WAN Domain Policies

A WAN is a network that covers a large geographical area. The Internet is an example of a WAN. A private WAN can be built for a specific organization to link offices across the country or globally. These types of WANs are constructed using dedicated leased lines, satellites, and/or microwave communications.

Typically, the LAN-to-WAN domain addresses many of the WAN connectivity standards. As a result, this domain’s standards tend to focus primarily on the WAN build-out and supporting components. Some organizations may not have any WAN-specific standards or policies. This is because many of the topics are often included in other domains.

Control Standards

When you do see WAN-specific standards, they address WAN management, Domain Name System (DNS), router security, protocols, and web services. The standards might call out specific security requirements for WAN devices such as routers, switches, and wireless devices.

A WAN control standard might include the following statements:

  • The IS department shall approve all access points to the WAN.
  • The IS department shall approve all physical and logical connections to the WAN that provide access to individuals or groups.
  • The IS department shall approve all WAN-related address changes and configurations.
  • Employees who plan to connect to the organization’s network must first sign an agreement to abide by the requirements outlined in the WAN Security Standard.

The business executive is often disconnected from the details of security management and any substantive discussion of the WAN. These more technical discussions have been limited in the past to a small group of skilled and technically savvy professionals. However, the increase in security breaches has gotten management’s attention. As threats become more prevalent and the infrastructure more complex, a data-level discussion has emerged within the business. “Where is my data?” is the question more and more executives are asking. This question impacts all domains, including the WAN domain. Increasingly, WAN domain policies will include what data may be sent outside the organization’s private network. The WAN standards–related questions include:

  • What types of connections are required?
  • What types of data are allowed to use these connections?
  • Who can authorize the creation of a WAN connection?
  • Who can authorize permission to send data outside the network?

NOTE

Enterprise data management (EDM) deals with how to create, integrate, secure, disseminate, and manage data across the enterprise. Larger organizations tend to deal with management of data as its own discipline, cutting across all domains. These organizations may have a dedicated EDM team.

Other standards related to the WAN domain may include:

  • WAN Router Security Standard—Describes the family of controls needed to secure the connection from the WAN router to the internal network.
  • Web Services Standard—Describes which controls are needed for use of web services from external partnerships and suppliers. This may include the use of web services security (Security Assertion Markup Language [SAML], Extensible Markup Language [XML] message integrity and confidentiality) and controls over the web services gateway device(s).

Baseline Standards

The lines between baseline and control standards can blur in the WAN domain. The reason is that the topics tend to focus on specific technology solutions such as routers, protocols, and web services. Many organizations tend to focus on a small set of network vendors such as Cisco Systems or Juniper Networks. Because the standards are often written with these technologies in mind, you can find a convergence of control and baseline standards in one document rather than two.

Procedures

Procedures in this domain tend to focus on configuration and maintenance of the WAN. This may include specific configuration procedures for WAN devices such as routers and firewalls.

These procedures track closely to change management procedures found in the LAN-to-WAN domain. For most organizations, the network team working on the LAN will be the same network team working on the WAN. As a result, you find the same procedures being used for LANs and WANs.

The Domain Name System (DNS) is the commonly used method of assigning meaningful website names on the Internet. It can also be used to assign meaningful names to any device on a private or public network. Conceptually, think of it as the difference between going to 123 Main St. and going to John’s house. In the Internet world, all devices have IP addresses (i.e., 123 Main St.), but it’s much easier and faster to remember a DNS name assigned to a website (i.e., John’s house). A DNS control procedure might be included in the WAN standard. This standard describes the requirements for obtaining and assigning a domain name for use by external parties. Approvals can be used to track domains and often include:

  • An explanation of how the domain will be used
  • A justification for using a new domain name
  • The server name and IP address where the DNS will be registered
  • Information on who will administer the domain name
  • The date of last vulnerability scan on the targeted server(s)

Guidelines

A web services guideline is one example of a WAN guideline. It describes when and how web services may be used. DNS management guidelines are another example; they offer recommendations on the use of DNS within the LAN and WAN environments.
