
Beginning Your Firewall Management Policy

From Ryan Groom,
Your Guide to Business Security.

Four Areas of Firewall Policy

Introduction

A Firewall Management policy is one of many policies in an IT Services framework. Firewalls can appear in many areas of a network topology but they are almost always found guarding the perimeter of the network. Modern technologies such as VPN and wireless networking make maintaining this ‘perimeter’ more difficult. A strong and well defined Firewall Management policy can bolster security, support a larger IT policy, as well as provide detailed guidance for the people managing these services.

A Firewall management policy can be broken into four main areas:

  • Core Tenets (Principles)
    This is the section of the Firewall Management Policy where broad policy statements and references to other security policies should appear.

  • Operational
    This section details more specific areas of the day to day operating of the Firewall and how the core tenets are supported. There may seem to be overlap in the operational and principle sections but as the Firewall management policy matures, these areas will become more distinct and may possibly be further subdivided.

  • Configuration
    This section should detail specific statements with respect to the firewall configuration and be applicable to any vendor’s firewall. This area is not intended to document the firewall rule set but rather provide broader guidance that will shape the rule set.

  • Audit
    This section of the Firewall Management policy details the requirements that must be met to ensure that the firewall meets the firewall policy, tests the supporting documentation and ensures that the firewall is actively maintained and not simply forgotten until a firewall incident occurs.

The following items will provide a strong basis for a firewall management policy and should be tailored to meet your organization's business requirements. As you develop your firewall management policy, there will be many additions to the sections below.

Principles

  • Perimeter firewall(s) must control all traffic into/out of the network.
  • The firewall must be physically secure.
  • The firewall configuration must be fully documented.
  • The firewall policy should support, not conflict with, the overarching security/business policies.
  • All services provided to the Internet must undergo a security risk analysis.
  • The firewall must provide a high level of available service.
  • The perimeter firewall should be one part of a defense in depth strategy.
  • Security systems should not be made unnecessarily complex. As the complexity of a security system increases, the ability to easily manage it decreases.
  • Only use devices intended to be firewalls as firewalls. Routers and intelligent switches can provide firewall-like capabilities but should be used to augment your firewall, not replace it.

Operational

  • Only firewall system administrators are allowed to make firewall changes.
  • All firewall logs must be securely stored outside of the firewall device.
  • All firewall logs must be reviewed for security incidents.
  • All firewall audits must be documented. This includes non-compliance, remediation, risk acceptance, and compliant audits.
  • Limit connectivity to the firewall for management purposes and encrypt communication if remote management is required.
  • Firewall configurations, including access control lists (ACLs), must be backed up routinely.
  • Any change to the firewall should initiate a risk analysis.
  • Any change to the firewall must follow the firewall change management process. This includes firewall configuration, ACLs, patches, and upgrades.
  • The firewall should be monitored and should provide alerts for security/firewall incidents.
  • The firewall should provide for redundancy. This may include hot failover, warm failover, cold standby, or an alternate provisioning mechanism that meets the business service level agreement.
  • The operational section should have or reference an incident response policy/procedure for firewall incidents. A strong incident response policy will ensure that firewall administrators follow prescribed guidance in heightened-anxiety situations where a poor decision is more likely.
  • The firewall policy should have or reference an acceptable use policy that defines acceptable use from both the internal and the external perspective.

Configuration

  • The default condition of the firewall should be to deny traffic. This means that if no ACL allows the traffic to pass the firewall, the firewall should deny this traffic.
  • The password on the firewall should be changed routinely in accordance with your organization's password policy.
  • The configuration should be fully documented.
  • The firewall should be hardened.
  • The firewall should deny external traffic destined to itself.
  • The firewall should deny traffic on the external interface that appears to be from an internal address (spoofing).
  • The firewall should deny ICMP traffic.
  • The firewall should deny traffic from the non-routable address space on the external interface.
  • The firewall should not allow non-authenticated SNMP traffic.
  • The firewall should duplicate its logs to, or log directly to, a location other than the firewall itself.
  • The firewall should be configured for real time alerting by the monitoring system.

Audit and Compliance

  • The firewall should be audited on a regular interval. This audit should include all facets of the three areas above to ensure that the practice of maintaining the firewall meets or exceeds the guidance of the firewall policy.
  • All audits should be logged and approved when completed.
  • Any audits that discover areas of non-compliance should provide mechanisms/timelines for the non-compliant area to be remedied.
  • Any non-compliant area should be remediated or have a senior executive approved exception. Note – these exceptions should be rare.
  • All audits should ensure that the firewall policy meets or exceeds regulatory compliance as dictated for your industry.
  • An external and internal ‘penetration test’ type of audit should be performed regularly to ensure that the firewall is performing as expected.
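The Configuration bullets above can be expressed as an automated check that the Audit section's regular review can run against a rule set. The following is an added example, not part of the original article: it assumes a constructed first-match rule model (interface, source network, protocol, destination port, action) and a small settings dictionary, and sends one probe packet per configuration requirement through it, reporting each requirement that is not met.

```python
import ipaddress

# Constructed rule set (not from the article): first match wins, None matches anything.
# Each rule is (in_iface, src_net, proto, dport, action).
RULES = [
    ("wan", "10.0.0.0/8", None, None, "deny"),       # anti-spoof: internal range arriving on WAN
    ("wan", "192.168.0.0/16", None, None, "deny"),   # non-routable (RFC 1918) sources on WAN
    ("wan", "172.16.0.0/12", None, None, "deny"),
    ("wan", None, "icmp", None, "deny"),             # deny ICMP from outside
    ("wan", None, "udp", 161, "deny"),               # no SNMP from outside
    ("wan", None, "tcp", 22, "deny"),                # no management from outside
    ("wan", None, "tcp", 443, "allow"),              # the one published service
    ("lan", "10.0.9.0/24", "tcp", 22, "allow"),      # management only from the admin subnet, over SSH
]
# Constructed settings: default policy, remote log destination and SNMP version in use.
FW = {"default": "deny", "rules": RULES, "remote_syslog": "10.0.9.5", "snmp_version": 3}

def decide(fw, iface, src, proto, dport):
    """Return the action the rule set takes for a packet; default policy if nothing matches."""
    s = ipaddress.ip_address(src)
    for r_if, r_net, r_proto, r_port, action in fw["rules"]:
        if (r_if == iface and (r_net is None or s in ipaddress.ip_network(r_net))
                and r_proto in (None, proto) and r_port in (None, dport)):
            return action
    return fw["default"]

def audit(fw):
    """Return a list of non-compliance findings; an empty list means the checks all passed."""
    findings = []
    # One probe per Configuration bullet; 203.0.113.0/24 is documentation space (RFC 5737).
    probes = [
        ("unmatched (default policy)", "wan", "203.0.113.7", "tcp", 8080),
        ("spoofed internal-source", "wan", "10.1.2.3", "tcp", 443),
        ("non-routable-source", "wan", "192.168.1.1", "tcp", 443),
        ("ICMP", "wan", "203.0.113.7", "icmp", None),
        ("SNMP", "wan", "203.0.113.7", "udp", 161),
        ("management (SSH)", "wan", "203.0.113.7", "tcp", 22),
    ]
    for name, iface, src, proto, port in probes:
        if decide(fw, iface, src, proto, port) != "deny":
            findings.append(f"non-compliant: {name} traffic is not denied on {iface}")
    if not fw.get("remote_syslog"):
        findings.append("non-compliant: logs are not sent to a location outside the firewall")
    if fw.get("snmp_version") != 3:
        findings.append("non-compliant: unauthenticated SNMP (v1/v2c) is enabled")
    return findings

if __name__ == "__main__":
    print(audit(FW) or "compliant with the Configuration section")
```

Each finding maps to a bullet, so the audit record (non-compliance, remediation, or approved exception) can cite the requirement it relates to.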

Conclusion

The firewall is most often the gatekeeper to your organization's assets. Don't fall prey to believing the Firewall Myths, and use this guide as a basis for your firewall policy.