Revision/update of firewall policy

Given the rapid introduction of new technologies and the tendency for organizations to continually introduce new services, firewall security policies should be reviewed on a regular basis (see below). As network requirements change, so should security policy.

Example of General Policies

The following policy statements are only examples. They do not constitute a complete firewall policy, and even if they did, they would not necessarily apply to your organization's environment. The statements are grouped into those applicable to low-, medium-, and high-risk environments. Within each category, they are divided into statements targeted toward users, managers, and technicians. In general, all organizations would employ at least the low-risk policies.

Low-Risk Environment Policies: User
  • All users who require access to Internet services must do so using organization-approved software and Internet gateways.
  • A firewall has been placed between your private networks and the Internet to protect your systems. Employees must not circumvent the firewall by using modems or network tunneling software to connect to the Internet.
  • Some protocols have been blocked or redirected. If you have a business need for a particular protocol, you must raise the issue with your manager and the Internet security officer.
Low-Risk Environment Policies: Manager
  • A firewall should be placed between the organization's network and the Internet to prevent untrusted networks from accessing the organization network. The firewall should be selected and maintained by a network services manager.
  • All other forms of Internet access (such as via dial-out modems) from sites connected to the organization's wide area network are prohibited.
  • All users who require access to Internet services must do so using organization-approved software and Internet gateways.
Low-Risk Environment Policies: Technician
  • All firewalls should fail to a configuration that denies all services and requires a firewall administrator to re-enable services after a failure.
  • Source routing should be disabled on all firewalls and external routers (discussed earlier in this tutorial).
  • The firewall should not accept traffic on its external interfaces that appears to be coming from internal network addresses (discussed earlier in this tutorial).
  • The firewall should provide detailed audit logs of all sessions so that these logs can be reviewed for any anomalies.
  • Secure media should be used to store log reports so that access to these media is restricted to authorized personnel only.
  • Firewalls should be tested offline and the proper configuration verified.
  • The firewall should be configured to implement transparency for all outbound services. Unless approved by a network services manager, all inbound services should be intercepted and processed by the firewall.
  • Appropriate firewall documentation should be maintained on offline storage devices at all times. Such information should include, but not be limited to, the network diagram, including the IP addresses of all network devices; the IP addresses of relevant hosts of the Internet service provider (ISP), such as the external news server, router, and DNS server; and all other configuration parameters, such as packet filter rules. Such documentation should be updated any time the firewall configuration is changed.
Medium-Risk Environment Policies: User

When you are off-site, you may only access internal systems by using organization-approved one-time passwords and hardware tokens to authenticate yourself to the firewall. Any other means of accessing internal systems is prohibited.

Medium-Risk Environment Policies: Manager
  • Strong authentication using organization-approved one-time passwords and hardware tokens is required for all remote access to internal systems through the firewall.
  • The network security policy should be reviewed on a regular basis (every 3 months minimum) by the firewall administrators and other top information (security) managers. When requirements for network connections and services have changed, the security policy should be updated and approved. If a change is to be made, the firewall administrator should ensure that the change is implemented and the policy modified.
  • The details of the organization's internal trusted network should not be visible from outside the firewall.
Medium-Risk Environment Policies: Technician
  • The firewall should be configured to deny all services not expressly permitted and should be regularly audited and monitored to detect intrusions or misuse.
  • The firewall should notify the system administrator in near-real time of any item that may need immediate attention, such as a break-in to the network, low available disk space, or other related messages, so that immediate action can be taken.
  • The firewall software should run on a dedicated computer; all non-firewall-related software, such as compilers, editors, communications software, etc., should be deleted or disabled.
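
Three of the technician policies above (deny all services not expressly permitted, source routing disabled, and no internal source addresses accepted on external interfaces) can be checked mechanically during the regular audit. The following is an added example, not part of the original tutorial; it assumes a Linux firewall exporting `iptables-save` output, `eth0` as the external interface, and the internal ranges shown, and the names `audit` and `opt` are hypothetical.

```python
import ipaddress
import re

# Constructed inputs (not from the original page): iptables-save style rules
# and sysctl settings from a Linux firewall whose external interface is eth0.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""
SYSCTL = "net.ipv4.conf.all.accept_source_route = 1\n"
INTERNAL_NETS = ["10.1.0.0/16", "192.168.0.0/16"]  # assumed internal ranges

def opt(tokens, flag):
    """Value following a flag such as -i or -s, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit(ruleset, sysctl, ext_if="eth0", internal=INTERNAL_NETS):
    """Return findings; an empty list means every check passed.
    Rule order and shadowing by earlier ACCEPT rules are not evaluated."""
    findings = []
    # Deny all services not expressly permitted: chains must default to DROP.
    policy = dict(re.findall(r"^:(\w+) (\w+)", ruleset, re.M))
    for chain in ("INPUT", "FORWARD"):
        if policy.get(chain) != "DROP":
            findings.append(f"default-deny: {chain} policy is {policy.get(chain)}")
    # Anti-spoofing: internal sources arriving on the external interface must be dropped.
    rules = [l.split() for l in ruleset.splitlines() if l.startswith("-A ")]
    for chain in ("INPUT", "FORWARD"):
        drops = [ipaddress.ip_network(opt(r, "-s")) for r in rules
                 if r[1] == chain and opt(r, "-i") == ext_if
                 and opt(r, "-j") == "DROP" and opt(r, "-s")]
        for net in map(ipaddress.ip_network, internal):
            if not any(net.subnet_of(d) for d in drops):
                findings.append(f"anti-spoof: {chain} lacks drop for {net} on {ext_if}")
    # Source routing must be disabled (the kernel honours it only if 'all' is 1).
    settings = dict(re.findall(r"^([\w.]+)\s*=\s*(\S+)", sysctl, re.M))
    if settings.get("net.ipv4.conf.all.accept_source_route") != "0":
        findings.append("source-routing: accept_source_route is not 0")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(RULESET, SYSCTL)))
```

On the constructed sample this reports four findings: the permissive FORWARD default, the missing 192.168.0.0/16 anti-spoofing drop in both chains, and source routing left enabled.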
High-Risk Environment Policies: User
  • All nonbusiness use of the Internet from organization systems should be forbidden. All access to Internet services should be logged. Employees who violate this policy should be subject to disciplinary action.
  • Your browser has been configured with a list of forbidden sites. Any attempts to access those sites should be reported to your manager.
High-Risk Environment Policies: Manager

All nonbusiness use of the Internet from organization systems is forbidden. All access to Internet services should be logged. Employees who violate this policy should be subject to disciplinary action.

High-Risk Environment Policies: Technician

All access to Internet services should be logged. Summary and exception reports should be prepared for the network and security managers.