ITPROSEC Firewall Change Process
Overview: To manage firewall changes in the AWS environment, the process for firewall administrators must be defined. A formal process helps track changes correctly and manage them properly in a co-managed environment such as AWS.

Document Information
Document | |
Title | AWS Firewall Change Process |
Topic | Process Description |
Author(s) | Sunny Heart |
Document Type | Level 3 “Process Description” |
Classification | Public / Internal / Company Confidential / Strictly Company Confidential |
Responsible | Sunny Heart |
Filing | ITPROSEC Document Library "Firewall Change Process.docx" |
Version | |
Version | 0.90 |
Status | Draft / Review / Released / Invalid |
Reviewers | IT Manager |
Reviewed and Released | 2015-01-10 |
Next Review Date | 2018-01-10 |
Comment |
Contact List
Name | Role | Involvement in document |
Sunny Heart | Network Security Analyst | Creator |
Document History
Vers. | Last changed | By | Comment |
0.9 | 2015-01-10 | Sunny Heart | First Version |
Contents
1 Introduction
1.1 Purpose of this document
1.2 Limitations of this document
1.3 Overview
2 Regular Change Process
2.1 Scope
2.2 Steps
3 Urgent Change Process
3.1 Scope
3.2 Steps
4 Appendix
1 Introduction
1.1 Purpose of this document
To manage firewall changes in the AWS environment, the process for firewall administrators must be defined. A formal process helps track changes correctly and manage them properly in a co-managed environment such as AWS.
1.2 Limitations of this document
This document describes the regular and the urgent process to follow when a change is needed. Not all scenarios are covered by this document.
1.3 Overview
There are two processes: the regular change process and the urgent change process.
2 Regular Change Process
2.1 Scope
The regular change process applies to the production environment.
2.2 Steps
ITPROSEC uses the Maximo ticket system to record all service requests and change requests. A service request is recorded, and a change request is generated by the ticket owner of the corresponding department. The change request triggers a workflow: it is sent from the ITPROSEC Maximo ticket system for local security and local IT management approvals, then returned to the firewall administrators for implementation.
The standard process time is two weeks, or longer depending on resources. All updates and communication go through the Maximo system.
Once the change has been completed, a completion email is sent automatically to the ticket creator. The ticket is then closed.
3 Urgent Change Process
3.1 Scope
The urgent change process is used for the UAT environment and for urgent situations in the production environment.
3.2 Steps
The following screenshot shows an example of the urgent change form. A Word copy can be obtained from the firewall administrators on request.
The change is submitted by the business owner, who fills in all related information up to the Authorization section. The form is mailed to pre-defined reviewers for two independent reviews, to catch human or technical mistakes.
The standard process time is two days, but it may take longer depending on the complexity of the change and on resources.
Email or printed paper is used for communication and approvals.
Once the change has been completed, the implementation details are filled in by the firewall administrator who deployed the change. The form is sent to the original requester for testing and closure of the request.
After the production environment is enabled and all parties have agreed, every change from that day on is entered into the ITPROSEC Maximo system for recording and auditing purposes.

4 Appendix
4.1 VPN Change Form
1 – ITPROSEC Information | | | |
Department: | XXXXX | E-mail: | [email protected] |
Name: | XXXX | Phone: | xxxx |
2 – Peer General Information | | | |
Peer: | | Contact: | |
E-mail: | | Phone: | |
PROJECT: | | | |
VPN Purpose: | | | |
3 – VPN – Gateways Information | | |
Information | XXXX | Peer |
IP Address (peer) | XXX:6.4.15.13 | |
Firewall Model | Check Point 4000 | |
Firewall OS Version | R77.30 | |
Encryption Domain | 10.8.100.0/24 | |
4 – VPN – Tunnel Properties | | | |
Phase | Item | xxx Configuration | Peer Configuration |
Phase 1 | Authentication Method | xxxxxxxx | |
Phase 1 | Encryption Scheme | IKE | |
Phase 1 | Diffie-Hellman Group | Group 2 | |
Phase 1 | Encryption Algorithm | AES256 | |
Phase 1 | Hashing Algorithm | SHA-1 | |
Phase 1 | Main or Aggressive Mode | Main mode | |
Phase 1 | Lifetime (for renegotiation) | 86400 seconds / 1440 mins | |
Phase 2 | Encapsulation (ESP or AH) | ESP | |
Phase 2 | Encryption Algorithm | AES256 | |
Phase 2 | Authentication Algorithm | SHA-1 | |
Phase 2 | Perfect Forward Secrecy | No PFS | |
Phase 2 | Lifetime (for renegotiation) | 3600 seconds | |
Phase 2 | Lifesize in KB (for renegotiation) | n/a | |
5 – VPN – Firewall / Access-list Rules | | | | |
Policy Rules | Source IP Addresses | Destination IP Addresses | Service Protocol (tcp, udp, sctp, ip, icmp) | Application / Action |
Example: | 10.8.100.210/32 | ???? | TCP/22 | Putty / Allow |
4.2 Firewall Change Form
CLIENT DETAILS
NAME | |
COMPANY | |
PHONE NUMBER | |
REQUEST DATE | |
PROPOSED CHANGE DATE | |
MAXIMO CR or SR |
REQUEST DETAILS
Source Address | Destination Address | Destination Port / Protocol | Deny/Accept | Notes |
Reason For Change:
Name: | Dep: | Signature: |
AUTHORIZATION
Reviewer | Name | Approved/Denied | Signature | Date |
Reviewer 1 | ||||
Reviewer 2 |
IMPLEMENTATION DETAILS
Device Type | Device Name | Device location | Impl.Date | Impl.Time |
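The two reviewers in the Authorization section have to catch technical mistakes in what the requester filled in. The following pre-review lint is an added example, not part of the ITPROSEC process document: it checks the rows of the Firewall Change Form "Request Details" table (source, destination, port/protocol, action) and the Phase 1 / Phase 2 values of the VPN Change Form "Tunnel Properties" table, and returns the findings a reviewer would want listed before signing. The thresholds (nothing broader than a /24 without a justification, no Diffie-Hellman group below 2048 bits, no SHA-1, PFS enabled, Phase 2 lifetime not longer than Phase 1) are an assumed review baseline, not one the document defines. The first sample rule row and the tunnel values are taken from the example forms above; the second rule row and its 10.0.0.0/8 destination are constructed to show a broad rule being flagged.

```python
"""Pre-review lint for change-form content (added example; assumed baseline)."""
import ipaddress
import re

# Assumed review baseline: values reviewers do not accept without a written justification.
WEAK_DH_GROUPS = {"Group 1", "Group 2", "Group 5"}     # 768/1024/1536-bit MODP
WEAK_HASHES = {"MD5", "SHA-1", "SHA1"}
MAX_PHASE1_LIFETIME = 86400                             # seconds
MAX_PREFIX_ADDRESSES = 256                              # a /24; larger needs a reason
PORT_RE = re.compile(r"^(?P<proto>tcp|udp|sctp)/(?P<port>\d{1,5})$", re.IGNORECASE)
PROTO_ONLY = {"ip", "icmp", "any"}


def _network(value):
    """Parse an address cell. 'any', 0.0.0.0/0 or a placeholder like '????' give None."""
    v = value.strip().lower()
    if v in ("", "any", "0.0.0.0/0") or v.startswith("?"):
        return None
    return ipaddress.ip_network(v, strict=False)   # raises ValueError on junk


def lint_rule_row(row):
    """Check one Request Details row; returns a list of findings (empty = no objection)."""
    findings = []
    for label in ("source", "destination"):
        value = row[label]
        try:
            net = _network(value)
        except ValueError:
            findings.append(f"{label} '{value}' is not a valid IP address or CIDR")
            continue
        if net is None:
            findings.append(f"{label} is unspecified or 'any'; reviewer must confirm scope")
        elif net.num_addresses > MAX_PREFIX_ADDRESSES:
            findings.append(f"{label} {net} is broader than a /24; justify in 'Reason For Change'")
    svc = row["service"].strip()
    action = row["action"].strip().lower()
    m = PORT_RE.match(svc)
    if m:
        port = int(m.group("port"))
        if not 0 < port <= 65535:
            findings.append(f"port {port} is out of range")
    elif svc.lower() not in PROTO_ONLY:
        findings.append(f"service '{svc}' is not proto/port (e.g. TCP/22) or a bare protocol")
    if svc.lower() == "any" and action == "accept":
        findings.append("accept rule with service 'any' needs explicit justification")
    if action not in ("accept", "deny"):
        findings.append(f"action must be Accept or Deny, got '{row['action']}'")
    if not row.get("notes", "").strip() and not row.get("reason", "").strip():
        findings.append("no notes or reason recorded for this row")
    return findings


def lint_tunnel(props):
    """Check Phase 1 / Phase 2 values from the VPN Change Form against the baseline."""
    findings = []
    p1, p2 = props["phase1"], props["phase2"]
    if p1["dh_group"] in WEAK_DH_GROUPS:
        findings.append(f"Phase 1 Diffie-Hellman {p1['dh_group']} is below 2048-bit; use Group 14 or an ECDH group")
    if p1["hash"].upper() in WEAK_HASHES:
        findings.append(f"Phase 1 hashing algorithm {p1['hash']} is deprecated; use SHA-256 or stronger")
    if p1["mode"].lower().startswith("aggressive"):
        findings.append("Aggressive mode sends the identity hash unprotected; use Main mode")
    if p1["lifetime_s"] > MAX_PHASE1_LIFETIME:
        findings.append(f"Phase 1 lifetime {p1['lifetime_s']}s exceeds {MAX_PHASE1_LIFETIME}s")
    if p2["encapsulation"].upper() != "ESP":
        findings.append("AH gives integrity only, no confidentiality; use ESP")
    if p2["auth"].upper() in WEAK_HASHES:
        findings.append(f"Phase 2 authentication algorithm {p2['auth']} is deprecated; use SHA-256 or stronger")
    if not p2["pfs"]:
        findings.append("Perfect Forward Secrecy disabled; Phase 2 keys derive from the Phase 1 secret")
    if p2["lifetime_s"] > p1["lifetime_s"]:
        findings.append("Phase 2 lifetime exceeds Phase 1 lifetime")
    return findings


# Sample form content. Row 1 and the tunnel values come from the example forms;
# row 2 is constructed to show a broad rule being flagged.
SAMPLE_RULES = [
    {"source": "10.8.100.210/32", "destination": "????", "service": "TCP/22",
     "action": "Accept", "notes": "Putty"},
    {"source": "10.8.100.0/24", "destination": "10.0.0.0/8", "service": "any",
     "action": "Accept", "notes": ""},
]
SAMPLE_TUNNEL = {
    "phase1": {"auth": "xxxxxxxx", "dh_group": "Group 2", "encryption": "AES256",
               "hash": "SHA-1", "mode": "Main mode", "lifetime_s": 86400},
    "phase2": {"encapsulation": "ESP", "encryption": "AES256", "auth": "SHA-1",
               "pfs": False, "lifetime_s": 3600},
}


def review_report(rules=SAMPLE_RULES, tunnel=SAMPLE_TUNNEL):
    """Collect findings for a whole form; an empty list means it is ready for Reviewer 1."""
    report = []
    for i, row in enumerate(rules, 1):
        report.extend(f"rule {i}: {f}" for f in lint_rule_row(row))
    report.extend(f"tunnel: {f}" for f in lint_tunnel(tunnel))
    return report


if __name__ == "__main__":
    for line in review_report():
        print(line)
```

Run as a script it prints one line per finding; an empty report is what the form should look like before it goes to Reviewer 1. Placeholders like `????` are reported as unspecified rather than rejected, so a half-filled form still produces a useful list instead of a parse error.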