LAN-to-WAN Domain Policies

The LAN-to-WAN domain refers to the technical infrastructure that connects an organization’s LAN to a wide area network (WAN). The main concern is controlling network traffic between the outside network, or the WAN, and the private network, or the LAN. The LAN-to-WAN domain denotes, for many organizations, its connection to the Internet. This connection represents significant risk. LAN-to-WAN security standards often focus on how to configure devices to maintain message and transaction integrity. Establishing secure point-to-point communications is an important part of the connectivity through the Internet. The Internet should never have a direct connection to the organization’s private network without the traffic being heavily filtered and inspected.

An important policy concern is how to filter traffic between the Internet and the internal network. Additionally, many organizations have an Internet presence. This has the additional challenge of serving content on the Internet to customers and businesses. These public-facing websites often provide access to internal resources such as databases for product information. As a result, they are a prime target for hackers.

NOTE

An Internet proxy is a server that acts as an intermediary between users and the Internet. The server receives requests and responses and filters unwanted traffic.

The LAN-to-WAN key standards define the security requirements to harden Internet-facing servers, filter traffic between these networks, and monitor for breaches in security. Although there are other policy requirements, such as defining what data the public can access, these standards generally represent core requirements.

Control Standards

The industry has well-defined standards that require access control to the Internet. As such, the standards tend to be specific about technologies and architecture choices. For example, these standards often require the use of an Internet proxy and specific demilitarized zone (DMZ) architecture.

A content filtering standard can be an effective method of reducing malware attacks. This is achieved by blocking sites known to host malware. It also means blocking sites that employees may wish to access. In short, a content filtering standard describes which websites an employee is allowed to access from a company-owned device. The purpose and objective of the filtering need to be well explained to gain employee support. The standard typically will not list specific sites, but rather types of sites, such as email, gambling, adult material, or political activist websites.

Here are several additional examples of policies that deal with LAN-to-WAN connectivity and filtering:

  • External Information System Services Connect Standard—Requires that providers of external services establish a secure connection. This standard applies to all external parties such as business partners and outsourced providers. It also establishes service level agreements and sets forth how to measure and report security control compliance.
  • DMZ Control Standard—Establishes the controls for publicly accessible devices to place them in a DMZ. DMZs are critical because, by definition, outside users can access them rather easily.
  • User Internet Proxy Standard—Establishes controls for using an Internet access proxy (a user proxy) for all inbound and outbound Internet traffic.

Baseline Standards

A LAN-to-WAN domain baseline standard focuses on perimeter devices that separate the WAN from the LAN. The following are some examples:

  • Content-Blocking Tools Configuration Standard—Requirements that describe what types of web content should be blocked and how updates are approved. Most organizations have at least some content they should block.
  • Intrusion Detection and Prevention Tools Configuration Standard—Requirements for each product, with particular emphasis on those placed in the DMZ. Keep in mind that IDS/IPS can also be used within the internal network, as well as in the DMZ.
  • Proxy Server Configuration Standard—Requirements for maintaining the access control list (ACL) for the device that controls access to the Internet from the LAN.
  • Firewall Configuration Standard—Describes DMZ and firewall architecture.

Procedures

Many of the same procedural issues, such as configuration and patch management, exist across domains. In the case of LAN-to-WAN connectivity, there is a greater emphasis on managing changes and on detecting and responding to network attacks. For example, you can view the DMZ as the “front door” to your private network. Configuration changes in this domain can have a serious impact on the publicly facing website or on the ability to prevent an intrusion. It is not uncommon to see procedures in this domain require senior-level approval and extensive testing before changes are applied.

Guidelines

Guidelines in this domain are useful for individuals who must determine how much Internet access should be permitted. Controls and baselines create crisp lines on minimum standards. The guidelines establish additional choices while balancing the additional risk. The following guideline documents are examples:

  • DMZ Guidelines—Recommend additional services to be placed in the DMZ and, depending on those services, additional security requirements
  • Intrusion Detection and Prevention Systems Guidelines—Recommend how to design an IDS system of sensors, collection stations, and alert mechanisms to eliminate or reduce false positives
  • Content-Filtering Guidelines—Recommend content-filtering options, ways to maintain the list of banned sites, and ways to request access to blocked sites when needed
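As an added illustration (not the textbook's own material) of the content-filtering standard described earlier together with the guideline on requesting access to blocked sites: a proxy decision function that blocks by site category rather than by individual URL, honours a time-limited approved exception, fails closed on uncategorised hosts, and emits one audit record per decision. The hostnames, categories and the exception record are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample category feed; a real deployment takes this from the
# content-blocking tool under the configuration standard.
SITE_CATEGORIES = {"mail.example.net": "email", "bets.example.org": "gambling",
                   "adult.example.com": "adult", "activist.example.net": "political",
                   "docs.example.com": "business"}
# Types of sites the standard blocks from company-owned devices.
BLOCKED_CATEGORIES = {"email", "gambling", "adult", "political"}

@dataclass(frozen=True)
class AccessException:  # a granted request for access to a blocked site
    user: str
    host: str
    approved_by: str
    expires: date

def decide(user, host, today, exceptions):
    """Return (action, reason) for one outbound request through the proxy.
    Uncategorised hosts are blocked so the filter fails closed."""
    category = SITE_CATEGORIES.get(host)
    if category is None:
        return "block", "uncategorised host (fail closed)"
    if category not in BLOCKED_CATEGORIES:
        return "allow", f"category '{category}' permitted"
    for exc in exceptions:
        if exc.user == user and exc.host == host and exc.expires >= today:
            return "allow", f"exception approved by {exc.approved_by} until {exc.expires}"
    return "block", f"category '{category}' blocked by standard"

def audit_line(today, user, host, decision):
    """One log record per decision, feeding the monitoring this domain requires."""
    action, reason = decision
    return f'{today.isoformat()} proxy user={user} host={host} action={action} reason="{reason}"'

def sample_decisions():
    """Constructed requests checked against one time-limited approved exception."""
    today = date(2024, 6, 1)
    exceptions = [AccessException("alice", "bets.example.org", "ciso", date(2024, 6, 30))]
    requests = [("alice", "bets.example.org"), ("bob", "bets.example.org"),
                ("alice", "docs.example.com"), ("bob", "unlisted.example")]
    results = {f"{u}@{h}": decide(u, h, today, exceptions) for u, h in requests}
    # The same exception no longer grants access once it has expired.
    results["expired"] = decide("alice", "bets.example.org", date(2024, 7, 1), exceptions)
    for (u, h) in requests:
        print(audit_line(today, u, h, results[f"{u}@{h}"]))
    return results
```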

NOTE

LAN policies are also a good place to consider digital rights management (DRM). You want to ensure policies take steps to avoid both copyright infringement and your organization’s own confidential data being exfiltrated.
