Firewall Security Policy

One of the reasons for covering this security policy separately, after the other common security policies, is that it may well contain or replace elements of any of the previously mentioned security policies. The firewall security policy (sometimes known simply as the firewall policy) should address all the firewall-specific security requirements, as defined in the layered structure of Figure 10-1. In doing this, the firewall policy may overlap, include, or refer to elements from any of the previously mentioned security policies. In addition, if any other security policies are applicable to the firewall, they should be referenced in this document. A good way to ensure complete coverage of your firewall security policy is to build a checklist based on the four layers from Figure 10-1. The following sections cover these four layers.

Firewall Physical Integrity

To ensure that your firewall security policy adequately addresses physical security, make sure that the following elements are components of the security policy:

• Define who is authorized to install, uninstall, and move the firewall.

• Define who is authorized to perform hardware maintenance and to change the physical configuration of the firewall.

• Define who is authorized to physically connect to the firewall, in particular through the console port or physical logon console.

• Define the appropriate recovery requirements in the event of a physical failure or evidence of tampering with the firewall.

Firewall Static Configuration

To ensure that your firewall security policy adequately addresses static configuration security, make sure that the following elements are components of the security policy:

• Define who is authorized to log in to the firewall via any connectivity method (local or remote).

• Define the appropriate privileges and users to which the privileges are applicable.

• Define the procedures for performing configuration changes and firewall updates.

• Define the password policy (typically in conjunction with the corporate password policy) for the firewall.

• Define the method of remote login capability, including defining the permitted networks or systems from which remote logins will be allowed (typically in conjunction with the management-access policy).

• Define the recovery procedures for the firewall in the event of a failure.

• Define the audit log policy for the firewall (typically in conjunction with the corporate audit policy).

• Define the encryption requirements for the firewall (typically in conjunction with the corporate encryption policy).

• Define the method of remote management and monitoring (that is, SNMP, syslog, and so on) for the firewall (typically in conjunction with the management-access policy).

Firewall Dynamic Configuration

To ensure that your firewall security policy adequately addresses dynamic configuration security, make sure that the following elements are components of the security policy:

• Define what kinds of dynamic configuration processes and services will be permitted to run on the firewall as well as what networks and devices will have access to those processes and services.

• Define the routing protocols that will be allowed and the security features that will be required.

• Define how the firewall will update and maintain the clock information (that is, NTP).

• Define how one-time password (or similar) authentication and dynamic encryption and key algorithms will be maintained.

Network Traffic through the Firewall

To ensure that your firewall security policy adequately addresses traffic through the firewall, make sure that the following elements are components of the firewall security policy:

• Define the method by which traffic will be permitted and denied (for example, whether traffic will be permitted only to specific segments, and so on).

• Define the process for requesting changes and updates to the firewall ruleset.

• Define the kinds of protocols, ports, and services that will be permitted or denied (this information may be included in more detail in a separate ingress- and egress-filtering document).

This information should be used to build your ingress and egress filters, as discussed in the next section.
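The static configuration, dynamic configuration, and traffic sections above each list elements the policy must define; once defined, those elements become concrete values that a running configuration can be checked against. The following is an added example, not code from the book or from any vendor: a small Python checker that parses an IOS-style configuration (a constructed sample, with hypothetical addresses) and tests it against an assumed policy, covering remote-login sources restricted to permitted management networks, an encrypted remote-login method (SSH only is taken here as the encrypted method), NTP for clock maintenance, a syslog destination for the audit log, and an explicit deny-all at the end of the traffic ruleset. The policy values, the configuration syntax handled, and the mapping of each bullet to a check are all assumptions of the example.

```python
import ipaddress
import re

# Constructed sample configuration in IOS-style syntax (not from the book).
SAMPLE_CONFIG = """\
hostname fw-edge-01
ntp server 192.0.2.10
logging host 192.0.2.20
access-list 10 permit 10.10.50.0 0.0.0.255
access-list 100 permit tcp any host 203.0.113.5 eq 443
access-list 100 permit tcp any host 203.0.113.6 eq 25
access-list 100 deny ip any any log
line vty 0 4
 transport input ssh
 access-class 10 in
"""

# Values the firewall security policy is assumed to define (constructed).
POLICY = {
    "management_networks": ["10.10.50.0/24"],  # permitted remote-login sources
    "traffic_acl": "100",                      # ruleset that must end in an explicit deny
}


def parse_config(text):
    """Extract only the configuration facts the policy checks need."""
    facts = {"ntp": [], "syslog": [], "acl": {}, "vty_transport": None, "vty_access_class": None}
    in_vty = False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            in_vty = line.startswith("line vty")
        if in_vty and indented:
            if line.startswith("transport input"):
                facts["vty_transport"] = line.split()[2:]
            elif line.startswith("access-class"):
                facts["vty_access_class"] = line.split()[1]
            continue
        m = re.match(r"access-list (\S+) (permit|deny) (.*)", line)
        if m:
            facts["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif line.startswith("ntp server"):
            facts["ntp"].append(line.split()[2])
        elif line.startswith("logging host"):
            facts["syslog"].append(line.split()[2])
    return facts


def standard_acl_network(rest):
    """Source of a standard ACL entry as an ip_network; None means 'any'."""
    parts = rest.split()
    if parts[0] == "any":
        return None
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1])
    if len(parts) >= 2 and re.match(r"\d+\.\d+\.\d+\.\d+$", parts[1]):
        # IOS wildcard mask; ipaddress accepts hostmask notation directly
        return ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
    return ipaddress.ip_network(parts[0])


def check_policy(config_text, policy):
    """Map each policy element to a pass/fail check; returns {check_name: passed}."""
    f = parse_config(config_text)
    allowed = [ipaddress.ip_network(n) for n in policy["management_networks"]]
    results = {}

    # Static config: remote logins only from the permitted networks (vty access-class).
    entries = f["acl"].get(f["vty_access_class"], []) if f["vty_access_class"] else []
    mgmt_ok = bool(entries)
    for action, rest in entries:
        if action != "permit":
            continue
        net = standard_acl_network(rest)
        if net is None or not any(net.subnet_of(a) for a in allowed):
            mgmt_ok = False
    results["management_sources_restricted"] = mgmt_ok

    # Static config: remote-login method; SSH only is taken as the encrypted method (assumption).
    results["remote_login_encrypted"] = f["vty_transport"] == ["ssh"]

    # Dynamic config: clock maintained via NTP.
    results["ntp_configured"] = len(f["ntp"]) > 0

    # Static config: audit log policy satisfied by at least one syslog destination.
    results["audit_logging_configured"] = len(f["syslog"]) > 0

    # Traffic: the ruleset ends with an explicit deny-all entry.
    rules = f["acl"].get(policy["traffic_acl"], [])
    results["default_deny_last"] = bool(rules) and rules[-1][0] == "deny" \
        and rules[-1][1].split()[:3] == ["ip", "any", "any"]
    return results


if __name__ == "__main__":
    for name, ok in check_policy(SAMPLE_CONFIG, POLICY).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The checker deliberately reads only the lines each policy element depends on, so a configuration that introduces a second transport (for example telnet alongside SSH) or widens the management ACL to `any` fails the corresponding check while the unrelated checks still pass, which is the granularity an auditor reviewing a firewall against its policy needs.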
