Sprint Managed Security Services -- Pre-Installation Questionnaire

The Sprint Managed Security Services Pre-Installation Questionnaire is a tool used by Sprint’s Managed Security Services Security Engineer during the Design & Implementation service. This tool facilitates the gathering of the customer’s security requirements and knowledge of the customer's existing network topology in the Managed Security Services design process. The end result of the design process is a detailed Statement of Work (SOW) which includes the documentation of the customer’s security requirements, existing network topology, a detailed security plan, and configuration parameters of the security systems contained in that design.

The Sprint Managed Security Design & Implementation service is a comprehensive service that ensures that the required security systems are properly designed and implemented and that the network and security design provides the best possible protection from external network threats. The service includes the following work:

  • Sprint gathers and reviews the customer Managed Security requirements. These requirements will be provided to Sprint through the use of this document and customer meetings.
  • Sprint develops a detailed Customer Statement of Work (SOW). This SOW defines the customer’s network environment and any unique situations not addressed in this document. Since all customer network and security requirements are unique, there is no single network design that can be applied to every customer.
  • A Sprint Security Engineer travels to the customer site as needed (any travel expense is included in the standard service fee) to review the Statement of Work with the customer.
  • The customer and Sprint approve the Final Statement of Work.
  • Sprint procures and stages all software and hardware (provided by Sprint).
  • Sprint Engineers install security system(s) at customer site(s) (on-site installation is included in the standard implementation service fee per system).
  • The security system(s) are configured and enabled by Sprint Managed Security Implementation Engineer.
  • Acceptance testing is done to ensure all requirements are met.
  • Security System Management is turned over to Sprint Managed Security Operations Center if Sprint Managed and to the customer if Customer Managed.

During the Implementation phase of Design & Implementation Service, the customer has the following responsibilities:

  • The network topology must be configured per approved Statement of Work (SOW). The implementation may be delayed and additional charges may be incurred by the customer if the network topology has changed from the agreed upon SOW.
  • A primary and secondary point of contact must be provided to work with Sprint during the implementation process. This point of contact must be available to work closely with Sprint during the installation process. The point of contact is identified in the SOW.
  • Access to the area where security system hardware is installed must be available to Sprint personnel or their representatives during scheduled times. The assigned primary or secondary point of contact should provide this access.
  • The customer is responsible for providing the proper environment for the security system hardware and software. This includes conditioned power, proper air conditioning, and physical security controls.
  • Prior to the installation, the customer must secure the necessary network connections, including cables, hubs, and the protected power source. These connections must be in place prior to the installation date or Sprint cannot assure installation and the customer may incur charges for another installation.

Please complete this form and fax it to the Managed Security Services Project Manager, Sprint Corporate Security X or mail it to:

X

A conference call will be scheduled to review this document by the Sprint Managed Security Services Design Engineer. Should additional information be needed, an on-site meeting will be held to finalize the security design.

If you need help answering any of these questions, please contact your Sprint Account Team or Sprint Corporate Security

TelephoneX

NoteX.

Section 1: Customer Information

Customer Name:

Address:

City:

State: / Zip Code:

Country:

Sprint Network Engineer / Sprint Account Manager
Name: / Name:
Phone: / Phone:
Pager: / Pager:
FAX: / FAX:
Office Address: / Office Address:
Email: / Email:
Customer Firewall System POC / Backup Customer Firewall System POC
Name: / Name:
Phone: / Phone:
Pager: / Pager:
FAX: / FAX:
Office Address: / Office Address:
Email: / Email:
Workstation OS*: / Workstation OS*:

*Workstation OS is needed to provide Change Management software. Change Management software will be provided at the time of Managed Security Services installation.

Firewall Shipping Location (This will be the location that the firewall hardware will be shipped to. Please include a point of contact)
Shipping Address:
Room #:
Attention to:
Telephone #:
Firewall Installation Location (This will be the permanent location where the firewall system will be installed. Please provide a point of contact who will be available on-site during the implementation process.)
Installation Address:
Room #:
POC:
Telephone #:
* It is the customer’s responsibility to have the proper network connections in place prior to firewall installation

Section 2: Network Topology and Configuration

What is the number of IP enabled hosts on your network?
<100 101-250 >250
Please provide a list of all IP subnets used on all LAN segments. Provide the default gateways for each subnet. The default gateways should be from the proposed location of the firewall.
LAN IP Subnet / LAN Subnet Mask / Default Gateway
Do you have a firewall on your network now?
Yes No Manufacturer and version ______
If yes, will this firewall be replaced by the Sprint provided firewall?
Yes No
Will the firewall be managed over a Sprint Provided Transport?
Yes No Who is the Internet Service Provider ______
Please provide a detailed diagram of all connectivity points to the network that you want to protect with the firewall. This includes all dial-in, SLIP/PPP, frame relay, remote bridges, etc. Include the anticipated placement of the firewall component(s). (Please attach diagram to form if more space is needed.)
What kind of network hardware/ethernet media will be used to connect the system to your network?
Local Area Side(s)AUI 10baseT 100BaseT BNC FDDI  Token Ring  Other:
Wide Area Side(s) AUI 10baseT 100BaseT BNC FDDI  Token Ring  Other:
What is the speed of your dedicated Internet connection (if applicable)?

X

What is the speed of any other dedicated circuit that pertains to this project (if applicable)?

The next four pages contain standard firewall topology drawings. Please select the drawing that best suits your requirements and fill out the appropriate information.

Firewall Topology for Customer with Internet/Intranet/Local LAN Segment

X

X / X.
Host name of Internet interface of firewall: / Host name of Intranet interface of firewall:
IP Address Internet interface of firewall: / IP Address Intranet interface of firewall:
Subnet Mask: / Subnet Mask:
What is the "Customer Secure LAN Segment" IP address of your firewall to be?
Host name of LAN 1 interface of firewall:
IP Address LAN 1 interface of firewall:
Subnet Mask:

Firewall Topology for Customer with Internet/Intranet/DMZ/Local LAN Segment

X

What is the "Internet" IP address of your firewall to be? *Sprint provided address space. / X
Host name of Internet interface of firewall: / Host name of Intranet interface of firewall:
IP Address Internet interface of firewall: / IP Address Intranet interface of firewall:
Subnet Mask: / Subnet Mask:
What is the "Customer Secure LAN Segment" IP address of your firewall to be? / What is the "Customer DMZ Ethernet Segment" IP address of your firewall to be?
Host name of LAN 1 interface of firewall: / Host name of LAN 2 interface of firewall:
IP Address LAN 1 interface of firewall: / IP Address LAN 2 interface of firewall:
Subnet Mask: / Subnet Mask:

X

X

X
Host name of Internet interface of firewall:
IP Address Internet interface of firewall:
Subnet Mask:
What is the "Customer Secure LAN Segment" IP address of your firewall to be? / What is the "Customer DMZ Ethernet Segment" IP address of your firewall to be?
Host name of LAN 1 interface of firewall: / Host name of LAN 2 interface of firewall:
IP Address LAN 1 interface of firewall: / IP Address LAN 2 interface of firewall:
Subnet Mask: / Subnet Mask:

X

X

X / What is the "Customer Secure LAN Segment" IP address of your firewall to be?
Host name of Internet interface of firewall: / Host name of LAN 1 interface of firewall:
IP Address Internet interface of firewall: / IP Address LAN 1 interface of firewall:
Subnet Mask: / Subnet Mask:

DNS Information

If you currently have a domain name registered with the Internic, please list below the domain name and the name of the company that is providing you primary and/or secondary domain name services.
Domain Name: DNS Provider:
If your current DNS Provider is not Sprint, do you plan to have Sprint provide your domain name services?
 Yes  No
*The Internic requires a change template to be submitted by the registered DNS POC prior to any DNS changes.
If you do not currently have a domain name registered with the Internic, what is the DNS domain name that you would like to use?
Domain Name:
* Sprint will register the domain name on behalf of the customer during the provisioning of the dedicated Sprintlink circuit.
Do you have an internal DNS server that is used and has a populated or semi-populated DNS?
 Yes  No (If yes, please provide the host information by attaching a print out of this file)
If you want to serve primary external DNS for your domain, do you have another external system (such as your service provider) that is willing to act as a secondary?
 Yes  No (If yes, enter address information in the table below)
Do you require that internal DNS information be hidden from external (unsecure) networks?
 Yes  No (If yes, enter address information in the table below)

DNS Systems
IP Address / Host Name / Do you have admin access to this system? / Comments
Current
Primary External DNS
Secondary External DNS
Primary Internal DNS
Secondary Internal DNS
Planned
Primary Internal DNS
Primary External DNS
Secondary External DNS

Section 3.0: Security Requirements & Policy Definition

Permitted Inbound Services

Please provide information on all IP services that will be permitted through the firewall to internal servers:

* An Entity can be a subnet or a specific host. The external entity can be ALL for unrestricted host access. Please list hostnames and IP addresses if possible.

Type of Service / Port Number / Permitted from which External Entities to which Internal Entities* / Authentication Required?
Mail(SMTP) / 25 / FROM TO
HTTP / 80 / FROM TO
FROM TO
FROM TO
FROM TO
FTP / 21 / FROM TO
FROM TO
FROM TO
FROM TO
Telnet / 23 / FROM TO
FROM TO
FROM TO
FROM TO
FROM TO
FROM TO
FROM TO
FROM TO

Permitted Outbound Services

Please provide information on all IP services that will be permitted through the firewall to external servers:

* An Entity can be a subnet or a specific host. The external entity can be ALL for unrestricted host access.

Type of Service / Port Number / Permitted from which Internal Entities to which External Entities* / Authentication Required?
http / 80 / FROM TO
FROM TO
FROM TO
FROM TO
http-ftp / 21 / FROM TO
FROM TO
FROM TO
FROM TO
http-https / FROM TO
FROM TO
FROM TO
Telnet / 23 / FROM TO
FROM TO
FROM TO
FROM TO
Realaudio / 8080 / FROM TO
FROM TO
FROM TO
FROM TO
ftp / 21 / FROM TO
FROM TO
FROM TO
FROM TO
ftp-put only / FROM TO
FROM TO
FROM TO
ftp-get only / FROM TO
FROM TO
FROM TO
smtp / FROM TO
FROM TO
FROM TO
FROM TO

Authentication

What form of authentication will be used for remote access to the company's resources?
 Standard username/password  SecurID ACE  TACACS+  Radius  None

By default all access through the firewall is denied. Specific setup configuration to allow internal access to hosts inside the firewall and external access to the Internet must be configured.

For each of the following services, describe whether or not access is desired to connect one side of the firewall with the other. For each service where access is to be allowed, indicate whether strong authentication will be required to access the network. Strong authentication refers to the use of either hardware or software means to provide single-use passwords or reusable passwords.

Service / Intranet to LAN: Permitted? / Intranet to LAN: Strong Auth? (SecurID/Password) / Internet to LAN: Permitted? / Internet to LAN: Strong Auth? (SecurID/Password) / LAN to Internet: Permitted? / LAN to Internet: Strong Auth? (SecurID/Password)
TELNET
FTP
FTP-PUT
FTP-GET
HTTP (WWW)
NNTP
HTTP-FTP
HTTP-GOPHER
HTTP-HTTPS
REALAUDIO

Username and Passwords

X

Users Name / Login Name* / Password / Authentication Type / Firewall User Group

SMTP Mail Configuration

Do you have a central Email hub that should receive all mail for in? If so, provide its address.
IP Address of Mail Hub:
Host name of Mail Hub:
Please describe how you envision Email entering and leaving your network.
Should all outgoing Email from your domain have a sender address of in?
Note: this option only makes sense if there is a central hub for in
 Yes  No
Are there any special mail gateway systems internally that the firewall should “know” about? E.g., if you wish to set up virtual Email domains such as in or in, please list special domains or interconnections that you may require.

HTTP Service Information

Will you be using a HTTP Server?
Yes No If yes, will the HTTP Server be located on the:
Secure Customer Segment DMZ Segment Outside the firewall
HTTP Server Name ______ HTTP Server IP Address ______

If it is determined that a X firewall best suits your security needs you have the option to use X X
Will you want to restrict access to URLs using X X product? (additional fee)
Yes No
If so, what types of locations:
violence/profanity alcohol/beer/wine full nudity partial nudity militant/extremist
gross depictions  questionable/illegal/gambling  racism/ethnic impropriety
drugs/drug culture  satanic/cult sex education  sexual acts sports  search engines
If it is determined that a X firewall best suits your security needs you have the option to use the X to filter what sites users are allowed to access.
Will you want to restrict access to URLs using X on a X Firewall? (X)
Yes No
URL filter categories:
Category definitions may be found at
Sexuality 1 Sexuality 2  Adult Entertainment  Personal/Dating Alternative Journals
Games  Drugs  Alcohol/Tobacco  Racism/Hate  Militancy
Weapons  Hacking  Violence  Activist Groups  Illegal
Cult/New Age  Tasteless Web Chat  Abortion Advocacy
Religion  Politics  Job Search  Sports  Gay Lifestyles
Shopping  Travel  Vehicles  Entertainment  Gambling

News Server Configuration

If you currently run USENET news on your network (with an internal NNTP server), please answer the following:

Do you plan to gateway USENET NNTP traffic through the firewall?
 Yes  No
If yes, please provide:
IP Address of internal news server:
Host name of internal news server:
IP Address of upstream news server:
Host name of upstream news server:

Firewall Administration (Sprint Managed Customers Only)

What standard maintenance window can we use?
How would you like to be notified on critical issues?
Time Period ______ Method of Notification ______
How would you like to be notified on non-critical issues?
Time Period ______ Method of Notification ______

Final Notes

We would like your firewall installation to be as smooth as possible. If there are any other factors or special concerns to be aware of, please describe them here (e.g., X special standards, etc.).

Revision 1.0 Feb 10 1998
