Secure Internet Gateway (SIG)

Secure Internet Gateway – fast, secure, affordable


A Secure Internet Gateway (SIG) provides safe access to the internet anywhere users go. With all traffic flowing through a SIG first, regardless of location, it provides the first line of defence and inspection. A SIG brings together remote employees, branch offices, cloud data centres and applications under secure network management that goes beyond the traditional web gateway or firewall. A SIG provides security, monitoring and logging up and down the stack from ports and IPs to people and places.

Leveraging our high-speed connections to the public Internet and to government, Vault’s SIG offering is also designed to provide a secure connection between public and sensitive networks. Gateways act as information flow control mechanisms at the network layer and may also control information at the higher layers of the Open Systems Interconnection (OSI) model.

Features Overview

  • Protection across all ports and protocols with strict deny by default
  • Protect devices on corporate networks
  • Roaming devices offered the same protection
  • Multi-factor authentication
  • Device authentication
  • Web filtering
  • TLS Proxying
  • Data Leak Prevention (DLP)
  • Policy Profiles for popular applications (e.g. MS Office)
  • 24/7 monitoring from SCEC Zone 5 level Secure Operations Centre (SOC)
  • Callbacks by malware, phishing and ransomware can be blocked
  • DNS request insights and blocking
  • Insights broken down by user and/or device
  • Separate secure logging server
  • ACSC ISM compliance
  • High Availability (HA)
  • Security cleared engineers
  • Regular audits and reviews

Secure Connectivity 

In addition to connecting to Vault’s cloud services, Vault’s SIG can be used to connect and secure public clouds, at no additional charge. Wherever your workload is, you can route it through the SIG to protect and monitor it.

Secure Operations Centre

Vault’s SIG is logged and monitored with purpose-built, powerful data analytics tools 24/7, every second of the year. We take security seriously, so this is orchestrated from our Security Operations Centre, which is built to meet the highest security standards, just like our cloud. The SCEC Zone 5 standard includes:


  • Air-locked windowless rooms
  • Minimal penetrations, treated to SCEC Zone 5 requirements
  • Acoustically rated, ballistics-resistant, 14-layer-thick walls
  • Strict access controls


ACSC Certified gateway architecture and configuration

Gateways are necessary to control data flows between security domains and prevent unauthorised access from external networks. Given the criticality of gateways in controlling the flow of information between security domains, any failure, particularly at higher classifications, may have serious consequences. As such, constant monitoring and robust mechanisms for alerting personnel to situations that may cause cyber security incidents are especially important.

Gateway operation

Our gateways provide logging and auditing capability to help detect cyber security incidents, including attempted network intrusions. This enables you to implement counter-measures to reduce the likelihood and consequence of future network intrusion attempts.

Event logs are stored on a separate secure log server increasing the difficulty for an adversary attempting to delete logging information or destroy evidence.


Vault’s SIG is built for government, compliant and certified to all ACSC controls in the Information Security Manual.


  • All systems are protected from systems in other security domains by one or more gateways.
  • All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model.
  • All gateways:
  1. are the only communications paths into and out of internal networks
  2. by default, deny all connections into and out of the network
  3. allow only explicitly authorised connections
  4. apply the guidance in the Guidelines for data transfers and content filtering
  5. are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network)
  6. provide sufficient logging and audit capabilities to detect cyber security incidents, attempted intrusions and overuse/unusual usage patterns
  7. provide real-time alerts.
  • All gateways connecting networks in different security domains are operated and maintained such that they:
  1. filter all network traffic attempting to enter the gateway and log subsequently permitted traffic
  2. log network traffic attempting to leave the gateway
  3. are configured to save event logs to a separate secure log server
  4. are protected by authentication, logging and auditing of all physical and logical access to gateway components
  5. have all security controls tested to verify their effectiveness after any changes to their configuration.
  • Demilitarised zones are used to broker access to services accessed by external entities, and mechanisms are applied to mediate internal and external access to less-trusted services hosted in these demilitarised zones.
  • A security risk assessment is performed on gateways and their configuration before their implementation.
  • A security risk assessment is performed on all systems before they are connected to a gateway.
  • All system owners of systems connected via a gateway understand and accept security risks associated with the gateway and any connected security domains, including those connected via a cascaded connection.
  • The security architecture of a gateway, and security risks associated with all connected security domains, including those connected via a cascaded connection, is reviewed at least annually.
  • Any associated security risk assessments are updated before changes are made to a gateway to ensure all relevant security risks have been documented and accepted.
  • All changes to a gateway architecture are considered prior to implementation, documented and assessed in accordance with the organisation’s change management process.
  • Gateways are subject to rigorous testing, performed at irregular intervals no more than six months apart, to determine the strength of security controls.
  • All users are trained on the secure use of gateways before access to systems connected to a gateway is granted.
  • Access to gateway administration functions is limited to the minimum roles and privileges to support the gateway securely.
  • System administrators are formally trained to manage gateways.
  • All system administrators of gateways are cleared to access the highest level of information communicated or processed by the gateway.
  • All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals.
  • Roles for the administration of gateways are separated.
  • For gateways between networks in different security domains, a formal arrangement exists whereby any shared components are managed by the system managers of the highest security domain or by a mutually agreed third party.
  • Once connectivity is established, system owners become information stakeholders for all connected security domains.
  • Users and services accessing networks through gateways are authenticated.
  • Only users and services authenticated and authorised to a gateway can use the gateway.
  • Multi-factor authentication is used for access to gateways.
  • ICT equipment accessing networks through gateways is authenticated.
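The default-deny, logging and alerting controls listed above (deny all connections by default, permit only explicitly authorised connections, log permitted inbound traffic and every outbound attempt, write events to a separate log server, and raise real-time alerts on attempted intrusions) can be modelled compactly. The Python below is an added illustration written for this page, not Vault’s gateway code or configuration: the allow rules, addresses and connection attempts are constructed sample data, and the threshold of five denied inbound attempts from one source before an alert is an arbitrary assumption.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """One connection attempt seen by the gateway (constructed sample data)."""
    direction: str  # "in" = entering the internal network, "out" = leaving it
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class AllowRule:
    """An explicitly authorised connection; anything matching no rule is denied."""
    direction: str
    proto: str
    dport: int
    src: Optional[str] = None  # None matches any source address
    dst: Optional[str] = None  # None matches any destination address

    def matches(self, flow: Flow) -> bool:
        return (
            self.direction == flow.direction
            and self.proto == flow.proto
            and self.dport == flow.dport
            and (self.src is None or self.src == flow.src)
            and (self.dst is None or self.dst == flow.dst)
        )


class LogServer:
    """Stand-in for the separate secure log server: the gateway can only append."""

    def __init__(self) -> None:
        self._events: List[Dict] = []

    def append(self, event: Dict) -> None:
        self._events.append(dict(event))

    def events(self) -> List[Dict]:
        return list(self._events)


class Gateway:
    """Default-deny gateway: no rule match means the flow is dropped."""

    def __init__(self, rules: List[AllowRule], log_server: LogServer,
                 alert_threshold: int = 5) -> None:
        self.rules = list(rules)
        self.log_server = log_server
        self.alert_threshold = alert_threshold  # assumed value, not a standard
        self.denied_inbound: Counter = Counter()
        self.alerts: List[str] = []

    def handle(self, flow: Flow) -> bool:
        permitted = any(rule.matches(flow) for rule in self.rules)
        verdict = "permit" if permitted else "deny"
        # Inbound: filter everything and log what is subsequently permitted.
        # Outbound: log every attempt to leave, whether permitted or not.
        if permitted or flow.direction == "out":
            self.log_server.append({
                "direction": flow.direction, "proto": flow.proto,
                "src": flow.src, "dst": flow.dst, "dport": flow.dport,
                "verdict": verdict,
            })
        # Denied inbound attempts feed intrusion detection and real-time alerting.
        if flow.direction == "in" and not permitted:
            self.denied_inbound[flow.src] += 1
            if self.denied_inbound[flow.src] == self.alert_threshold:
                self.alerts.append(
                    f"{flow.src}: {self.alert_threshold} denied inbound attempts")
        return permitted


def run_sample() -> Dict:
    """Run constructed traffic through a gateway with three allow rules."""
    rules = [
        AllowRule("in", "tcp", 443, dst="10.0.1.10"),          # DMZ web server
        AllowRule("out", "tcp", 443),                          # HTTPS to anywhere
        AllowRule("out", "udp", 53, dst="198.51.100.53"),      # sanctioned resolver only
    ]
    log_server = LogServer()
    gateway = Gateway(rules, log_server)
    flows = [
        Flow("in", "tcp", "203.0.113.5", "10.0.1.10", 443),    # permitted, logged
        Flow("in", "tcp", "203.0.113.5", "10.0.1.10", 22),     # denied, counted
        Flow("out", "tcp", "10.0.2.20", "198.51.100.7", 443),  # permitted, logged
        Flow("out", "udp", "10.0.2.20", "198.51.100.7", 53),   # denied but still logged
    ]
    # A port sweep from one source: five denials trigger a real-time alert.
    flows += [Flow("in", "tcp", "203.0.113.9", "10.0.1.10", p)
              for p in (21, 22, 23, 25, 3389)]
    verdicts = [gateway.handle(flow) for flow in flows]
    return {"verdicts": verdicts, "events": log_server.events(),
            "alerts": gateway.alerts}


if __name__ == "__main__":
    result = run_sample()
    for event in result["events"]:
        print(event)
    print(result["alerts"])
```

The asymmetry in what gets logged mirrors the controls above: inbound traffic is logged once it has been permitted, while every outbound attempt is recorded so that a blocked call-out (such as DNS to an unsanctioned resolver) still leaves evidence on the log server, which the gateway itself cannot modify or delete.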

Sign up to our portal to learn more, or get in touch by phone or email