Virtual private networks
Virtual private networks (VPNs) allow a trusted network to communicate with another trusted network over untrusted networks such as the Internet. Because some firewalls provide VPN capability, it is necessary to define policy for establishing VPNs. Firewall-based VPNs can be established in a number of configurations.
Tip: Any connection between firewalls over public networks should use encrypted VPNs to ensure the privacy and integrity of the data passing over the public network. All VPN connections should be approved and managed by a network services manager. Appropriate means for distributing and maintaining encryption keys must be established before operational use of VPNs.
Firewall administration
A firewall, like any other network device, has to be managed by someone. Security policy should state who is responsible for managing the firewall.
Tip: Two firewall administrators (one primary and one secondary) should be designated by a chief information security officer (or other manager) and should be responsible for the upkeep of the firewall. The primary administrator should make changes to the firewall, and the secondary administrator should do so only in the absence of the former, so there is no simultaneous or contradictory access to the firewall.
Tip: Each firewall administrator should provide a home phone number, pager number, cellular phone number, and any other numbers or modes by which he or she can be contacted when support is required.