning process with the support of senior managers and system and data owners. The team would be responsible for coordinating all aspects of the planning process and ensuring that it had clear direction and sufficient resources. After the initial planning phase, the team may remain active to discuss future issues involving the interconnection. The business case for the interconnection should be defined, including its purpose and expected benefits, costs for staff and equipment, and potential technical, legal, and financial risks. Privacy issues and access rules also should be discussed. Systems to be interconnected should be certified and accredited in accordance with federal certification and accreditation (C&A) guidelines. Certification involves testing and evaluating the technical and nontechnical security features of the system to determine the extent to which it meets a set of specified security requirements. Accreditation is the official approval by a Designated Approving Authority (DAA) or other authorizing management official that the system may operate for a specific purpose using a defined set of safeguards at an acceptable level of risk. The planning team should consider the interconnection requirements, including all relevant technical, security, administrative, and personnel issues. This information will be used to develop an Interconnection Security Agreement (ISA) and a Memorandum of Understanding or Agreement (MOU/A). Further, the collected information may be used to develop an implementation plan for establishing the interconnection. Issues that should be considered include the level and method of the interconnection, impact on existing operations, hardware and software requirements, data sensitivity, user community, security controls, and rules of behavior, among others. The joint planning team should document an agreement governing the interconnection and the terms under which the organizations will abide by the agreement, based on the team's review of all relevant technical, security, administrative, and personnel issues. An ISA should be developed to specify the technical and security requirements for establishing, operating, and maintaining the interconnection. The MOU/A documents the terms and conditions for sharing data and information resources in a secure manner. The ISA and MOU/A should be reviewed by management officials of participating organizations and approved or rejected. Approval of the ISA and MOU/A constitutes approval of the interconnection. Approval may also be granted on an interim basis. The ISA and MOU/A that are developed should be kept in a secure location to protect against theft, damage, or destruction. Copies stored electronically should be protected from unauthorized disclosure or modification. Establishing an Interconnection. The following steps are recommended for establishing a system interconnection after it has been planned and approved. The participating organizations develop and execute a plan for the interconnection, including security controls. The joint planning team should develop an implementation plan. The plan should document all aspects of the interconnection effort and clarify how technical requirements specified in the ISA will be implemented. The plan should include a description of the IT systems to be interconnected, the sensitivity of the data to be exchanged, the staff members who will be responsible for the interconnected systems, and the security controls, tests, and procedures that will be in place. The implementation plan should be reviewed and approved by the planning team. Once approved, the plan may be implemented. Recommended steps for establishing the interconnection are described below. Security controls should be implemented or configured. These controls may include firewalls and intrusion detection systems. Audit logs should be installed to record the activities that take place across the interconnection and should be appropriately reviewed, protected, and maintained. Identification and authentication procedures should be established to prevent unauthorized access to the interconnected systems. Passwords, biometrics, and smart cards are additional measures that may be used. Logical access controls should be used to designate users who have access to system resources and the type of transactions and functions that they are permitted to perform. Data passing from one system to another should be scanned with antivirus software to detect and eliminate malicious code. Antivirus software should be installed on all servers and computer workstations linked to the interconnection. The software should be automatically updated and maintained with current virus definitions. Encryption can be used to protect the confidentiality and integrity of data during transmission and storage, to authenticate users to the interconnection and to shared applications, and to provide for nonrepudiation of data. Hardware and software supporting the interconnection should be located in a secure location that is protected from unauthorized access, interference, or damage. Interconnections should be protected from hazards such as fire, water, and excessive heat and humidity. Computer workstations should be in secure areas to protect them from damage, loss, theft, or unauthorized physical access. Hardware and software to establish the interconnection should be installed or configured. The hardware and software should be installed with proper communications lines, VPN software, routers, and switches. Database, web, and application servers should support services provided across the interconnection, and needed hubs should be installed to join multiple computers into a single network segment. Computer workstations should be configured to provide authorized users with a link to the interconnection. Applications or protocols for services that are provided across the interconnection should be integrated. These includes word processing, database applications, e-mail, web browsers, application servers, authentication servers, domain servers, development tools, editing programs, and communications programs. Conduct operational and security testing to ensure equipment operates properly and to mitigate or counter the ways for unauthorized users to circumvent or defeat security controls. The interface between applications should be tested across the interconnection, and security controls should be tested under realistic conditions. Testing should be done in an isolated, non-operational environment to avoid disturbing the systems. Weaknesses or problems should be corrected, and the interconnection retested. Operational and security testing may be performed as part of the recertification and reaccreditation processes. Conduct security training and awareness for all authorized personnel who will be involved in managing, using, and/or operating the interconnection. Ensure that staff members understand the rules and that they know how to report suspicious or prohibited activities. Both organizations should update their system security plans and related documents to reflect the changed security environment in which their respective systems operate. The MOU/A should address the details of conducting a mutual review of the interconnection. Perform recertification and reaccreditation if significant changes have been made to the connected systems. Activate the interconnection for use by both organizations. One or both organizations should monitor the interconnection for at least three months to ensure that it operates properly and securely. Maintaining the Interconnection. After it is established, the interconnection must be actively maintained for secure operation. The maintenance steps are: Maintain clear lines of communication to ensure that the interconnection is properly maintained and that both sides are notified of changes or security incidents. Communications should be conducted between designated personnel using approved procedures. Authorized personnel should maintain the equipment in accordance with the manufacturer's specifications. Appropriate documentation and notification procedures should be used. User profiles should be managed to assure access to authorized users only. Active management of user profiles helps to prevent intruders from using inactive accounts. Security reviews should be conducted to ensure security controls are working properly and providing appropriate levels of protection. Audit logs should be analyzed at predetermined intervals to detect and track unusual or suspicious activities across the interconnection that might indicate intrusions or internal misuse. Security incidents should be reported to participating organizations. Both organizations should respond to security incidents by isolating systems if necessary and by coordinating their incident response activities. Coordinate contingency planning, training, testing, and exercises to minimize the impact of disasters and other contingencies that could damage the connected systems or jeopardize the confidentiality and integrity of shared data. Perform change management procedures to ensure that the interconnection is properly maintained and secured. A change control board should review and approve planned changes for each organization. Changes should be based on the security requirements specified in the ISA and a determination that the change will not adversely affect the interconnection. A joint change control board should review and approve changes that affect the interconnection. Update system security plans and other relevant documentation at least annually or whenever there is a significant change to the IT systems or to the interconnection. Disconnecting an Interconnection. If an interconnection must be terminated, the process should be conducted in a methodical manner to avoid disrupting the IT system of either organization. The decision to terminate the interconnection should be made by the system owner with the advice of appropriate managerial and technical staff. Before terminating the interconnection, the initiating party should notify the other party in writing, and it should receive an acknowledgment in return. If an organization detects an attack, intrusion attempt, or other contingency that exploits or jeopardizes the connected systems or data, it may be necessary to abruptly terminate the interconnection without written notice to the other party. This is an extraordinary measure taken only in extreme circumstances and only after consultation with appropriate technical staff and senior management. Both organizations may choose to restore the system interconnection after it has been terminated. The decision to restore the interconnection should be based on the cause and duration of the disconnection. Both organizations should modify the ISA and MOU/A to address issues requiring attention. If the interconnection has been terminated for more than 90 days, each party should perform a risk assessment on its respective system and reexamine all relevant planning and implementation issues, including developing a new ISA and MOU/A. Summary Interconnecting IT systems can provide significant benefits to participating organizations, but can expose both to risks. Interconnections must be properly designed, and appropriate security controls must be in place to avoid compromise of systems and data. Both parties must understand the risks associated with the interconnection and the security controls they can implement to mitigate those risks. The organizations should establish a formal agreement concerning the management, operation, and use of the interconnection. The agreement should be reviewed and approved by appropriate senior staff from each organization. Reference List NIST's Information Technology Laboratory issues publications covering research, guidance, standards, and the results of collaborative outreach efforts with industry, government, and academic organizations. NIST publications dealing with information security topics, including archived copies of bulletins, are available in electronic format from the NIST Computer Security Resource Center at http://csrc.nist.gov/publications/ . The following NIST Special Publications provide guidance to help organizations plan, establish, maintain, and terminate secure IT system interconnections: NIST Special Publication 800-3, Establishing a Computer Security Incidence Response Capability (CSIRC), provides information on detecting and reporting security incidents. NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, provides guidance on certification and accreditation (C&A), and other security procedures. NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, provides details on access control issues, and developing and updating security plans. NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, provides guidance on conducting risk assessments. NIST Special Publication 800-31, Intrusion Detection Systems (IDS), and NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy, provide information on selection of security controls. NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, gives information on coordinating contingency planning activities. Guidance on physical security techniques is included in NIST Special Publications 800- 12, An Introduction to Computer Security: The NIST Handbook; NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security); and NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems. Details on integrating applications and protocols can be found in NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security); NIST Special Publication 800-28, Guidelines on Active Content and Mobile Code; and NIST Special Publication 800-33, Underlying Technical Models for Information Technology Security. NIST Special Publication 800-42 (draft), Guidelines on Network Security Testing, includes a methodology for using network-based tools to test IT systems for vulnerabilities. Information about Federal Information Processing Standards (FIPS)-approved algorithms and cryptographic modules that must be used by federal agencies is available at http://csrc.nist.gov/publications/fips/index.html. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.