ITPROSEC Firewall Change Process

Overview: To manage firewall changes in the AWS environment, the process that firewall administrators follow must be defined. A formal process allows changes to be tracked correctly and managed properly in a co-managed environment such as AWS.

Document Information

Document
Title: AWS Firewall Change Process
Topic: Process Description
Author(s): Sunny Heart
Document Type: Level 3 "Process Description"
Classification: Public / Internal / Company Confidential / Strictly Company Confidential
Responsible: Sunny Heart
Filing: ITPROSEC Document Library, "Firewall Change Process.docx"
Version
Version: 0.90
Status: Draft / Review / Released / Invalid
Reviewers: IT Manager
Reviewed and Released: 2015-01-10
Next Review Date: 2018-01-10
Comment:


Contact List

Name | Role | Involvement in document
Sunny Heart | Network Security Analyst | Creator


Document History

Vers. | Last changed | By | Comment
0.9 | 2015-01-10 | Sunny Heart | First Version


Contents

1 Introduction
1.1 Purpose of this document
1.2 Limitations of this document
1.3 Overview
2 Regular Change Process
2.1 Scope
2.2 Steps
3 Urgent Change Process
3.1 Scope
3.2 Steps
4 Appendix

1 Introduction

1.1 Purpose of this document

To manage firewall changes in the AWS environment, the process that firewall administrators follow must be defined. A formal process allows changes to be tracked correctly and managed properly in a co-managed environment such as AWS.

1.2 Limitations of this document

This document describes the regular and the urgent process that apply when a change is needed. Not every scenario is covered by this document.

1.3 Overview

There are two processes: the regular change process and the urgent change process.

2 Regular Change Process

2.1 Scope

The regular change process applies to the Production environment.

2.2 Steps

ITPROSEC uses the Maximo ticket system to record all service requests and change requests. A service request is recorded, and the ticket owner of the corresponding department generates a change request from it. The change request triggers a workflow: it is sent from the ITPROSEC Maximo ticket system for local security and local IT management approvals, then returned to the firewall administrators for implementation.

The standard processing time is two weeks, or longer depending on resources. All updates and communication go through the Maximo system.

Once the change has been completed, a completion e-mail is sent automatically to the ticket creator. The ticket is then closed.

3 Urgent Change Process

3.1 Scope

The urgent change process is used for the UAT environment and for urgent situations in the Production environment.

3.2 Steps

The following screenshot shows an example of the urgent change form. A Word copy can be obtained from the firewall administrators on request.

The change is submitted by the business owner, who fills in all related information up to the Authorization section. The form is mailed to pre-defined reviewers so that two reviews catch any human or technical mistakes.

The standard processing time is two days, but it may take longer depending on the complexity of the change and on resources.

Communication and approvals are done by e-mail or on printed paper.

Once the change has been completed, the firewall administrator who deployed it fills in the Implementation Details section. The form is then sent to the original requester for testing and closure of the request.

After the Production environment is enabled and all entities have agreed, all changes from that day on are entered into the ITPROSEC Maximo system for recording and auditing purposes.

4 Appendix

4.1 VPN Change Form

1 – ITPROSEC Information
Department: XXXXX    E-mail: [email protected]
Name: XXXX    Phone: xxxx

2 – Peer General Information
Peer:    Contact:
E-mail:    Phone:
Project:
VPN Purpose:

3 – VPN – Gateways Information
Information | XXXX | Peer
IP Address | XXX | 6.4.15.13 (peer)
Firewall Model | Check Point 4000 |
Firewall OS Version | R77.30 |
Encryption Domain | 10.8.100.0/24 |

4 – VPN – Tunnel Properties
Item | xxx Configuration | Peer Configuration
Phase 1: Authentication Method | xxxxxxxx |
Phase 1: Encryption Scheme | IKE |
Phase 1: Diffie-Hellman Group | Group 2 |
Phase 1: Encryption Algorithm | AES256 |
Phase 1: Hashing Algorithm | SHA-1 |
Phase 1: Main or Aggressive Mode | Main mode |
Phase 1: Lifetime (for renegotiation) | 86400 seconds / 1440 mins |
Phase 2: Encapsulation (ESP or AH) | ESP |
Phase 2: Encryption Algorithm | AES256 |
Phase 2: Authentication Algorithm | SHA-1 |
Phase 2: Perfect Forward Secrecy | No PFS |
Phase 2: Lifetime (for renegotiation) | 3600 seconds |
Phase 2: Lifesize in KB (for renegotiation) | n/a |

5 – VPN – Firewall / Access-list Rules
Policy Rules | Source IP Addresses | Destination IP Addresses | Services Protocol (tcp, udp, sctp, ip, icmp) | Application
Example | 10.8.100.210/32 | ???? | TCP/22 | Putty / Allow
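The two reviewers who sign the form are expected to catch technical mistakes, and the tunnel properties in section 4 are where most of them hide. The script below is an added example (not part of the ITPROSEC document and not a company tool): it loads the Phase 1 / Phase 2 values exactly as they appear on the form above and compares them with a minimum cryptographic baseline. The thresholds in `BASELINE`, the `HARDENED_*` variant of the form and the function names are assumptions chosen for illustration.

```python
"""Review the Phase 1 / Phase 2 tunnel properties from a VPN change form
against a minimum cryptographic baseline before the two reviewers sign it.

Added example; not part of the ITPROSEC document. The thresholds in BASELINE
are assumptions chosen for illustration, not the company's own policy.
"""
import re

# Assumed baseline (not from the document): the weakest values a reviewer accepts.
BASELINE = {
    "min_dh_group": 14,                                  # 2048-bit MODP or stronger
    "hashes": {"SHA-256", "SHA-384", "SHA-512"},
    "ciphers": {"AES128", "AES192", "AES256"},
    "max_p1_lifetime": 86400,                            # seconds
    "max_p2_lifetime": 28800,                            # seconds
}

# Tunnel properties as filled in on the form in section 4.1 of the document.
FORM_PHASE1 = {
    "Authentication Method": "xxxxxxxx",
    "Encryption Scheme": "IKE",
    "Diffie-Hellman Group": "Group 2",
    "Encryption Algorithm": "AES256",
    "Hashing Algorithm": "SHA-1",
    "Main or Aggressive Mode": "Main mode",
    "Lifetime (for renegotiation)": "86400 seconds/1440 mins",
}
FORM_PHASE2 = {
    "Encapsulation (ESP or AH)": "ESP",
    "Encryption Algorithm": "AES256",
    "Authentication Algorithm": "SHA-1",
    "Perfect Forward Secrecy": "No PFS",
    "Lifetime (for renegotiation)": "3600 seconds",
    "Lifesize in KB (for renegotiation)": "n/a",
}

# Constructed variant of the same form with values that meet BASELINE.
HARDENED_PHASE1 = dict(FORM_PHASE1, **{"Diffie-Hellman Group": "Group 14",
                                       "Hashing Algorithm": "SHA-256"})
HARDENED_PHASE2 = dict(FORM_PHASE2, **{"Authentication Algorithm": "SHA-256",
                                       "Perfect Forward Secrecy": "Group 14"})


def _norm(value):
    """Upper-case and drop spaces so 'SHA-256', 'sha 256' and 'SHA-256 ' compare equal."""
    return value.strip().upper().replace(" ", "")


def lifetime_seconds(value):
    """Parse '86400 seconds/1440 mins' or '3600 seconds' into a number of seconds."""
    m = re.search(r"(\d+)\s*sec", value, re.IGNORECASE)
    if m:
        return int(m.group(1))
    m = re.search(r"(\d+)\s*min", value, re.IGNORECASE)
    if m:
        return int(m.group(1)) * 60
    raise ValueError(f"cannot parse lifetime: {value!r}")


def dh_group(value):
    """'Group 2' -> 2, 'Group 14' -> 14."""
    m = re.search(r"\d+", value)
    if not m:
        raise ValueError(f"cannot parse DH group: {value!r}")
    return int(m.group())


def review_tunnel(phase1, phase2):
    """Return the list of findings; an empty list means the form meets BASELINE."""
    findings = []
    g = dh_group(phase1["Diffie-Hellman Group"])
    if g < BASELINE["min_dh_group"]:
        findings.append(f"Phase 1 Diffie-Hellman Group: group {g} is below group {BASELINE['min_dh_group']}")
    if _norm(phase1["Hashing Algorithm"]) not in BASELINE["hashes"]:
        findings.append(f"Phase 1 Hashing Algorithm: {phase1['Hashing Algorithm']} is not in the accepted set")
    if _norm(phase1["Encryption Algorithm"]) not in BASELINE["ciphers"]:
        findings.append(f"Phase 1 Encryption Algorithm: {phase1['Encryption Algorithm']} is not in the accepted set")
    if not _norm(phase1["Main or Aggressive Mode"]).startswith("MAIN"):
        findings.append("Phase 1 Mode: aggressive mode is not accepted, use main mode")
    if lifetime_seconds(phase1["Lifetime (for renegotiation)"]) > BASELINE["max_p1_lifetime"]:
        findings.append(f"Phase 1 Lifetime: exceeds {BASELINE['max_p1_lifetime']} seconds")
    if _norm(phase2["Encapsulation (ESP or AH)"]) != "ESP":
        findings.append("Phase 2 Encapsulation: AH provides no confidentiality, use ESP")
    if _norm(phase2["Encryption Algorithm"]) not in BASELINE["ciphers"]:
        findings.append(f"Phase 2 Encryption Algorithm: {phase2['Encryption Algorithm']} is not in the accepted set")
    if _norm(phase2["Authentication Algorithm"]) not in BASELINE["hashes"]:
        findings.append(f"Phase 2 Authentication Algorithm: {phase2['Authentication Algorithm']} is not in the accepted set")
    if _norm(phase2["Perfect Forward Secrecy"]) in {"", "NO", "NOPFS", "NONE", "DISABLED"}:
        findings.append("Phase 2 Perfect Forward Secrecy: PFS is disabled, select a DH group")
    if lifetime_seconds(phase2["Lifetime (for renegotiation)"]) > BASELINE["max_p2_lifetime"]:
        findings.append(f"Phase 2 Lifetime: exceeds {BASELINE['max_p2_lifetime']} seconds")
    return findings


if __name__ == "__main__":
    for label, p1, p2 in (("form as submitted", FORM_PHASE1, FORM_PHASE2),
                          ("hardened variant", HARDENED_PHASE1, HARDENED_PHASE2)):
        print(f"== {label} ==")
        for finding in review_tunnel(p1, p2) or ["no findings"]:
            print(" -", finding)
```

Run against the values on the form, the review returns four findings (DH group, both SHA-1 entries and the missing PFS); the hardened variant returns none. Because the form's values go through `_norm`, spacing and capitalisation differences between the two parties' columns do not produce spurious findings, which matters when the peer fills in its column by hand.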

4.2 Firewall Change Form

CLIENT DETAILS

NAME:
COMPANY:
PHONE NUMBER:
E-MAIL:
REQUEST DATE:
PROPOSED CHANGE DATE:
MAXIMO CR or SR:

REQUEST DETAILS

Source Address | Destination Address | Destination Port / Protocol | Deny/Accept | Notes

Reason For Change:

Name: ____________    Dep: ____________    Signature: ____________

AUTHORIZATION

Reviewer | Name | Approved/Denied | Signature | Date
Reviewer 1 | | | |
Reviewer 2 | | | |

IMPLEMENTATION DETAILS

Device Type | Device Name | Device Location | Impl. Date | Impl. Time
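Each row of REQUEST DETAILS is what the reviewers approve or deny, so a malformed address or an over-broad "any" rule should be caught before the form reaches them. The following validator is an added example (not part of the ITPROSEC document and not a company tool). The column names are taken from the form above and the protocol list from the VPN form in 4.1; the sample rows, the `any` spelling and the rule that an Accept with an "any" source or service needs a written justification in Notes are assumptions made for illustration.

```python
"""Validate the rows of the REQUEST DETAILS table from the firewall change form
(Source Address, Destination Address, Destination Port / Protocol, Deny/Accept,
Notes) before the request goes to the reviewers.

Added example; not part of the ITPROSEC document. Column names follow the
form; the checks and the "broad rule needs a justification" policy are
assumptions made for illustration.
"""
import ipaddress
import re

PROTOCOLS = {"TCP", "UDP", "SCTP", "IP", "ICMP"}     # protocol list from the VPN form
ACTIONS = {"DENY", "ACCEPT"}                          # the form's Deny/Accept column
ANY = {"ANY", "0.0.0.0/0", "*"}                       # assumed spellings of "any host"

# Constructed sample rows: one clean, one over-broad, one with typing errors.
REQUEST_ROWS = [
    {"Source Address": "10.8.100.210/32", "Destination Address": "10.8.20.5",
     "Destination Port / Protocol": "TCP/22", "Deny/Accept": "Accept",
     "Notes": "admin SSH from the jump host"},
    {"Source Address": "any", "Destination Address": "10.8.20.0/24",
     "Destination Port / Protocol": "any", "Deny/Accept": "Accept", "Notes": ""},
    {"Source Address": "10.8.100.999", "Destination Address": "10.8.20.5",
     "Destination Port / Protocol": "TCP/70000", "Deny/Accept": "Allow", "Notes": ""},
]


def parse_address(text):
    """Return an ip_network, or None for 'any'. Raises ValueError on bad input."""
    t = text.strip()
    if t.upper() in ANY:
        return None
    # strict=False lets a host address such as 10.8.20.5 stand for 10.8.20.5/32
    return ipaddress.ip_network(t, strict=False)


def parse_service(text):
    """Parse 'TCP/22', 'UDP/1024-65535', 'ICMP' or 'any' into (protocol, low, high)."""
    t = text.strip().upper()
    if t == "ANY":
        return ("ANY", 0, 65535)
    m = re.fullmatch(r"(TCP|UDP|SCTP|IP|ICMP)(?:/(\d{1,5})(?:-(\d{1,5}))?)?", t)
    if not m or m.group(1) not in PROTOCOLS:
        raise ValueError(f"bad service: {text!r}")
    proto, low, high = m.group(1), m.group(2), m.group(3)
    if proto in ("IP", "ICMP"):
        if low is not None:
            raise ValueError(f"{proto} takes no port: {text!r}")
        return (proto, 0, 65535)
    if low is None:
        raise ValueError(f"{proto} needs a port or port range: {text!r}")
    lo = int(low)
    hi = int(high) if high else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of range: {text!r}")
    return (proto, lo, hi)


def validate_row(row):
    """Return the problems found in one request row; an empty list means it can go to review."""
    problems = []
    src_any = dst_any = svc_any = False
    try:
        src_any = parse_address(row["Source Address"]) is None
    except ValueError as e:
        problems.append(f"Source Address: {e}")
    try:
        dst_any = parse_address(row["Destination Address"]) is None
    except ValueError as e:
        problems.append(f"Destination Address: {e}")
    try:
        svc_any = parse_service(row["Destination Port / Protocol"])[0] == "ANY"
    except ValueError as e:
        problems.append(f"Destination Port / Protocol: {e}")
    action = row["Deny/Accept"].strip().upper()
    if action not in ACTIONS:
        problems.append(f"Deny/Accept: expected Deny or Accept, got {row['Deny/Accept']!r}")
    # Assumed policy: an Accept that opens "any" source or "any" service must be justified.
    if action == "ACCEPT" and (src_any or svc_any) and not row.get("Notes", "").strip():
        problems.append("Notes: an Accept rule with an 'any' source or service needs a written justification")
    if action == "ACCEPT" and src_any and dst_any and svc_any:
        problems.append("Accept any/any/any cannot be reviewed meaningfully; narrow at least one field")
    return problems


def validate_request(rows):
    """Map row index -> problems for every row that has at least one."""
    return {i: p for i, p in ((i, validate_row(r)) for i, r in enumerate(rows)) if p}


if __name__ == "__main__":
    for i, problems in validate_request(REQUEST_ROWS).items():
        print(f"row {i}:")
        for p in problems:
            print("  -", p)
```

On the constructed rows, row 0 passes, row 1 is held back only because the broad Accept has no justification in Notes, and row 2 collects three problems (an address that is not IPv4, a port above 65535 and "Allow" where the form only knows Deny/Accept). Address checks rely on the standard `ipaddress` module, so IPv6 prefixes are accepted without extra code.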
