Purpose of gateways
Gateways act as information flow control mechanisms at the network layer and may also control information at the higher layers of the Open Systems Interconnection (OSI) model.
This section describes the security controls applicable to all gateways. Additional areas of these guidelines should also be consulted depending on the type of gateway deployed:
- For connections between different security domains, where at least one system is SECRET or higher, see the Cross Domain Solutions section of these guidelines.
- For devices used to control data flow in bi-directional gateways, see the firewalls section of these guidelines.
- For all gateways, see the Guidelines for Data Transfers and Content Filtering.
Applying the security controls
In all cases, gateways assume the highest sensitivity or classification of the connected security domains.
Gateway architecture and configuration
Gateways are necessary to control data flows between security domains and prevent unauthorised access from external networks. Given the criticality of gateways in controlling the flow of information between security domains, any failure, particularly at higher classifications, may have serious consequences. As such, robust mechanisms for alerting personnel to situations that may cause cyber security incidents are especially important for gateways.
Security Control: 0628; Revision: 5; Updated: Mar-19; Applicability: O, P, S, TS
All systems are protected from systems in other security domains by one or more gateways.
Security Control: 1192; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model.
Security Control: 0631; Revision: 5; Updated: Jun-19; Applicability: O, P, S, TS
Gateways:
- are the only communications paths into and out of internal networks
- allow only explicitly authorised connections
- are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)
- are protected by authentication, logging and auditing of all physical and logical access to gateway components
- have all security controls tested to verify their effectiveness after any changes to their configuration.
Security Control: 1427; Revision: 2; Updated: Jun-19; Applicability: O, P, S, TS
Gateways implement ingress traffic filtering to detect and prevent Internet Protocol (IP) source address spoofing.
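The following is an added example, not part of the original guidelines, of the ingress filtering decision described in Security Control 1427: a source address is accepted only if it is plausible for the interface it arrived on, and every drop is returned with a reason so it can be logged and alerted on. The interface names, prefixes, bogon list and sample packets are constructed assumptions, and the policy is IPv4 only.

```python
import ipaddress

# Constructed topology (assumption): prefixes assigned behind each gateway interface.
ASSIGNED = {
    "internal": [ipaddress.ip_network("10.20.0.0/16")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
}
EXTERNAL = "external"
# Non-exhaustive sample of source ranges that should never arrive from outside.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def owner_of(addr):
    """Name of the interface whose assigned prefixes contain addr, else None."""
    for iface, nets in ASSIGNED.items():
        if any(addr in net for net in nets):
            return iface
    return None

def check_ingress(iface, src):
    """Return (verdict, reason) for a packet with source src arriving on iface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop", "unparsable source address"
    if addr.version != 4:
        return "drop", "no IPv6 policy defined (default deny)"
    owner = owner_of(addr)
    if iface == EXTERNAL:
        if owner is not None:
            return "drop", f"spoofed: {owner} address arriving from outside"
        if any(addr in net for net in BOGONS):
            return "drop", "bogon source on external interface"
        return "accept", "source plausible for external interface"
    if iface not in ASSIGNED:
        return "drop", "unknown interface (default deny)"
    if owner == iface:
        return "accept", f"source within prefixes assigned to {iface}"
    return "drop", f"spoofed: source not assigned to {iface}"

# Constructed sample packets: (ingress interface, source address).
SAMPLE = [("external", "198.51.100.7"), ("external", "10.20.4.9"),
          ("external", "192.168.1.5"), ("internal", "10.20.4.9"),
          ("internal", "198.51.100.7"), ("dmz", "192.0.2.25")]

def audit(packets):
    """Return dropped packets with reasons: the events a gateway should log and alert on."""
    return [(i, s, r) for i, s in packets for v, r in [check_ingress(i, s)] if v == "drop"]
```

Calling `audit(SAMPLE)` returns the three constructed packets whose source address does not match their ingress interface.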
Implementing logging and alerting capabilities for gateways can assist in detecting cyber security incidents, attempted intrusions and unusual usage patterns. In addition, storing event logs on a separate secure log server increases the difficulty for an adversary to delete logging information in order to destroy evidence of a targeted cyber intrusion.
Security Control: 0634; Revision: 7; Updated: Jun-19; Applicability: O, P, S, TS
All gateways connecting networks in different security domains are operated such that they:
- log network traffic permitted through the gateway
- log network traffic attempting to leave the gateway
- are configured to save event logs to a secure logging facility
- provide real-time alerts for any cyber security incidents, attempted intrusions and unusual usage patterns.
Demilitarised zones are used to prevent direct access to information and services on internal networks. Organisations that require certain information and services to be accessed from the Internet can place them in the less trusted demilitarised zone instead of on internal networks.
Security Control: 0637; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones.
Gateway security risk assessment
Performing a security risk assessment on the gateway architecture and the proposed configuration before implementation allows for the early identification and mitigation of security risks to the gateway environment and connected systems. In addition, gateways can connect networks in different security domains, including across administrative and organisational boundaries. By understanding and formally accepting security risks from all other networks before gateways are implemented, system owners can make informed decisions about changes to their gateway environment.
Security Control: 0598; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
A security risk assessment is performed on gateways and their configuration before their implementation.
Security Control: 1519; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
A security risk assessment is performed on all systems before they are connected to a gateway.
Security Control: 0605; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
All system owners of systems connected via a gateway understand and accept security risks associated with the gateway and any connected security domains, including those connected via a cascaded connection.
Security Control: 1041; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
The security architecture of a gateway, and security risks associated with all connected security domains, including those connected via a cascaded connection, are reviewed at least annually.
Gateway configuration control
Changes that could introduce security vulnerabilities or change security risks in a gateway should be appropriately considered and documented before being implemented.
Security Control: 0624; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
Any associated security risk assessments are updated before changes are made to a gateway to ensure all relevant security risks have been documented and accepted.
Security Control: 0625; Revision: 5; Updated: Aug-19; Applicability: O, P, S, TS
All changes to a gateway architecture are considered prior to implementation, documented and assessed in accordance with the organisation’s change management process and supporting change management procedures.
Testing security controls on gateways assists with understanding their security posture by determining the effectiveness of security controls. An adversary may be aware of regular testing activities. Therefore, performing testing at irregular intervals will reduce the likelihood that an adversary could exploit regular testing activities.
Security Control: 1037; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls.
Administrator privileges should be minimised and roles should be separated (e.g. separate network administration and security policy configuration roles) to minimise security risks posed by a malicious user with privileged access to a gateway.
Providing system administrators with formal training will ensure they are fully aware of, and accept, their roles and responsibilities regarding the management of gateways. Formal training could be through commercial providers, or simply through Standard Operating Procedures or reference documents bound by a formal agreement.
The system owner of the highest security domain of connected security domains is responsible for protecting the most sensitive information, and as such is best placed to manage any shared components of gateways. However, in cases where multiple security domains from different organisations are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected organisations.
Security Control: 0611; Revision: 4; Updated: Mar-19; Applicability: O, P, S, TS
Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely.
Security Control: 0612; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
System administrators are formally trained to manage gateways.
Security Control: 1520; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway.
Security Control: 0613; Revision: 4; Updated: Sep-18; Applicability: S, TS
All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals.
Security Control: 0616; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS
Roles for the administration of gateways are separated.
Security Control: 0629; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party.
Shared ownership of gateways
As changes to a security domain connected to a gateway potentially affect the security posture of other connected security domains, system owners should formally agree to be active information stakeholders in other security domains to which they are connected via a gateway.
Security Control: 0607; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS
Once connectivity is established, system owners become information stakeholders for all connected security domains.
Ensuring users and services are authenticated by gateways can reduce the likelihood of unauthorised access and provides an auditing capability to support the investigation of cyber security incidents.
Security Control: 0619; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
Users and services accessing networks through gateways are authenticated.
Security Control: 0620; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
Only users and services authenticated and authorised to a gateway can use the gateway.
Security Control: 1039; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
Multi-factor authentication is used for access to gateways.
ICT equipment authentication
Authenticating ICT equipment to networks accessed through gateways assists in preventing unauthorised ICT equipment connecting to a network, for example by using 802.1X.
Security Control: 0622; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
ICT equipment accessing networks through gateways is authenticated.
Further information on topics covered in this section can be found in the following cyber security guidelines:
- Guidelines for Cyber Security Incidents
- Guidelines for Physical Security
- Guidelines for Evaluated Products
- Guidelines for ICT Equipment Management
- Guidelines for System Hardening
- Guidelines for System Management
- Guidelines for System Monitoring
- Guidelines for Network Management
- Guidelines for Data Transfers and Content Filtering.
Further information on preventing IP source address spoofing can be found in Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing at https://tools.ietf.org/html/bcp38.