
Internet Traffic Standard T1-303-PR1

1.0 Purpose and Scope

1.1 This standard defines the approved method for providing access to the Internet from AECOM networks and
IT devices. Internet access may only be provided and maintained while fully complying with this standard.

1.2 All AECOM facilities, regardless of geographic location, must comply with this standard. Any exceptions to
this standard will require a written business justification and written approval from the Chief Information
Security Officer (CISO).

2.0 Terms and Definitions

2.1 De-Militarized Zone (DMZ): A De-Militarized Zone is a physical or logical network that contains and exposes
an organization's external services, such as web servers, email servers or FTP servers, to a larger,
untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security
between the untrusted network and an organization's Local Area Network (LAN).

2.2 Ingress: The flow of data through a firewall from outside the AECOM private network to a destination inside
the private network.

2.3 Egress: The flow of data through a firewall from the AECOM private network to a destination outside of the
private network.

2.4 Global Network and Telecom Team (Network Team): The AECOM team which has responsibility for
management of firewalls, IT networks and various IT network devices.

2.5 Information Security Team: The AECOM team which develops security requirements for the AECOM
network.

2.6 Perimeter Device: A network device, such as a router or firewall that connects the private AECOM network
to an external network such as the Internet.

2.7 Point of Presence: An Internet Point of Presence (POP) is an access point to the Internet. It is a physical
location that may house servers, routers, firewalls and other pieces of perimeter equipment to ensure a
secure means of access.

2.8 Port: A port is a numbered transport-layer endpoint (0 to 65535) that, together with an IP address,
identifies the application a packet is intended for. Ports are used by the Internet Protocol Suite,
especially the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

2.9 Protocol: A protocol is a convention or standard that controls or enables the connection, communication,
and data transfer between computers.

2.10 Security Operations Center (SOC): The Security Operations Center is the AECOM information security
team responsible for certain information security functions such as monitoring and incident response.

2.11 Split-Tunnel: Remote offices may be connected to the AECOM Wide Area Network (WAN) using a private
tunnel through the Internet. With a split tunnel, only traffic destined for the AECOM WAN is sent through
the private tunnel; Internet-bound traffic leaves directly via the remote office's local Internet
connection and therefore bypasses the controls enforced at the WAN Internet Point of Presence (POP).

Internet Traffic Standard (T1-303-PR1)


Revision 0 July 2016
PRINTED COPIES ARE UNCONTROLLED. CONTROLLED COPY IS AVAILABLE ON COMPANY INTRANET. Page 1 of 4

© 2016 AECOM Restricted


3.0 References
None

4.0 Standard

4.1 All AECOM facilities must access the Internet via approved AECOM Internet Points of Presence (POP). This
will ensure that network traffic entering or leaving AECOM can be properly scrutinized for unauthorized
behavior.

4.2 All POPs must be authorized by the CISO or delegate.

4.3 All Internet POPs will be installed, configured and maintained by the Network Team. Under no
circumstances may any other AECOM worker, contractor, vendor, client or third party connect any device(s) to
the AECOM network in order to provide Internet access without prior authorization of the Network Team and
the CISO.

4.4 All POPs must include security controls which are selected, approved, maintained and monitored as
designated by the Network Team and Information Security Team.

4.5 All Internet POPs must have a firewall which is approved by the Network Team and Information Security
Team. The firewall must be centrally managed by the Network Team or a vendor authorized by the Network
Team.

4.6 All Internet egress traffic must pass through a web filter capable of blocking malicious traffic and access to
prohibited sites.
4.7 Unless specifically approved by the CISO or delegate, Split-Tunnelling will not be permitted.
4.8 Logging and monitoring of all perimeter devices and DMZ networks must be conducted as directed by the
SOC team. Exceptions must be approved by the CISO.
4.9 The Information Security team will be responsible for creating and maintaining an up-to-date list of approved
ports and protocols for ingress and egress traffic.
4.10 All devices configured to perform Internet ingress/egress must use only the ports and protocols approved by
the Information Security team.
4.11 If an Internet-related topic surfaces for which guidance has not been previously drafted, all decisions in that
regard will be made collaboratively by the Network Team and Information Security Team and must be
approved by the CISO. The outcome of those decisions will then be documented as part of this
standard.
4.12 Any exceptions to this standard will require a written business justification and written approval from the
Chief Information Security Officer.

4.13 Inbound Traffic

4.13.1 All traffic entering AECOM Internet Points of Presence must be directed to servers within approved
AECOM De-Militarized Zone (DMZ) networks.

4.13.2 Under no circumstances will any traffic originating from the Internet be allowed to enter the AECOM
internal network with the exception of authorized, encrypted VPN traffic. See Appendix A for a list
of approved ports for traffic destined to hosts within AECOM DMZs.



4.13.3 Access-Lists for inbound traffic MUST include the destination IP address / port within the DMZ of
the host to which the traffic is destined. In the case where traffic is only permitted from specific
sources, the source IP address / port must also be included.

4.14 Requesting a Port to be Opened at the Firewall

4.14.1 When requesting to have a port opened on any firewall, a formal change request must be
submitted to the Network Team. The request must be approved by the Network Team and the
Information Security Team and processed through the AECOM Change Management System.
4.14.2 If approved, identifying comments must be placed in the access-list immediately before the entry,
indicating the applicable Change Order number and the date of entry. All ports not part of the standard
set will be reviewed every six months by the Network Team and, if no longer required, removed from the
access-list.
4.14.3 When possible, exceptions to the standard set of ports must include the source and destination IP
address and port.
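The requirements in 4.13.3, 4.14.2 and Appendix A are mechanically checkable against an access-list export. The following script is an added example, not part of this standard and not an AECOM tool: it audits each inbound permit entry for a specific destination host, a preceding Change Order remark, a six-month review date, an approved destination port, and specific source addresses on SSH entries. The access-list text, the Change Order numbers, the host addresses and the ASA-like line syntax are all constructed for illustration; adapt the two regular expressions to the export format of the firewall actually in use.

```python
"""Audit an inbound firewall access-list against Internet Traffic Standard T1-303-PR1.

Checks implemented (section numbers refer to the standard):
  4.13.3      every permit must name a specific destination host and port
  4.14.2      every entry must be preceded by a remark carrying a Change Order
              number and date; entries older than six months are due for review
  4.10 / App A destination ports must be in the approved inbound set, and SSH
              entries must name specific source addresses
"""
import re
from datetime import date, timedelta

# Appendix A: approved TCP ports for inbound connections.
APPROVED_TCP_PORTS = {20, 21, 22, 25, 80, 443, 577}

# Constructed sample access-list in a simplified ASA-like syntax. Illustrative
# only; this is not an export from any real device.
SAMPLE_ACL = """\
access-list OUTSIDE_IN remark CO-1042 2016-03-15 SMTP gateway
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 host 192.0.2.25 eq 25
access-list OUTSIDE_IN remark CO-1077 2016-06-20 public web
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.80 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.22 eq 22
access-list OUTSIDE_IN remark CO-0911 2015-11-02 partner upload
access-list OUTSIDE_IN extended permit tcp host 198.51.100.7 host 192.0.2.21 eq 8443
access-list OUTSIDE_IN extended permit tcp any any eq 80
"""

# Remark format assumed by this example: "remark CO-<number> <YYYY-MM-DD> <free text>"
REMARK_RE = re.compile(r"\bremark (?P<co>CO-\d+) (?P<date>\d{4}-\d{2}-\d{2})")
PERMIT_RE = re.compile(
    r"\bextended permit (?P<proto>tcp|udp) "
    r"(?P<src>host \S+|any) (?P<dst>host \S+|any) eq (?P<port>\d+)\s*$"
)


def audit(acl_text, today, approved_ports=APPROVED_TCP_PORTS, review_after=timedelta(days=182)):
    """Return a list of (line_no, rule, message) findings for the permit entries."""
    findings = []
    pending_remark = None  # the remark that precedes the next permit line (4.14.2)
    for line_no, line in enumerate(acl_text.splitlines(), start=1):
        remark = REMARK_RE.search(line)
        if remark:
            pending_remark = (remark.group("co"), date.fromisoformat(remark.group("date")))
            continue
        permit = PERMIT_RE.search(line)
        if not permit:
            continue
        port = int(permit.group("port"))
        src, dst = permit.group("src"), permit.group("dst")

        if dst == "any":
            findings.append((line_no, "4.13.3", "destination must be a specific DMZ host"))
        if port not in approved_ports:
            findings.append((line_no, "App A", f"port {port} not in approved inbound set"))
        if port == 22 and src == "any":
            findings.append((line_no, "App A", "SSH entries must name specific source addresses"))
        if pending_remark is None:
            findings.append((line_no, "4.14.2", "no Change Order remark precedes this entry"))
        else:
            co, entered = pending_remark
            if today - entered > review_after:
                findings.append((line_no, "4.14.2", f"{co} entered {entered}; six-month review overdue"))
        pending_remark = None  # a remark covers only the entry that follows it
    return findings


def rules_by_line(findings):
    """Collapse findings to {line_no: sorted rule ids} for quick inspection."""
    out = {}
    for line_no, rule, _ in findings:
        out.setdefault(line_no, []).append(rule)
    return {k: sorted(v) for k, v in out.items()}


def audit_sample(today_iso="2016-07-15"):
    """Run the audit over the constructed sample as of the given date."""
    return audit(SAMPLE_ACL, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for line_no, rule, msg in audit_sample():
        print(f"line {line_no:2d} [{rule}] {msg}")
```

Run as of 2016-07-15, the sample yields findings only for lines 5 (SSH open to any source, no Change Order remark), 7 (port 8443 is not in Appendix A and the entry is past its six-month review) and 8 (destination "any", no remark); the SMTP and HTTPS entries pass. Re-running with a later date moves the older compliant entries into the review-overdue bucket, which is the periodic check 4.14.2 asks the Network Team to perform.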

5.0 Records
None

6.0 Attachments
6.1 Appendix A: Allowed TCP/IP ports for inbound connections



Appendix A

Allowed TCP/IP ports for inbound connections

Protocol  Port   Application  Comments
TCP       25     SMTP         Traffic is allowed ONLY from specific hosts and is directed to a specific SMTP gateway
TCP       20     FTP-Data     Traffic is allowed only to specific FTP hosts
TCP       21     FTP          Traffic is allowed only to specific FTP hosts
TCP       80     HTTP         Traffic is allowed only to specific HTTP hosts
TCP       443    HTTPS        Traffic is allowed only to specific HTTPS hosts
TCP       22     SSH          Traffic allowed ONLY to SSH termination devices (Juniper, Cisco ASA, etc.). Specific source addresses must be specified on all SSH ACLs.
TCP       577    IPass Roam   Traffic allowed ONLY from specific hosts and is directed to the Roam server
IPSEC     Multi  VPN          Traffic is allowed ONLY to specific VPN termination devices which provide access to the internal network
