When outsourcing your network protection policy to GEN we will implement a protection policy in one of the following classes.
Class 5:
A Firewalled environment with one or more services NAT'ed through the firewall, and/or routed in a public subnet. This type of environment presents numerous risk factors since both the network infrastructure and service providers require continuous security maintenance. This class of network protection would not be covered by any GEN Protection certification although we can enrol the site in our penetration testing programmes. Providing direct access to your network in this class would bring the entire infrastructure into scope for PCI and qualification would be highly unlikely.
Class 4:
A Firewalled environment with one of more services isolated from the LAN and routed on a public subnet. This type of environment presents numerous risk factors for the routed service providers, which will require continuous security maintenance. Provision of GEN-BSS would help to mitigate some risks, but there will always be primary infection vectors. This class of network protection would be covered by LAN certification and qualifies for service level agreements on LAN based infrastructure, and routed infrastructure on separate agreements. The routed subnet would be in scope for PCI and qualification would be difficult.
Class 3:
A Firewalled environment with full or cone NAT and no services directly accessible from the Internet. This type of environment provides a good level of protection especially when combined with GEN-SPI and GEN-BSS protection services. This class of network qualifies for GEN protection certification with mandatory penetration testing, as well as Service level Agreements. Remote access to services can be provided via proxied VLAN/VPN Services such as GEN-SAS or GEN-L2P. PCI Compliance would be likely via SAQ-D.
Class 2:
A Double Firewalled SPI environment with full NAT and a transparent or visible HTTP Proxy. Additionally ESP may be enabled to further enhance network protection. GEN-SPI is deployed by default and GEN-BSS is highly recommended. This class of network qualifies for GEN protection certification with mandatory penetration testing, as well as Service level Agreements. Remote access to services can be provided via proxied VLAN/VPN Services such as GEN-SAS or GEN-L2P. PCI Compliance would be likely via SAQ-D.
Class 1:
A Fully Class 1 SPI Firewalled environment with single NAT via HTTP Proxy and Military Grade IPS. GEN-BSS should be deployed by default and covered by a Service Level 10 or greater agreement. This class of network is certified by default and has mandatory penetration testing. Remote access to services can be provided by TPM (third party Mirroring) via GENRACK-D or similar services.
When introducing changes which may effect protection certification, a re-certification programme should be triggered to ensure the customer's coverage is uninterrupted.