Service Description
Safecom Customer Connection
Version 3.5
2006 Telecom NZ Ltd Commercial in Confidence
CONTENTS
1 INTRODUCTION ... 3
2 SERVICE DEFINITION ... 3
2.1 SERVICE OVERVIEW ... 3
2.2 SERVICE FEATURES ... 4
2.3 SERVICE OPTIONS ... 5
2.4 SERVICE IMPLEMENTATION ... 6
3 STANDARD FEES AND INVOICING ... 8
3.1 STANDARD CUSTOMER CONNECTION ... 8
3.2 OPTIONAL COMPONENTS ... 8
3.3 EXCLUSIONS ... 8
1 INTRODUCTION

This document forms part of the Safecom Service Specification, which defines the Safecom suite of services and principles. The purpose of this document is to provide a detailed service description for the Safecom Customer Connection service: the overarching Safecom Service Specification document applies, and this document describes information specific to this service. If you require further technical information, please contact your account manager.

2 SERVICE DEFINITION

2.1 SERVICE OVERVIEW

To enable customers to use Safecom services, there needs to be a secure connection between the internal Customer Network and Gen-i's Service Delivery Platform. The service that provides this is the Customer Connection Service, which is a prerequisite service for all other Safecom services.

Safecom requires customers to use IP (Internet Protocol) as defined by the IETF (Internet Engineering Task Force) RFC 791. This standard defines the method of communication between host systems using IP, the standard for communication across the Internet.

The following diagram outlines the key components of the service and its boundaries:

- Safecom Connectivity: this is the Telecom connection, address translation and routes which are required to link the Customer Network into the Gen-i Service Delivery Platform for access to Safecom Services.
- Security Infrastructure: these comprise multiple layers of firewalls providing specific and appropriate security levels and policies for each layer. By default, all application traffic to and from the Customer Network is blocked until additional Safecom services are provisioned. Intrusion Detection Systems (IDS) detect real-time attacks by hostile users and alert the Safecom Security Operations Centre (SOC).
- Safecom Base Infrastructure: the base infrastructure for Safecom services provides administrative tools for self-administration of users, services and reporting, and maps into the SOC for management, monitoring and helpdesk support.
FIGURE 1: SAFECOM CUSTOMER CONNECTION SERVICE

[Diagram not reproduced in this text. Its labelled elements are: the Customer's Internal Network (Customer Network) with Customer Premises Equipment; the Telecom Network private connection (Safecom Connectivity); the Gen-i Service Domain containing the Network Interface Layer, Firewall Systems, IDS, the Gen-i Service Delivery Platform, the Safecom Base Infrastructure, the Security Operations Centre (Management & Monitoring, Helpdesk), the Security Infrastructure and the Safecom Services; and External Networks (Remote Branches, Partners, Internet, Public Users, Remote VPN Users), whose direct path to the Customer Network is marked BLOCKED. Service and security boundaries are drawn at each interface.]

Figure callouts:
- Customer Premises Equipment: terminates the network connection; boundary between the customer's internal network and the Telecom network.
- Network Connection: high speed IP connection; dedicated or integrated with an existing IP-VPN solution.
- Safecom Services: centralised security services; 24x7 Security Operations Centre; strong protection from external threats.
- Internet: global IP network; hostile, high threat environment; transport for communications from External Networks and Remote Users.
The main security threats addressed by the Safecom Customer Connection service are:

- Attacks on Customer Network computer systems from the Internet: devices within the Customer Network are not visible from the Internet and are therefore difficult to attack directly. Addresses of devices will be translated, and all access controlled by the Safecom Firewall Systems.
- Users hosting hidden web sites on the internal Customer Network: as Safecom does not provide direct inbound access from the Internet, it is not possible for a user to host a hidden website on the customer's network.

2.2 SERVICE FEATURES

This Safecom Customer Connection service includes the following features:

Safecom Connectivity

- Termination of the Telecom Network Circuit: each customer will require a Telecom network connection to Safecom. It typically includes Customer Premises Equipment (CPE) such as a router at the customer site, a network access connection and a Virtual Circuit or connection to Safecom. This is terminated within Safecom at the Network Interface Layer.
- Network Address Translation (NAT) Management: as customers often utilise private IP addressing within their internal networks, it is necessary to implement network address translation. This ensures that there are no conflicts of addressing within Safecom. The allocation of NAT address ranges is managed by the Safecom implementation team.

Firewall and Intrusion Detection Systems

These systems define the secure interface between the Customer Network and the Security Infrastructure, including:

- Firewall Port: a firewall port is dedicated to each customer and is used to enforce firewall policies to control all traffic that passes in and out of the port. Segmentation and security are maintained between the customer and other Safecom customers. The bandwidth of this port will be limited to the capacity purchased by the customer.
- Multi-layer Protection: the Customer Network and all interfaces to Safecom are protected by firewalls, which provide a very high level of control and monitoring. Safecom provides multiple layers of Security Infrastructure, with each layer including firewall and intrusion detection systems. All layers are monitored to detect suspicious activity and to alert where action is required.
- Intrusion Detection: in Safecom, IDS are used in various locations to detect and alert on suspicious activity. The IDS alerts are managed by the Safecom Management Systems, which escalate alerts to the Security Operations Centre (SOC).

Safecom Base Infrastructure

- Firewall Policies: the default security policy blocks all direct inbound and outbound traffic to and from the Internet or external networks. When additional Safecom services are implemented, these policies are modified to allow specific communication between the Customer Network and the selected service.
- Safecom User Database: the Safecom user database is central to the Safecom security model. This database holds profiles for each user, defining the Safecom services the user is authorised to access. While there are no users for the Safecom Customer Connection service itself, the user database container for this service includes a customer administrative user who is able to provision users for any implemented Safecom services using the Safecom Administration system.
- Safecom Administration System: this web portal provides the ability for customers to administer their own users' profiles in the Safecom user database. Users with administrative permissions are able to access the restricted website, add user accounts, delete users or modify user profiles.
- Reporting: the Safecom Online Reporting system provides information on the traffic patterns through the customer connection for some core and optional services. This includes the data sent and received for those services as well as total throughput each day.
- Overall Security Infrastructure and Monitoring: all of the Safecom services are provided on hardened systems, managed and monitored 24 hours x 7 days per week, 365 days per year.
- Helpdesk: Safecom support is provided by the Security Operations Centre (SOC), which is available to provide 2nd and 3rd level assistance to customer helpdesks as required. This includes testing and monitoring access through the Safecom systems.
Exclusions

This service does not provide:

- Other Safecom Services: Safecom provides a suite of services, such as Secure Internet Browsing and Secure Mail Relay, which function over the Safecom Customer Connection service. Where the customer requires applications which fall outside of the available service standards, the Restricted Inbound/Outbound services can be considered. Examples of this include outbound FTP, virus pattern updates, DNS forwarding or certificate authority services.
- Direct Communication from the Internet to the Customer Network: this includes applications and protocols such as RealAudio, streaming video and chat, which can open security risks and are not supported by Safecom.

2.3 SERVICE OPTIONS

The following option exists for the Safecom Connectivity component:

- IPsec Encryption: this option allows for encryption over the connection from the Customer Network to Safecom. Safecom IPSEC Encryption is the provision of IPSEC (3DES encryption) across the Customer Connection, specifically from the CPE (router) to the Safecom network interface termination point. To enable this functionality, the connecting router at the edge of the Customer Network is required to support the Safecom IPSEC connectivity software, with appropriate memory as defined by the router supplier.
2.4 SERVICE IMPLEMENTATION

This section of the service description provides information on the provisioning process for the Safecom Customer Connection and the steps involved. The overarching Safecom Service Specification should be reviewed, as this table is specific to the Customer Connection service.

As this service provides the interface between the customer's network and Safecom, it is required to be provisioned before any other Safecom service is provisioned. The Safecom implementation team will manage the provisioning process and work with customer technical staff until the Safecom services are available and working for end users.

Following is an outline of a typical implementation of this service. Each stage lists the Implementation Team responsibilities and the Customer responsibilities.

Pre-Sales
  Implementation Team: Scope pre-implementation work and estimate costs. Complete Design Proposal (if applicable).
  Customer: Provide accurate information for business and technical requirements.

Contract, Technical Specification & Statement of Work
  Implementation Team: Prepare Safecom Contract. Design Engineer completes the Safecom Customer Connection service section of the Technical Specification. Complete Statement of Work.
  Customer: Sign Safecom Contract. Develop a test plan to set the criteria for successful implementation of all functionality. Agree and sign off Statement of Work.

Establish Connection to Safecom
  Implementation Team: This involves provisioning a network connection between the Customer Network and Safecom. The Safecom Implementation team will work with the Telecom Network implementation group to coordinate the provisioning of these components. This usually includes the following components:
  - Customer Premises Equipment: this is the router which terminates the network connection from Safecom to the customer network. This is typically the demarcation point between the customer's internal network and Safecom.
  - Telecom Access Connection: the capacity of this connection will vary depending on customer requirements.
  - Virtual Circuit: such as a Frame Relay PVC or MPLS VLAN connection between the customer premises equipment and Safecom.
  Customer: Ensure skilled technical expertise is available to assist the Safecom engineer during the integration phases.

Configure Safecom Network Interface
  This involves terminating the PVC and establishing the routing configuration to establish the connection to the Safecom Firewall port.

Configure Routes and End-User Devices
  To establish routes for Safecom addresses, the customer's internal network should be configured to direct all end-user device traffic destined for the Safecom servers (146.171.16.x) to the router (CPE) terminating the connection to Safecom. In most cases this is done by configuring specific routes for each server on the CPE.

Configure Safecom Firewall Port
  This involves setting up the Safecom Firewall infrastructure to allow communication between the customer's internal network and the Safecom Secure Infrastructure.

Test
  Implementation Team: This involves testing communication from within the Customer Network to the Safecom Infrastructure. As setup of any additional Safecom Services is completed, testing to the Internet is conducted. The Safecom Implementation Engineer will assist the customer's technical person with configuration of a workstation and remote testing issues.
  Customer: The customer's technical person will work with the Safecom Implementation Engineer to test the service from the customer's site. This includes:
  - Providing skills to diagnose integration issues that arise within the customer's environment.
  - Testing all services according to the test plan.

Integration Completion
  Implementation Team: Work with the customer to ensure all requirements in the Statement of Work are met.
  Customer: Sign off the Safecom solution to acknowledge delivery of functionality as agreed.

Handover to SOC (Security Operations Centre)
  Implementation Team: Ensure the customer is aware that the services are in production and is aware of the SOC's problem management and change control processes.
  Customer: Ensure support processes are communicated to all relevant internal parties.

Each of the above stages includes discussions between the Safecom Implementation Engineer and the customer technical contact, as well as testing and sign-off processes.

Safecom DNS
As most Safecom Services provide name resolution for Internet domain names, the DNS systems in Safecom are not usually provided as a service to customers.
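The default-deny policy described under Firewall Policies (2.2) and the Configure Safecom Firewall Port and Test stages above can be written down as a small model against which the customer's test plan is checked before and after a service is provisioned. This is an added example, not Telecom's or Safecom's own code: the customer range 10.20.0.0/16, the service name and the ports are constructed assumptions, while 146.171.16.0/24 is the Safecom server range named in this document.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

CUSTOMER_NET = ip_network("10.20.0.0/16")       # constructed private customer range
SAFECOM_SERVERS = ip_network("146.171.16.0/24")  # Safecom servers (range from this document)

@dataclass(frozen=True)
class Flow:
    src: str    # source address as seen at the customer's firewall port
    dst: str    # destination address
    dport: int  # destination TCP/UDP port

@dataclass
class FirewallPort:
    """Per-customer firewall port: default deny both ways, allows only per provisioned service."""
    # entries: (service name, destination network, allowed destination ports)
    allows: list = field(default_factory=list)

    def provision(self, service: str, dst_net: str, dports: set) -> None:
        # Provisioning a Safecom service opens only that service's servers and ports.
        self.allows.append((service, ip_network(dst_net), set(dports)))

    def evaluate(self, flow: Flow) -> str:
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        if src not in CUSTOMER_NET:
            # No direct inbound access from the Internet or external networks.
            return "BLOCK inbound (default deny)"
        for service, net, dports in self.allows:
            if dst in net and flow.dport in dports:
                return f"ALLOW outbound ({service})"
        # Anything not provisioned, including direct Internet access, stays blocked.
        return "BLOCK outbound (default deny)"

def run_test_plan(fw: FirewallPort, plan: list) -> list:
    """Return one line per flow whose verdict differs from the test plan's expectation."""
    failures = []
    for flow, expected in plan:
        got = fw.evaluate(flow)
        if got != expected:
            failures.append(f"{flow.src}->{flow.dst}:{flow.dport} "
                            f"expected {expected!r}, got {got!r}")
    return failures

if __name__ == "__main__":
    fw = FirewallPort()
    fw.provision("Secure Internet Browsing", str(SAFECOM_SERVERS), {8080})  # constructed
    plan = [(Flow("10.20.5.7", "146.171.16.10", 8080), "ALLOW outbound (Secure Internet Browsing)"),
            (Flow("10.20.5.7", "203.0.113.9", 80), "BLOCK outbound (default deny)"),
            (Flow("203.0.113.9", "10.20.5.7", 80), "BLOCK inbound (default deny)")]
    print(run_test_plan(fw, plan) or "test plan passed")
```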
3 STANDARD FEES AND INVOICING

The actual costs for the services provided in Safecom are detailed in the Safecom Price Schedule. In addition to the fee information provided in the Safecom Service Specification, the following information pertains to the Safecom Customer Connection service specifically.

3.1 STANDARD CUSTOMER CONNECTION

ONE-OFF INSTALLATION FEES
Installation fees include the cost of the initial configuration of Safecom Connectivity, Firewall and Intrusion Detection Systems and the Safecom Base Infrastructure components to allow customers to access additional Safecom services. This also includes liaising with customers regarding configuration of the Customer Network to connect to Safecom, and testing.

FIXED MONTHLY FEES
The monthly fees cover the ongoing use of the Customer Connection service:
- Firewall port fees will vary per customer depending on the bandwidth required, starting at 512KBps up to 10MBps.
- Firewall port bandwidths are defined as the committed rate that will be provided. The firewall port speed chosen should match the committed information rate of the connection between the Customer Network and Safecom.
- Firewall ports will allow bursting above the bandwidth; any burst over the committed bandwidth is dependent on current capacity.

3.2 OPTIONAL COMPONENTS

The Safecom IPSEC Encryption option is priced separately from the standard Customer Connection service price.

ONE-OFF INSTALLATION FEES
This includes the initial configuration of IPSEC on the customer connection and testing with the customer.

FIXED MONTHLY FEES
This includes the ongoing fee for providing this service option.

3.3 EXCLUSIONS

The fees for other Safecom services such as Secure Internet Browsing, Secure Mail Relay and Secure Remote Access are detailed in separate service descriptions.

Currently the Safecom Customer Connection fee does not include Telecom Lanlink Network Charges such as:
- Customer Premises Equipment (CPE): this is typically a managed router service provided by Lanlink.
- Access Circuit: this is the connection between the CPE and the Telecom network at the customer site.
- Connection: this is the connection between the customer premises router and Safecom.