Service Description Safecom Customer Connection Version 3.5


Service Description Safecom Customer Connection Version 3.5 2006 Telecom NZ Ltd Commercial in Confidence

CONTENTS

1 INTRODUCTION
2 SERVICE DEFINITION
2.1 SERVICE OVERVIEW
2.2 SERVICE FEATURES
2.3 SERVICE OPTIONS
2.4 SERVICE IMPLEMENTATION
3 STANDARD FEES AND INVOICING
3.1 STANDARD CUSTOMER CONNECTION
3.2 OPTIONAL COMPONENTS
3.3 EXCLUSIONS

1 INTRODUCTION

This document forms part of the Safecom Service Specification which defines the Safecom suite of services and principles. The purpose of this document is to provide a detailed service description for the Safecom Customer Connection service, whereby the overarching Safecom Service Specification document applies and this document describes information specific to this service. If you require further technical information, please contact your account manager.

2 SERVICE DEFINITION

2.1 SERVICE OVERVIEW

To enable customers to use Safecom services, there needs to be a secure connection between the internal Customer Network and Gen-i's Service Delivery Platform. The service that provides this is the Customer Connection Service, which is a pre-requisite service for all other Safecom services.

Safecom requires customers to use IP (Internet Protocol) as defined by the IETF (Internet Engineering Task Force) RFC 791. This standard defines the method of communication between host systems using IP, the standard for communication across the Internet.

The following diagram outlines the key components of the service and its boundaries:

- Safecom Connectivity: this is the Telecom connection, address translation and routes which are required to link the Customer Network into the Gen-i Service Delivery Platform for access to Safecom Services.
- Security Infrastructure: these comprise multiple layers of firewalls providing specific and appropriate security levels and policies for each layer. By default, all application traffic to and from the Customer Network is blocked until additional Safecom services are provisioned. Intrusion Detection Systems (IDS) detect real-time attacks by hostile users and alert the Safecom Security Operations Centre (SOC).
- Safecom Base Infrastructure: the base infrastructure for Safecom services provides administrative tools for self-administration of users, services and reporting and maps into the SOC for management, monitoring and helpdesk support.
FIGURE 1: SAFECOM CUSTOMER CONNECTION SERVICE

[Diagram not reproduced. Labels in the diagram: Customer's Internal Network (Customer Network); Telecom Network, Private Connection (Safecom Connectivity); Gen-i Service Domain; Network Interface Layer; Firewall Systems; IDS; Gen-i Service Delivery Platform; Safecom Base Infrastructure; Security Operations Centre (Management & Monitoring, Helpdesk); Security Infrastructure; Safecom Services; Blocked; Service Boundary; Security Boundary; External Networks (Remote Branches, Partners, Internet, Public Users, Remote VPN Users).]

Figure callouts:

- Customer Premises Equipment: terminates network connection; boundary between customer's internal network and Telecom network.
- Network Connection: high speed IP connection; dedicated or integrated with existing IP-VPN solution.
- Safecom Services: centralised security services; 24x7 Security Operations Centre; strong protection from external threats.
- Internet: global IP network; hostile, high threat environment; transport for communications from External Networks and Remote Users.

The main security threats addressed by the Safecom Customer Connection service are:

- Attacks on Customer Network computer systems from the Internet: devices within the Customer Network are not visible from the Internet and are therefore difficult to attack directly. Addresses of devices will be translated, and all access controlled by the Safecom Firewall Systems.
- Users hosting hidden web sites on the internal Customer Network: as Safecom does not provide direct inbound access from the Internet, it is not possible for a user to host a hidden website on the customer's network.

2.2 SERVICE FEATURES

This Safecom Customer Connection service includes the following features:

Safecom Connectivity

- Termination of the Telecom Network Circuit: each customer will require a Telecom network connection to Safecom. It typically includes Customer Premises Equipment (CPE) such as a router at the customer site, network access connection and Virtual Circuit or connection to Safecom. This is terminated within Safecom at the Network Interface Layer.
- Network Address Translation Management (NAT): as customers often utilise private IP addressing within their internal networks, it is necessary to implement network address translation. This ensures that there are no conflicts of addressing within Safecom. The allocation of NAT address ranges is managed by the Safecom implementation team.

Firewall and Intrusion Detection Systems

These systems define the secure interface between the Customer Network and the Security Infrastructure including:

- Firewall Port: a firewall port is dedicated to each customer and is used to enforce firewall policies to control all traffic that passes in and out of the port. Segmentation and security is maintained between the customer and other Safecom customers. The bandwidth of this port will be limited to the capacity purchased by the customer.
- Multi-layer Protection: the Customer Network and all interfaces to Safecom are protected by firewalls, which provide a very high level of control and monitoring. Safecom provides multiple layers of Security Infrastructure, with each layer including firewall and intrusion detection systems. All layers are monitored to detect suspicious activity and alert where action is required.
- Intrusion Detection: in Safecom, IDS are used in various locations to detect and alert on suspicious activity. The IDS alerts are managed by the Safecom Management Systems, which escalate alerts to the Security Operations Centre (SOC).

Safecom Base Infrastructure

- Firewall Policies: the default security policy blocks all direct inbound and outbound traffic to and from the Internet or external networks. When additional Safecom services are implemented, these policies are modified to allow specific communication between the Customer Network and the selected service.
- Safecom User Database: the Safecom user database is central to the Safecom security model. This database holds profiles for each user, defining the Safecom services the user is authorised to access. While there are no users for the Safecom Customer Connection service itself, the user database container for this service includes a customer administrative user who is able to provision users for any implemented Safecom services using the Safecom Administration system.
- Safecom Administration system: this web portal provides the ability for customers to administer their own users' profiles in the Safecom user database. Users with administrative permissions are able to access the restricted website, add user accounts, delete users or modify user profiles.
- Reporting: the Safecom Online Reporting system provides information on the traffic patterns through the customer connection for some core and optional services. This includes the data sent and received for those services as well as total throughout each day.
- Overall Security Infrastructure and monitoring: all of the Safecom services are provided on hardened systems, managed and monitored 24 hours x 7 days per week, 365 days per year.
- Helpdesk: Safecom support is provided by the Security Operations Centre (SOC), which is available to provide 2nd and 3rd level assistance to customer helpdesks as required. This includes testing and monitoring access through the Safecom systems.

Exclusions

This service does not provide:

- Other Safecom Services: Safecom provides a suite of services such as Secure Internet Browsing and Secure Mail Relay which function over the Safecom Customer Connection service. Where the customer requires applications which fall outside of the available service standards, the Restricted Inbound/Outbound services can be considered. Examples of this include outbound FTP, virus pattern updates, DNS forwarding or certificate authority services.
- Direct Communication from the Internet to the Customer Network: this includes applications and protocols such as real audio, streaming video and chat which can open security risks and are not supported by Safecom.

2.3 SERVICE OPTIONS

The following option exists for the Safecom Connectivity component:

- IPsec Encryption: this option allows for encryption over the connection from the Customer Network to Safecom. Safecom IPSEC Encryption is the provision of IPSEC (3DES encryption) across the Customer Connection specifically from the CPE (router) to the Safecom network interface termination point. To enable this functionality, the connecting router at the edge of the Customer Network is required to comply with Safecom IPSEC connectivity software with appropriate memory as defined by the router supplier.

2.4 SERVICE IMPLEMENTATION

This section of the service description provides information on the provisioning process for the Safecom Customer Connection, and the steps involved. The overarching Safecom Service Specification should be reviewed as this table is specific to the Customer Connection service.

As this service provides the interface between the customer's network and Safecom, it is required to be provisioned before any other Safecom service is provisioned. The Safecom implementation team will manage the provisioning process, and work with customer technical staff until the Safecom services are available and working for end users.

Following is an outline of a typical implementation of this service, showing Implementation Team Responsibilities and Customer Responsibilities at each stage:

Pre-Sales

- Implementation team: Scope pre-implementation work and estimate costs. Complete Design Proposal (if applicable).
- Customer: Provide accurate information for business and technical requirements.

Contract, Technical Specification & Statement of Work

- Implementation team: Prepare Safecom Contract. Design Engineer completes the Safecom Customer Connection service section of the Technical Specification. Complete Statement of Work.
- Customer: Sign Safecom Contract. Develop a test plan to set the criteria for successful implementation of all functionality. Agree and sign off Statement of Work.

Establish Connection to Safecom

- Implementation team: This involves provisioning a network connection between the Customer Network and Safecom. The Safecom Implementation team will work with the Telecom Network implementation group to coordinate the provisioning of these components. This usually includes the following components:
  - Customer Premises Equipment: this is the router which terminates the network connection from Safecom to the customer network. This is typically the demarcation point between the customer's internal network and Safecom.
  - Telecom Access Connection: the capacity of this connection will vary depending on customer requirements.
  - Virtual Circuit: such as a Frame Relay PVC or MPLS VLAN connection between the customer premises equipment and Safecom.
- Customer: Ensure skilled technical expertise is available to assist the Safecom engineer during the integration phases.

Configure Safecom Network Interface

This involves terminating the PVC and establishing the routing configuration to establish the connection to the Safecom Firewall port.

Configure Routes and End-User Devices

To establish routes for Safecom addresses, the customer's internal network should be configured to direct all end-user devices' traffic destined for the Safecom servers (146.171.16.x) to the router (CPE) terminating the connection to Safecom. In most cases this is done by configuring specific routes for each server on the CPE.

Configure Safecom Firewall Port

This involves setting up the Safecom Firewall infrastructure to allow communication between the customer's internal network and the Safecom Secure Infrastructure.

Test

- Implementation team: This involves testing communication from within the Customer Network to the Safecom Infrastructure. As setup of any additional Safecom Services is completed, testing to the Internet is conducted. The Safecom Implementation Engineer will assist the customer's technical person with configuration of a workstation and remote testing issues.
- Customer: The customer's technical person will work with the Safecom Implementation Engineer to test the service from the customer's site. This includes:
  - Providing skills to diagnose integration issues that arise within the customer's environment.
  - Testing all services according to test plan.

Integration Completion

- Implementation team: Work with customer to ensure all requirements in the Statement of Work are met.
- Customer: Sign off Safecom solution to acknowledge delivery of functionality as agreed.

Handover to SOC (Security Operations Centre)

- Implementation team: Ensure customer is aware that the services are in production and are aware of SOC's problem management and change control processes.
- Customer: Ensure support processes are communicated to all relevant internal parties.

Each of the above stages includes discussions between the Safecom Implementation Engineer and the customer technical contact, as well as testing and sign-off processes.

Safecom DNS

As most Safecom Services provide name resolution for Internet domain names, the DNS systems in Safecom are not usually provided as a service to customers.

3 STANDARD FEES AND INVOICING

The actual costs for the services provided in Safecom are detailed in the Safecom Price Schedule. In addition to the Safecom Service Specification fee information provided, the following information pertains to the Safecom Customer Connection service specifically.

3.1 STANDARD CUSTOMER CONNECTION

ONE-OFF INSTALLATION FEES

Installation fees include the cost of the initial configuration of Safecom Connectivity, Firewall and Intrusion Detection Systems and the Safecom Base Infrastructure components to allow customers to access additional Safecom services. This also includes liaising with customers regarding configuration of the Customer Network to connect to Safecom and testing.

FIXED MONTHLY FEES

The monthly fees cover the on-going use of Customer Connection service:

- Firewall port fees will vary per customer depending on the bandwidth required, starting at 512KBps up to 10MBps.
- Firewall port bandwidths are defined as the committed rate that will be provided.
- Firewall port speed chosen should match the committed information rate of the connection between the Customer Network and Safecom.
- Firewall ports will allow burst above the bandwidth; any burst over the committed bandwidth is dependent on current capacity.

3.2 OPTIONAL COMPONENTS

The Safecom IPSEC Encryption option is priced separately to the standard Customer Connection service price.

ONE-OFF INSTALLATION FEES

This includes the initial configuration of IPSEC on the customer connection and testing with the customers.

FIXED MONTHLY FEES

This includes the ongoing fee for providing this service option.

3.3 EXCLUSIONS

The fees for other Safecom services such as Secure Internet Browsing, Secure Mail Relay and Secure Remote Access are detailed in separate service descriptions.

Currently the Safecom Customer Connection fee does not include Telecom Lanlink Network Charges such as:

- Customer Premises Equipment (CPE): this is typically a managed router service provided by Lanlink.
- Access Circuit: this is the connection between the CPE and the Telecom network at the customer site.
- Connection: this is the connection between the customer premises router and Safecom.