Schedule 2s
Additional terms for Security Services
1. Security Service Description
This Schedule describes the additional terms and conditions applicable to the following Interoute Services:
3.
Security Services Fault Management Categories ............................................................................... 3
4.
DDoS Protection Service ..................................................................................................................... 4
5.
Email Filtering (non-hardware based) Services ................................................................................. 7
6.
Web Content Filtering (non-hardware based) Services..................................................................... 9
7.
Firewall Service ................................................................................................................................... 9
8.
Roaming IPsec/SSL Access ................................................................................................................ 12
9.
Roaming iPASS .................................................................................................................................. 13
10.
DMZ Service .................................................................................................................................. 13
11.
Managed Authentication Service................................................................................................. 15
12.
Web Content Filtering Service (hardware based) ....................................................................... 16
13.
IPS Service ..................................................................................................................................... 16
These Services can be acquired by the Customer as supplemental to other Services. The Charges for Security
Services will be set out in the applicable Purchase Order.
2. Definitions
In this Schedule, capitalised terms shall have the meaning ascribed to them below:
“2FA or Two-Factor Authentication Service” means the Deliverables and Services;
“2AP or 2FA Administration Portal” means an Internet portal that allows the Administrator, through a web
browser, to perform administrative functions including, but not limited to, assigning and de-assigning Devices to
End Users;
“Administrator” means any person the Customer designates to use 2AP to provision and support the End Users
and Devices purchased by the Customer;
“A-PoP or Authentication Point of Presence” means the designated part of the Interoute Network that
communicates with the Customer’s Authentication Node;
“Authentication Node” means any item of Customer Equipment that is configured to receive access requests from
End Users and to forward same along with the End Users’ credentials to 2FA for verification;
“Authentication Service” means an internet based service that validates the credentials of End Users passed to by
the Authentication Node;
“Black Holing” means discarding all data destined for a particular IP Address so that it does not disrupt the flow of
data to other IP Addresses;
“Critical Incident” is a Incident without which there will be a serious business impact to the Customer’s online
operation;
“Customer” the third party that Interoute directly sells service to;
“Customer Token Pool” means the inventory of Devices allocated to Customer and which the Administrator can
assign to End Users to be used by End Users for authentication;
“Customer Service Manual” means the manual that Interoute issues to the customer at the time of the service
being activated and handed over to the customer. The Customer service manual details the methods that
Interoute employs to support the service and the customer;
“Deliverable” means Hardware Devices and Software Devices;
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 1 of 20
Schedule 2s
Additional terms for Security Services
"Device(s)” means Hardware Devices and Software Devices;
“DDoS or Distributed Denial of Service” means a form of electronic attack involving multiple computers, which
send repeated requests to a server (web site) generating false traffic and rendering it inaccessible to valid users;
"End User" means anyone who uses an Interoute Service using the Customer’s access details;
“Event Log” means a log file which stores information about several events for future analysis;
“Fault” means an incident that would prevent the use (full or partial) of the Service;
“Firewall Policy” means the document provided to Interoute which states the Customer required rules for
Interoute to implement in the Firewall Service;
“Firewall Service” means an optional feature of the IP VPN, Internet or Hosting Service ordered on the applicable
Purchase Order comprising Internet Access and a Managed Firewall co-located within one of the Interoute Core IP
Nodes;
"Hardware Device(s)” means hardware tokens which may incorporate firmware (such as a key-fob token);
“Hub, The” means Interoutes online web portal (www.interoute.com/hub), a utility that Interoutes customers can
access to review the product they purchase from Interoute.
“IP Address” means the identifying number of a computer attached to the Internet. Every computer must have a
unique IP Address. IP Addresses are written as four sets of numbers separated by full stops: for example
123.345.63.2;
“IP Customers” means Customers who purchase Internet, VPN, Hosting, Managed or Unmanaged CPE or any other
Service type that relies upon the IP Protocol suite as its transport mechanism;
“IPS Appliance” means a physical device or a virtual device, systems, cabling and facilities provided by Interoute in
order to make the Managed IPS Service available to the Customer;
“IPS Detection Engine” means a feature of the IPS Service that is resident on the IPS Appliance purchased as part
of the IP Service;
“IPS Policy” means the document provided by the Customer to Interoute that states the Customer required rules
for Interoute to implement for the IPS Service;
“IPS Service” means an Intrusion Prevention Service for the supply and operation of IPS Appliance and IPS
Detection Engines and any corresponding Licensed Software and implementation of Customer’s IPS Policy within
an Interoute Co-Location facility or a Site;
“MAE” means Metropolitan Area Exchange;
“Managed CPE Firewall” means an optional feature of the Internet Access Service ordered on the applicable
Purchase Order comprising Internet Access and a Managed Firewall Service;
“Managed Firewall Equipment” means the Equipment, systems, cabling and facilities provided by Interoute in
order to make the Managed Firewall Service available to the Customer;
“Managed Firewall Service” means the optional feature of the Internet Service for the supply and operation of
Managed Firewall Equipment and Service and any corresponding Licensed Software and implementation of
Customer’s Firewall Policy within an Interoute Co-Location facility or a Site;
“Managed Object” means a Customer specific profile configured on Interoute’s DDoS Protection Service detailing
the IP addresses or autonomous system number to be protected by the Service.
“MAP” or MAS Administration Portal” means an Internet portal that allows the Administrator, through a web
browser, to perform administrative functions including, but not limited to, assigning and de-assigning Devices to
End Users;
“MAS or Managed Authentication Service” means the Deliverables and Services;
“NAP” means Network Access Point;
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 2 of 20
Schedule 2s
Additional terms for Security Services
“Non-Critical Request” is a request such as a request for information which has no immediate or significant impact
on the running of the Customer online operation;
“Secrets” means passwords, personal identification numbers, question and answer combinations or other
information that must be kept confidential and may be used by either Party to identify End Users or to prevent
anyone other than the End User from using 2FA;
"Secure Items” means Devices and Secrets;
“Software” means (i) Software Devices; and/or (ii) all other software provided by Interoute to Customer;
“Software Devices” means software tokens installed on generic hardware such as a PC, mobile phone or personal
digital assistant; and
“Working Hours” means 9.00 am-5.00 pm GMT on a Working Day in London;
Any other capitalised terms have the meanings set out in Schedule 1 or the applicable Additional Terms.
3.
Security Services Fault Management Categories
Security Incidents / Requests will be classified according to the following matrix:
Category
Definition
Service Affecting faults:
Critical
•
Unprotected Service hard down or Protected/Resilient service with both main and back up
not working (service affecting).
•
Unprotected/Protected/resilient service with severe degradation making service unusable.
•
Interconnect or platform failure.
NOTE: Full access for intrusive testing is assumed/agreed by the customer.
Degradation faults:
•
Degraded service but usable.
•
Major fault type - protected/resilient service working on back up with no impact to
performance.
•
Major fault type - partial loss of service (i.e. calls failing to one country).
•
Major fault type - first time connections.
Major
NOTE: Customer permission is required before intrusive testing is allowed.
Standard
•
Planned testing.
•
Single number failures.
•
Non service affecting threshold alerts (hosting services).
•
Change requests
Table Definitions:
•
Service Affecting (SA) - A Service Affecting Fault means any fault, repair or condition affecting the
applicable Service(s) as logged by Customer or Interoute. It should be remembered that fault restoration
time may be dependant on a third party provider in the case of complete network failure, and hence the
restoration timescales of the service/network provider themselves shall be adhered to. Interoute shall
provide full co-operation in rectifying these types of faults.
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 3 of 20
Schedule 2s
Additional terms for Security Services
•
Degradation (DA) - Degradation faults are defined as those faults, which cause a decrease in normal daily
traffic volumes i.e. high incidence of 'Packet Loss' or excessive 'latency'. These faults are defined as NonService Affecting Faults.
•
Non-Service Affecting (NSA) - Non-Service Affecting fault means any issue, repair or condition that does
not cause live disruption to Customer traffic. NSA faults raised outside normal Working Hours can be
deferred until next Working Day for resolution if both Parties agree.
•
SLA Parameters - The Service Levels are agreed in the Service related Additional Terms of the Agreement
between Customer and Interoute. All Service Level measurements are based on the criteria defined in
the Additional Terms. The Target Time to Repair (TTR) is specified in the relevant Additional Terms specific
to each Service.
Interoute reserves the right to decline any direct action to rectify any incident and fault unless the customer has
adhered to the Incident Management and Escalation procedures described in the Customer Service Manual.
4.
DDoS Mitigation Service
a.
The following terms and conditions apply where the Customer has indicated on an applicable Purchase Order
that they require DDoS Mitigation or where Interoute has advised the Customer that DDoS Mitigation is
required for the Service(s) they are purchasing. The Interoute DDoS Mitigation Service offers Customers the
ability to mitigate against DDoS attacks.
b.
Provision Of Service
The DDoS Mitigation Service comprises of the cleaning of the traffic directed towards the Customer’s website
– and includes:
I.
installation and maintenance of the Service on the relevant Equipment;
II.
configuration of a set of pre-defined monitoring parameters as specified by Interoute;
III.
monitoring of agreed parameters and status information via the Event Log.
c.
Monitoring and Detection – It is the Customer’s responsibility to monitor and detect abnormal or unusual
traffic. If any such behaviour is detected, Customer must inform Interoute immediately and request that the
DDoS Mitigation Service is enabled. Following this request, Interoute will work with the Customer to identify
when a DDoS attack is occurring.
d.
Cleaning and Mitigation - When Interoute is notified of an attack, traffic destined for the targeted IP address
or autonomous system number will be redirected by Interoute to its DDoS Mitigation infrastructure, for
inspection. Diverted traffic will be subjected to multiple layers of statistical analysis, active verification and
anomaly recognition to identify malicious sources, reveal abnormal behaviour and discard packets that do not
conform to the normal traffic pattern. Whilst traffic cleaning is underway it is envisaged that an increase in
latency will occur and during such periods Interoute’s standard service performance levels (Service Levels) will
not apply.
e.
Interoute will use reasonable endeavours to ensure that legitimate traffic is received as normally as possible
during an attack, and that the website user experience is affected as little as possible. In an attack,
countermeasures will be deployed by Interoute to ensure disruptions to operations are minimised, and
measures such as “Black Holing” will only be used by Interoute if all other measures have been deemed by
Interoute to have failed or will be likely to fail.
f.
Where Customer reports a Non-Critical Request to reconfigure the DDoS parameters, Interoute will use
reasonable endeavours to re-configure the Service parameters to achieve maximum DDoS Mitigation with
minimum processing overhead and traffic disruption.
g.
Interoute will monitor the Devices used by Interoute to provide this Service (via ICMP and SNMP) and
Interoute will configure them via secure connections.
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 4 of 20
Schedule 2s
Additional terms for Security Services
h.
The DDoS Mitigation Service neither offers nor provides:
i.
Load balancing of traffic or of the functionality of any Service, including Security Services
described herein
ii.
Direct access to Interoute’s network security or engineering staff. All initial contact between
the Customer and Interoute must be directed to Interoute’s Customer Service Centre.
iii.
Archival and storage of log files beyond thirty (30) days
iv.
Incident response, forensics and investigations
v.
Legal case preparation, PR incident support
vi.
Security consulting services (e.g. security policy design, security auditing, penetration
testing, contingency/disaster recovery planning, etc)
vii.
Security reporting and analysis
viii.
Permanent filtering or cleaning of traffic
Service Provision requirements
i.
In order to provide the Service, the following requirements apply:
i.
The Customer will not have access to any Equipment or Software required for the Service;
ii.
The Customer must specify the IP Addresses, IP Address ranges or the autonomous system
number for which the Customer desires the DDoS Protection Service to be activated, by
completing a form which Interoute will provide to the Customer
iii.
The Customer must provide Interoute with contact details for the departments and/or
people Interoute are to contact during a DDoS attack.
No Warranty
j.
This Service is designed to Mitigate the Customer and the Customer’s End Users from DDoS attacks. However,
Interoute does not warrant that it shall withstand these attacks on all occasions. Interoute reserve the right to
“Black Hole” any of the Customer traffic as required to protect the Interoute Network or its or its other
customers’ traffic.
Interoute’s DDoS Mitigation supports a maximum throughput of 20Gbps (“Maximum Throughput”). If the
Maximum Throughput is exceeded, the level traffic will be indiscriminately discarded by Interoute’s DDoS
Mitigation Service.
k.
Service Levels
i. Availability
Interoute will use reasonable efforts to ensure that the DDoS Mitigation Service is available to the
Customer 99% of any Monthly Review Period (“Service Availability”).
Percentage Service Availability is calculated per Monthly Review Period using the following formula:
(H-U)
P=
X 100
H
Where:
P is the percentage availability;
U is the total amount of minutes a Customer Service during that Monthly Review
Period for which the Service was unavailable;
H is the total number of minutes in that Monthly Review Period;
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 5 of 20
Schedule 2s
Additional terms for Security Services
Where Service Availability falls below this target during any Monthly Review Period, the Customer
will be entitled to Service Credits as follows:
Unavailability Duration below
target
Service Credits as % of Monthly Recurring Charge
≤ 0.25% below target
5%
≤ 0.75% below target
10%
≤ 1.5% below target
15%
≤ 2.5% below target
20%
≤ 3.5% below target
25%
> 3.5% below target
30%
Interoute will use reasonable endeavours to reach the following Service Levels:
ii. Response Times:
Response Time
Resolution Time
Critical
1 hour
4 hours
Major
4 hours
24 hours
Standard
24 hours
96 hours
Specific Product Responses
Enabling of DDoS Within 1 hour of Customer raising a trouble
Mitigation
ticket with Interoute
i. If the Customer requires any work for the provision of service to be undertaken outside of
normal Working Hours, or the Customer requests Non-Critical Request support beyond the
allocated number per calendar month, Interoute reserve the right to make a charge based
on the applicable professional services rate.
ii. Where Interoute can not resolve a Fault at the time the Customer reported the Fault to the
Customer’s satisfaction then Interoute will ask the Customer to provide a contact telephone
number to enable reports on progress with the Fault clearance to be made.
iii. Interoute will:
I.
provide advice by telephone;
II.
carry out tests and diagnostics on the Service;
III.
work to resolve the Fault within the agreed time period as stated in the table
set out above.
iv. If Interoute responds to and works on a reported Fault and it is subsequently found not to
be a Fault with the Service then a charge will be made based on the applicable rate.
iii. Service Changes
i. Should the Customer require changes to be made to the configuration or operation of the
DDoS Mitigation service once a DDoS Mitigation Service has been installed, the Customer
must contact Interoute via either Telephone, Fax, email or through the Interoute hub.
Configuration and service changes might be carried out free of charge depending on the
classification of the change. The following table shows all potential DDoS Mitigation service
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 6 of 20
Schedule 2s
Additional terms for Security Services
changes and whether they are deemed as chargeable items (Major Changes) or whether
they are included within the scope of the service (Minor Changes):
Types of Modifications
Major Change
Add Managed Object
Minor Change
Modification of a managed object
During the first full calendar month following the Ready for Service Date, the Customer shall be
entitled to request certain reasonable changes (to be determined by Interoute) which will be covered
by a non-recurring Charge.
Where the Customer requests a minor change to be carried out on their IPS Service, and where all of
the relevant information is provided by the Customer to Interoute, Interoute will endeavour to
complete all minor changes within one (1) working days from receiving such requests. As standard,
DDoS Customers are permitted to request up to three (3) minor change requests per calendar month
free of charge. Should a Customer request more than three (3) minor changes during a given month,
Interoute reserves the right to charge a one-off fee.
5.
Email Filtering (non-hardware based) Services
a.
The following terms and conditions apply where the Customer has indicated on a Purchase Order that they
require the Interoute Email Services and/or Web Content Filtering Service. These Services are provided to
Customers through Interoute’s third party supplier. The Email Filtering Service includes Anti-Virus, Malware
protection and Anti-Spam protection..
b.
The terms and conditions for the Email Service are available at www.interoute.com/legal. In addition to these
terms and conditions, Interoute will provide a first line support service to the Customer’s IT department which
shall include: call logging and basic technical trouble shooting. Interoute shall, at its sole discretion determine
what is classed as first line support. All other support shall be provided by Interoute’s third party supplier.
Except as set out in this Agreement, Interoute shall have no further liability in relation to these Services.
c.
Provided that it does not materially diminish the quality and functionality of the Service, Interoute reserves
the right to change its third party supplier of these Services with thirty (30) days notice to the Customer.
d.
Service Levels
i.
Availability
Interoute will use reasonable efforts to ensure that the E-Mail Filtering Service is available to the
Customer 99% of any Monthly Review Period (“Service Availability”).
Percentage Service Availability is calculated per Monthly Review Period using the following formula:
(H-U)
P=
X 100
H
Where:
P is the percentage availability;
U is the total amount of minutes during that Monthly Review Period for which the Service
was unavailable;
H is the total number of minutes in that Monthly Review Period;
Where Service Availability falls below this target during any Monthly Review Period, the Customer
will be entitled to Service Credits as follows:
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 7 of 20
Schedule 2s
Additional terms for Security Services
Unavailability
below target
Duration
Service Credits as % of Monthly Recurring Charge:
≤ 0.25% below target
5%
≤ 0.75% below target
10%
≤ 1.5% below target
15%
≤ 2.5% below target
20%
≤ 3.5% below target
25%
> 3.5% below target
30%
iv. Response Times:
Interoute will use reasonable endeavours to respond to requests within the following timescales in line
with section b above:
Response Time
Resolution Time
Critical
4 hour
24 hours
Major
24 hours
96 hours
Standard
24 hours
96 hours
i. If the Customer requires any work for the provision of service to be undertaken outside of
normal Working Hours, or the Customer requests Non-Critical Request support beyond the
allocated number per calendar month, Interoute reserve the right to make a charge based
on the applicable professional services rate.
ii. Where Interoute can not resolve a Fault at the time the Customer reported the Fault to the
Customer’s satisfaction then Interoute will ask the Customer to provide a contact telephone
number to enable reports on progress with the Fault clearance to be made.
I.
Interoute will provide advice by telephone;
II.
carry out tests and diagnostics on the Service;
III.
work to resolve the Fault within the agreed time period as stated in the table
set out above.
iii. If Interoute responds to and works on a reported Fault and it is subsequently found not to
be a Fault with the Service then a charge will be made based on the applicable rate.
v. Service Changes
Should the Customer require changes to be made to the configuration or operation of the Email
Filtering service once an Email Filtering Service has been installed, the Customer must contact Interoute
via either Telephone, Fax, email or through the Interoute hub. Configuration and service changes might
be carried out free of charge depending on the classification of the change. The following table shows
all potential Email Filtering service changes and whether they are deemed as chargeable items (Major
Changes) or whether they are included within the scope of the service (Minor Changes):
Types of Modifications
Major Change
Add/Remove Users from a Customers
domain(s)
Add/Remove Domain(s)
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 8 of 20
Minor Change
Schedule 2s
Additional terms for Security Services
During the first full calendar month following the Ready for Service Date, the Customer shall be
entitled to request certain reasonable changes (to be determined by Interoute) which will be covered
by a non-recurring Charge.
Where the Customer requests a minor change to be carried out on their Email Filtering Service, and
where all of the relevant information is provided by the Customer to Interoute, Interoute will
endeavour to complete all minor changes within one (1) working day from receiving such requests. As
standard, Email Filtering Customers are permitted to request up to three (3) minor change requests
per calendar month free of charge. Should a Customer request more than three (3) minor changes
during a given month, Interoute reserves the right to charge a one-off fee.
vi. Exclusions
i. Interoute shall not be liable to the Customer for the direct support of End Users of the E-Mail
Filtering Service;
6.
Web Content Filtering (non-hardware based) Services
a.
The following terms and conditions apply where the Customer has indicated on a Purchase Order that they
require the non-hardware based Web Content Filtering Service. These Services are provided to Customers
through Interoute’s third party supplier. The Web Content Filtering Service includes Web Anti Virus, Web Anti
Spyware and Web URL filtering (as defined in the terms and conditions referenced below).
b.
The terms and conditions for the Web Content Filtering Service are available at www.interoute.com/legal. In
addition to these terms and conditions, Interoute will provide a first line support service to the Customer’s IT
department which shall include: call logging and basic technical trouble shooting. Interoute shall, at its sole
discretion determine what is classed as first line support. All other support shall be provided by Interoute’s
third party supplier. Except as set out in this Agreement, Interoute shall have no further liability in relation to
these Services.
c.
Provided that it does not materially diminish the quality and functionality of the Service, Interoute reserves
the right to change its third party supplier of these Services with thirty (30) Days notice to the Customer.
7.
Firewall Service
a.
The following terms and conditions apply where IP Customers have indicated on a Purchase Order that they
require the Firewall Service.
b.
The Firewall Service is provided to IP Customers who require public Internet access delivered through one
central point. The Service offers controlled and mediated public Internet Access through a central
interconnect between the Customer VPN and the public Internet. This feature is known as Firewall. Firewall is
delivered as a central 100Mb/s or 1 Gb/s connection provided in one of Interoute’s facilities. Interoute shall
provision a centrally managed firewall device and security policy for this purpose.
c.
Where the Firewall Service is purchased the Customer agrees and warrants to own, maintain and keep a
Firewall Policy and undertakes to keep Interoute fully informed of the Firewall Policy and to notify Interoute of
any changes to it immediately. Where requested by Interoute, the Customer shall provide a copy of the said
Firewall Policy to Interoute.
d.
The Customer acknowledges and accepts that Interoute shall not be responsible for or liable for any security
breach or failure resulting from the Customer’s Firewall Policy and Interoute shall not be obliged to supply,
advise or comply with the Customer’s Firewall Policy.
e.
Where the Customer has purchased the Firewall Service, the Customer agrees that it has assessed for itself
the suitability of the Firewall Service for its requirements based on the Firewall Policy. Interoute does not
warrant that the Firewall Service will meet such requirements or that the Firewall Service will operate in the
particular circumstances in which it is used by the Customer or that any use will be uninterrupted or error
free.
f.
The Parties acknowledge that it is technically impracticable to provide the Firewall Policy Service free of faults.
However, without prejudice to the generality of the foregoing, Interoute shall endeavour to provide the
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 9 of 20
Schedule 2s
Additional terms for Security Services
Services in accordance with the relevant Service Levels detailed below. Interoute endeavours to carry out
maintenance work, updating, remedy, repair or reconnection of Customer Equipment, and the Services in
accordance with the provisions contained within this Agreement.
g.
Service Levels
i.
Availability for the Firewall Service
Service type used when connecting to the Interoute IP
Network
Target Site Availability
Firewall Service
99.95%
Percentage Site Availability is calculated per Monthly Review Period using the following
formula:
(H-U)
P=
X 100
H
Where:
P is the percentage availability;
U is the total amount of minutes during that Monthly Review Period for which the Service was
unavailable;
H is the total number of minutes in that Monthly Review Period;
Where Site Availability falls below the applicable Target Site Availability during any Monthly Review Period, the
Customer will be entitled to Service Credits as follows:
Service Availability for each applicable Site
during Monthly Review Period falling below
target Availability by
Service Credits as % of the applicable Site
Monthly Charge
Up to 1%
5%
Up to 2%
10%
Up to 3%
15%
More than 3%
20%
Service Credits are the sole and exclusive remedy for any cause of action arising out of the failure of the Firewall
Service.
ii.
Response Times:
Interoute will use reasonable endeavours to respond to requests within the following timescales:
Response Time
Resolution Time
Critical
1 hour
4 hours
Major
2 hours
8 hours
Standard
6 hours
24 hours
i. If the Customer requires any work for the provision of service to be undertaken outside of
normal Working Hours, or the Customer requests Non-Critical Request support beyond the
allocated number per calendar month, Interoute reserve the right to make a charge based
on the applicable professional services rate.
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 10 of 20
Schedule 2s
Additional terms for Security Services
ii. Where Interoute can not resolve a Fault at the time the Customer reported the Fault to the
Customer’s satisfaction then Interoute will ask the Customer to provide a contact telephone
number to enable reports on progress with the Fault clearance to be made.
i. Interoute will provide advice by telephone;
ii. carry out tests and diagnostics on the Service;
iii. work to resolve the Fault within the agreed time period as stated in the table
set out above.
iii. If Interoute responds to and works on a reported Fault and it is subsequently found not to
be a Fault with the Service then a charge will be made based on the applicable rate.
iii.
Service Changes
Should the Customer require changes to be made to the configuration or operation of the Firewall
service once an Firewall Service has been installed, the Customer must contact Interoute via either
Telephone, Fax, email or through the Interoute hub. Configuration and service changes might be
carried out free of charge depending on the classification of the change. The following table shows all
potential Firewall service changes and whether they are deemed as chargeable items (Major
Changes) or whether they are included within the scope of the Service (Minor Changes):
Types of Modifications
Major Change
Minor Change
Add/Delete/Modify specific filtering Rule
Add/Delete/Modify PAC configuration file
Add/Delete Users
Add/Delete IP Address
Add/Delete/Modify Zone Profile
Produce Attack Log
Protect Zone
Switch Zone to learning
Add/Delete/Modify specific Filtering rule
Add/Delete/Modify specific detection rule
Add/ Change/ Delete Firewall Rules for existing firewall
customer
Providing Firewall Log files to Internet Central customers
IP Address Change Remote Access (per site)
Cycling shared security secret for Remote Access users
Adding for Network Address Translations (NAT)
Changing NAT
Remove NAT
During the first full calendar month following the Ready for Service Date, the Customer shall be
entitled to request certain reasonable changes (to be determined by Interoute) which will be covered
by a non-recurring Charge.
Where the Customer requests a minor change to be carried out on their Firewall Service, and where
all of the relevant information is provided by the Customer to Interoute, Interoute will endeavour to
complete all minor changes within one (1) working days from receiving such requests. As standard,
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 11 of 20
Schedule 2s
Additional terms for Security Services
Firewall Customers are permitted to request up to three (3) minor change requests per calendar
month free of charge. Should a Customer request more than three (3) minor changes during a given
month, Interoute reserves the right to charge a one-off fee.
8.
Roaming IPsec/SSL Access Services
a.
The following terms and conditions apply where IP Customers (who have also purchased the Firewall Service)
have indicated on a Purchase Order that they require the Roaming IPsec/SSL Access Service to use with their
IPVPN Service. This Service is provided to Customers who have End Users that require access to corporate
resources on the IPVPN Service from non-fixed locations. Interoute can provide the Remote Access feature
using an IPsec client on mobile devices such as laptops or provide access based on SSL (Secure Socket Layer).
b.
The terms and conditions for the Roaming IPsec/SSL Access Service are available at www.interoute.com/legal.
In addition to these terms and conditions, Interoute will provide a support service to the Customer’s IT
department. Except as set out in this Agreement, Interoute shall have no further liability in relation to these
Services.
c.
Provided that it does not materially diminish the quality and functionality of the Service, Interoute reserves
the right to change its third party supplier of these Services without notice to the Customer.
d.
Service Levels
i.
Service Changes
Should the Customer require changes to be made to the configuration or operation of the Roaming
IPSec/SSL service once an Roaming IPSec/SSL Service has been handed over to the customer, the
Customer must contact Interoute via either Telephone, Fax, email or through the Interoute hub.
Configuration and service changes might be carried out free of charge depending on the classification
of the change. The following table shows all potential Roaming IPSec/SSL service changes and
whether they are deemed as chargeable items (Major Changes) or whether they are included within
the scope of the service (Minor Changes):
Types of Modifications
Major
Change
Minor
Change
Roaming IPSec Service
Add Remove Remote Users
Roaming IPSec Service
Provide Usage Report
Roaming IPSec Service
Cycling shared security secret for
Remote Access users
Roaming IPSec Service
Request Two-Factor Authentication
Tokens
Roaming SSL Service
Add SSL configuration file/tunnel group
Roaming SSL Service
Delete SSL tunnel group
Roaming SSL Service
Provide Usage Report
Roaming SSL Service
Request Two-Factor Authentication
Tokens
*The maximum amount of users is dependant on the capability of the firewall
During the first full calendar month following the Ready for Service Date, the Customer shall be
entitled to request certain reasonable changes (to be determined by Interoute) which will be covered
by a non-recurring Charge.
Where the Customer requests a minor change to be carried out on their Roaming IPSec/SSL Service,
and where all of the relevant information is provided by the Customer to Interoute, Interoute will
endeavour to complete all minor changes within one (1) working day from receiving such requests. As
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 12 of 20
Schedule 2s
Additional terms for Security Services
standard, IPSec/SSL Customers are permitted to request up to three (3) minor change requests per
calendar month free of charge. Should a Customer request more than three (3) minor changes during
a given month, Interoute reserves the right to charge a one-off fee.
9.
Roaming iPASS Service
a.
The following terms and conditions apply where IP Customers have indicated on a Purchase Order that they
require the Interoute Roaming iPASS Service. This Service is provided to Customers who have End Users that
require Internet access from non-fixed locations.
b.
The terms and conditions for the Roaming iPASS Service are available at www.interoute.com/legal . All other
support shall be provided by Interoute’s third party supplier. Except as set out in this Agreement, Interoute
shall have no further liability in relation to these Services.
c.
Provided that it does not materially diminish the quality and functionality of the Service, Interoute reserves
the right to change its third party supplier of these Services with thirty (30) days notice to the Customer.
d.
Service Levels
i.
Service Changes
Should the Customer require changes to be made to the configuration or operation of the Roaming
iPASS service once an Roaming iPASS Service has been handed over to the customer, the Customer
must contact Interoute via either Telephone, Fax, email or through the Interoute hub. Configuration
and service changes might be carried out free of charge depending on the classification of the
change. The following table shows all potential Roaming iPASS service changes and whether they are
deemed as chargeable items (Major Changes) or whether they are included within the scope of the
service (Minor Changes):
Types of Modifications
Provide Usage Report
Major
Change
Minor
Change
During the first full calendar month following the Ready for Service Date, the Customer shall be
entitled to request certain reasonable changes (to be determined by Interoute) which will be covered
by a non-recurring Charge.
Where the Customer requests a minor change to be carried out on their Roaming iPASS Service, and
where all of the relevant information is provided by the Customer to Interoute, Interoute will
endeavour to complete all minor changes within one (1) working day from receiving such requests. As
standard, iPASS Customers are permitted to request up to three (3) minor change requests per
calendar month free of charge. Should a Customer request more than three (3) minor changes during
a given month, Interoute reserves the right to charge a one-off fee.
e.
Exclusions
ii.
Interoute shall not be liable to the Customer for the direct support of End users of the iPASS Roaming
Service.
10. DMZ Service
a.
The DMZ Service provides a separate security zone configured on a Firewall device where Interoute provides a
Firewall Service.
b.
The following terms and conditions apply where IP Customers have indicated on a Purchase Order that they
require the DMZ Service.
c.
The DMZ Service is provided only in conjunction with a new or existing Firewall Service. The DMZ Service(s) is
directly connected, or related to its Firewall Service.
d.
Single or multiple incidents of the DMZ Service can be related to one (1) Firewall Service.
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 13 of 20
Schedule 2s
Additional terms for Security Services
e.
Service Credits are the sole and exclusive remedy for any cause of action arising out of the failure of the DMZ
Service.
f.
Where an Internet Access Customer has purchased the DMZ Service, it is the Customer’s responsibility to
ensure that the Firewall Policy takes into account the presence of a DMZ Service and that the same conditions
of implementation, record keeping and security control incumbent on the Customer apply when a DMZ
Service is present within the Firewall Policy.
g.
Where the DMZ Service is purchased the Customer agrees and warrants to own, maintain and keep a Firewall
Policy and undertakes to keep Interoute fully informed of the Firewall Policy and to notify Interoute of any
changes to it immediately. Where requested by Interoute, the Customer shall provide a copy of the Firewall
Policy to Interoute.
h.
The Customer acknowledges and accepts that Interoute shall not be responsible for or liable for any security
breach or failure resulting from the Customer’s Firewall Policy in relation to the DMZ Service and Interoute
shall not be obliged to supply, advise or comply with the Customer’s Firewall Policy.
i.
The Parties acknowledge that it is technically impracticable to provide the DMZ Service free of faults.
However, without prejudice to the generality of the foregoing, Interoute shall endeavour to provide the
Services in accordance with the relevant Service Levels detailed within this Schedule 2S.
j.
Service Levels
i.
Availability
The Interoute DMZ Service is wholly reliant on the Customers Interoute Firewall service and as a
direct result the Service Availability attributed to Firewall Service applies to Interoutes DMZ service.
i.
Response Times:
The Interoute DMZ Service is wholly reliant on the Customers Interoute Firewall service and as a
direct result the Response Times attributed to Firewall Service applies to Interoutes DMZ service.
ii.
DMZ Service Changes
The Interoute DMZ Service is wholly reliant on the Customers Interoute Firewall service and as a
direct result the Service Changes attributed to Firewall Service applies to Interoutes DMZ service.
11. Managed Two Factor Authentication Service
a.
The following terms and conditions apply where IP Customers require additional security to remote
access to their network or resources, either as a complement to Roaming IPsec/SSL Services they have
indicated on a Purchase Order, or as an independent authentication service they will be making use via
their own equipment or systems. This additional fully Managed Two Factor Authentication Service uses
two factor authentication (2FA) Secure Tokens to access the Customer’s network. In order to permit
access to the Customer’s resources or network, the End User must have their username, password and
(if applicable) the token in their possession.
b.
The end user schedules applicable to the Managed Two Factor Authentication Service which supplement
the terms and conditions contained within this Schedule 2S are available at www.interoute.com/legal. In
addition to the terms and conditions set out in the end user schedules, Interoute will provide a first line
support service to the Customer’s Administrator which shall include; call logging and basic technical
trouble shooting. Interoute shall, at its sole discretion determine what is classed as first line support.
Interoute provide the first line support service between the hours of 08:00 and 18:00, Monday to Friday
Central European Time (CET). All other support shall be provided by the third party supplier identifiable
through the URL above. Except as set out in this Agreement, Interoute shall have no further liability in
relation to these Services.
c.
Provided that it does not materially diminish the quality and functionality of the Service, Interoute
reserves the right to change its third party supplier of these Services without notice to the Customer.
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 14 of 20
Schedule 2s
Additional terms for Security Services
d.
Optional Managed Authentication Services
i. Provisioning: Interoute will ensure the tokens are initialised for use on the Managed Two
Factor Authentication Service and will deliver any hardware Devices to the Customer at a single
delivery address outlined on the relevant Purchase Order. It shall be the Customer’s
responsibility to distribute hardware tokens or any software to their End Users.
ii. Customer setup: Interoute will provide reasonable assistance to Customer in the set up of its
Authentication Node, including adding the Authentication Node details into 2AP
st
iii. Technical Support: Interoute will provide 1 line technical support relating to any aspect of the
Managed Two Factor Authentication Service to the Administrator for the Term of this
Agreement. Interoute will not provide technical support to End Users.
iv. For the avoidance of doubt, the Administrator is solely responsible for the following:
1.
Managing profiles, permissions and other aspects in respect of setting up and
maintaining End Users within the system;
2.
Providing information and instructions to End Users to enable authentication using the
Managed Authentication Service;
3.
Unlocking, resetting and re-synchronising Devices;
4.
Diagnosing and replacing faulty and broken or lost Devices;
5.
Managing the operation of the Authentication Node(s);
6.
Gaining usage reports from the administration portal.
v. Software Devices are provided to the Customer directly by Interoute’s 2FA partner on an “as is”
basis. It is the responsibility of the Customer to satisfy itself that the Software Devices will
function in the way required and with the equipment it wishes to use them on. Interoute does
not support any issues that may be caused by the use of the Software Devices and will not deal
with issues relating to them directly. Should any issues arise, the Customer must contact
Interoute and Interoute will forward issues to the 2FA partner.
vi. The 2FA partner validates the use of the tokens on the generally available versions of the
operating systems as advised by Interoute.
vii. Interoute shall have no further responsibility and/or liability to the Customer in relation to the
Managed Two Factor Authentication Service.
e.
Service Levels
i. Service Changes Should the Customer require changes to be made to the configuration or
operation of the Managed Two Factor Authentication Service once a Managed Two Factor
Authentication Service has been handed over to the Customer, the Customer must contact
Interoute via either Telephone, Fax, email or through the Interoute Hub. Configuration and
Service changes might be carried out free of charge depending on the classification of the
change. The following table shows all potential Managed Two Factor Authentication Service
changes and whether they are deemed as chargeable items (Major Changes) or whether they
are included within the scope of the Service (Minor Changes):
Major Change
Request More Tokens
(Hardware/Software)
Provide Usage Report
Minor Change
During the first full calendar month following the Ready for Service Date, the Customer shall
be entitled to request certain reasonable changes (to be determined by Interoute) which will
be covered by a non-recurring Charge.
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 15 of 20
Schedule 2s
Additional terms for Security Services
Where the Customer requests a minor change to be carried out on their Managed Two
Factor Authentication Service, and where all of the relevant information is provided by the
Customer to Interoute, Interoute will endeavour to complete all minor changes within one
(1) working day from receiving such requests. As standard, Managed Two Factor
Authentication Customers are permitted to request up to three (3) minor change requests
per calendar month free of charge. Should a Customer request more than three (3) minor
changes during a given month, Interoute reserves the right to charge a one-off fee.
12. Web Content Filtering Service (hardware based)
a.
The following terms and conditions apply where IP Customers (who have also purchased the Firewall Service)
have indicated on a Purchase Order that they require a hardware based web filtering service. The Interoute
Web Content Filtering Service is an appliance based Service that provides corporate Customers with a solution
to manage their own corporate Internet access policy.
b.
It is the Customer’s responsibility to set its policies, allowing them to decide what content corporate Internet
access End Users are allowed to see.
c.
The hardware associated with the Interoute Content Filtering Service is specific to each Customer and allows
the Customer to have their own specific policy on the appliance according to corporate guidelines and
individual requirements.
d.
The Interoute Web Content Filtering Service must be provisioned in conjunction with the Firewall Service, and
can only be sold in the same Interoute co-location facility that is used for the Firewall Service.
e.
This managed Service includes daily updates of the URL categorisation database, which are uploaded onto the
appliance daily.
f.
In the event of hardware failure, Interoute will use reasonable endeavours to ensure hardware replacements
are delivered to the Customer by the next Working Day. Although the appliance will block all traffic in the
event of a hardware failure, Interoute will as soon as reasonably practicable and upon Customer request
implement a change to allow the Customer to have unfiltered Internet access directly via the Firewall Service.
g.
Interoute is not responsible for the Customers rules and/or policies. Further, Interoute accepts no liability in
relation to such rules and/or policies or their content.
h.
The Customer is responsible for advising Interoute of any websites it requires to be blocked.
i.
Interoute will use reasonable endeavours to provision Customer requests as soon as reasonably possible.
j.
Service Availability
i.
Interoute shall use reasonable endeavours to ensure the Web Content Filtering Service is
available 99.5% during any Monthly Review Period. Interoute shall have no liability to the
Customer in relation to the Interoute Web Content Filtering Service. Service Credits are not
applicable to this Service.
13. IPS Service
a.
The following terms and conditions apply where IP Customers have indicated on a Purchase Order that they
require the IPS Service.
b.
The IPS Service is provided to IP Customers who require protection from malicious attacks against their
infrastructure from internal and/or external sources depending on the deployment topology that the
Customer chooses. IPS identifies the pattern of an attack and depending on the rule sets inherent in the
system or those applied by the Customer’s approved technical teams, blocks such attacks whilst legitimate
traffic remains unaffected. IPS is delivered as a network based Service in either a central or distributed model.
Interoute will provision an appropriately scaled device dependant on the Customer’s requirements.
Acceptable requirements are gathered by Interoute from the Customer during an initial consultation period
and recorded.
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 16 of 20
Schedule 2s
Additional terms for Security Services
c.
Where the IPS Service is purchased the Customer agrees and warrants to own, maintain and keep a IPS Policy
and undertakes to keep Interoute fully informed of the IPS Policy and to notify Interoute of any changes to it
immediately. Where requested by Interoute, the Customer shall provide a copy of the IPS Policy to Interoute.
d.
The Customer acknowledges and accepts that Interoute shall not be responsible or liable for any security
breach or failure resulting from the Customer’s IPS Policy. Interoute does not review, advise or provide
customer IPS Policies.
e.
Where the Customer has purchased the IPS Service, the Customer agrees that it has assessed for itself the
suitability of the IPS Service and confirms that the IPS Service provided by Interoute meets its requirements.
Interoute does not warrant that the IPS Service will meet such requirements or that the IPS Service will
operate in the particular circumstances in which it is used by the Customer or that any use will be
uninterrupted.
f.
The Parties acknowledge that it is technically impracticable to provide the IPS Service free of faults. However,
without prejudice to the generality of the foregoing, Interoute shall endeavour to provide the Services in
accordance with the relevant Service Levels detailed below. Interoute endeavours to carry out maintenance
work, updating, remedy and/or repair in accordance with the provisions contained within this Agreement.
g.
The management of the IPS Service is provided by Interoute at its two network operational centres, in Prague
and Geneva. Critical event data (as defined in ‘l’ below) is passed between the Customer’s IPS Service
components and Interoute management systems at these locations. Additionally, event data that may contain
transactional information is captured on customer dedicated management systems, these systems are
deployed by Interoute on Interoute secure infrastructure at locations within Interoute’s European network.
h.
Service Availability for the IPS Service
Service type used when connecting to the Interoute IP
Network
Target Site Availability
IPS Service
99.95%
Percentage Site Availability is calculated per Monthly Review Period using the following formula:
(H-U)
X 100
P=
H
Where:
P is the percentage availability;
U is the total amount of minutes a Customer Site during that Monthly Review
Period for which the Service was unavailable;
H is the total number of minutes in that Monthly Review Period;
Where Site Availability falls below the Target Site Availability during any Monthly Review Period, the Customer
will be entitled to Service Credits as follows:
i.
Service Availability for each applicable Site
during Monthly Review Period falling below
Target Availability by:
Service Credits as % of the applicable Site
Monthly Charge:
Up to 1%
5%
Up to 2%
10%
Up to 3%
15%
More than 3%
20%
Planned Maintenance Exclusions
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 17 of 20
Schedule 2s
Additional terms for Security Services
The following activities are considered by Interoute to be necessary for the IPS Service to function correctly. In
addition to the exclusions in clause 9 of Schedule 1, Service Credits will not be payable by Interoute to the
Customer for the IPS Service where the failure to meet a Service Level is caused by any of the following:
j.
•
Planned maintenance;
•
Maintenance and modification of the IPS;
•
Backing-up the IPS configuration and policy;
•
Signature management and maintenance, with new signatures being downloaded to the IPS on an
hourly basis;
•
Platform updates, with patches and version upgrades applied on a monthly basis.
Support
Interoute provides support for the IPS Service and maintains connectivity and administrative control of the IPS
appliance(s) and application at all time.
a.
Interoute supports
i. The IPS Appliance, in line with the Service Availability section above;
ii. The management of the Licensed Software and application resident on that appliance(s)
including software updates, vulnerability updates and signature updates;
iii. The provision of management reporting to the Customer’s nominated contact;
iv. The Customer’s nominated technical department and Customer end user management.
k.
l.
The Customer is provided with delegated access to their specific IPS management system for resource and
reporting capabilities. It is the Customer’s responsibility to control:
a.
The IPS Policy for the IPS Appliance within their Service and how that may affect their business and
that of their End Users; and
b.
the handling of all issues and faults for their End Users
Event classification
IPS Events (as defined below) are assigned a severity level depending on the type of attack, age, threat and
impact of the attack;
Event Table
Priority
Impact
Event Description
Action Taken
Low
Unknown
No direct threat, but may contain
information indicative of
attempted intrusion activity
Store for a period of time for
forensic purposes, view available on
the Customer portal.
Currently
Not
Vulnerable
A malevolent packet (a
deprecated attack or intrusive
enumeration) sent to the target
representing no direct threat to
operation. A medium alert would
not impact the operation or the
logical access controls of a
system.
Automated event analysis. Trend
analysis and correlation with other
events available on the Customer
portal.
Medium
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 18 of 20
Schedule 2s
Additional terms for Security Services
Attack on the target, representing
a real potential threat and having
an impact on the availability or
Target must be analysed by the
Potentially security of a systems and its data
Customer to identify if it was
Vulnerable i.e. service interruption, data
compromised or a false positive.
integrity loss or data exposure,
injection of malicious code or
software, etc.
High
Significant evidence of ongoing
actual system compromise.
Multiple high events
Vulnerable corroborated by supporting
Escalation to the Customer.
system evidence (i.e. defaced
website, system unavailable or
maxed bandwidth/cpu).
The Event to Alert time defines the maximum time between the moment the alarm is raised on the IPS
platform, its analysis and information communicated to the Customer. These are shown in the table below:
Threat Level
Time
Communication Media
Alert to Response
High/Vulnerable
Any
Email Alert
Customer Portal
30 Minutes
High/Potentially
Vulnerable
Any
Daily Email Report
Customer Portal
N/A
Low/Medium
Not Vulnerable/
Unknown
Any
Monthly Report
Customer Portal
N/A
It is the Customer’s responsibility to provide Interoute with current contact details for the relevant interface
for this Service. Interoute will not accept fault reports from End Users.
Interoute will be immediately notified of an alert. However, when configured to do so the IPS application will
also take immediate action blocking the traffic. This action is based upon the IPS Policy supplied by the
Customer at the requirements phase of the installation.
m. IPS Service Changes
Should the Customer require changes to be made to the configuration or operation of the IPS Service
once an IPS service has been installed, the Customer must contact Interoute via either Telephone,
Fax, email or through the Interoute Hub. Configuration and Service changes might be carried out free
of charge depending on the classification of the change. The following table shows all potential IPS
Service changes and whether they are deemed as chargeable items (Major Changes) or whether they
are included within the scope of the service (Minor Changes):
Types of Modifications
Major Change
The Addition of an IPS appliance
The Addition of an IPS Detection Engine
The addition of an IPS Management system
Minor Change
The provision of bespoke reports
Modifications to IPS Policy
Increasing the RNA User Licences
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 19 of 20
Schedule 2s
Additional terms for Security Services
During the first full calendar month following the Ready for Service Date, the Customer shall be
entitled to request certain reasonable changes (to be determined by Interoute) which will be covered
by a non-recurring Charge.
Where the Customer requests a minor change to be carried out on their IPS Service, and where all of
the relevant information is provided by the Customer to Interoute, Interoute will endeavour to
complete all minor changes within three (1) working day from receiving such requests. As standard,
IPS Customers are permitted to request up to three (3) minor change requests per calendar month
free of charge. Should a Customer request more than three (3) minor changes during a given month,
Interoute reserves the right to charge a one-off fee.
General Exclusions
i.
In addition to any exclusions stated in this Schedule 2S, Interoute shall not be liable to the Customer
for:
i. The performance of third party networks including Third Party Local Access circuits, traffic
exchange points including Internet networks, transit and peering connections provided and
controlled by other companies, and public and private exchange points such as NAPs and
MAEs
ii. The performance of Third Party systems including management systems, systems supporting
the service and operating systems that either the third party, the Customer or the
customers’ end users supply.
Liability
I.
The provision of Service Credits (where applicable) shall be the sole and exclusive remedy
for the failure to meet targets for any Security Service. Interoute shall have no additional
liability to the Customer.
Schedule 2S – Additional Terms for Security Services- v4.5 – 06.03.2012
page 20 of 20