ITPROSEC Firewall Change Process

Overview: To manage firewall changes on AWS environment, it is important to define the process for firewall administrators. Having a formal process to follow helps right tracking of changes, proper managing the changes on a co-managed environment such as AWS.

Document Information

Document
Title                       AWS Firewall Change Process
Topic Process Description
Author(s) Sunny Heart
Document Type Level 3 “Process Description”
Classification Public / Internal / Company Confidential / Strictly Company Confidential
Responsible Sunny Heart
Filing ITPROSEC Document Library „Firewall Change Process.docx
Version
Version 0.90
Status Draft / Review /  Released / Invalid
Reviewers IT Manager
Reviewed and Released 2015-01-10
Next Review Date 2016-01-10
Comment  


Contact List

Name Role Involvement in document
Sunny Heart Network Security Analyst Creator
     


Document History

Vers. Last changed By Comment
0.9 2015-01-10 Sunny Heart First Version
       
       
       
       
       
       


Contents

1                Introduction……………………………………………………………………………………………………………………… 5

1.1      Purpose of this document…………………………………………………………………………………………………… 5

1.2      Limitations of this document……………………………………………………………………………………………… 5

1.3      Overview…………………………………………………………………………………………………………………………. 5

2                Regular Change Process……………………………………………………………………………………………………. 6

2.1      Scope………………………………………………………………………………………………………………………………. 6

2.2      Steps……………………………………………………………………………………………………………………………….. 6

3                Urgent Change Process……………………………………………………………………………………………………… 7

3.1      Scope………………………………………………………………………………………………………………………………. 7

3.2      Steps……………………………………………………………………………………………………………………………….. 7

4                Appendix…………………………………………………………………………………………………………………………. 9

1  Introduction

1.1    Purpose of this document

To manage firewall changes on AWS environment, it is important to define the process for firewall administrators. Having a formal process to follow helps right tracking of changes, proper managing the changes on a co-managed environment such as AWS.

1.2  Limitations of this document

This documentation describes commom and urgent process when there is a change needed. Not all scenarios will be applicable to this documentation.

1.3   Overview

There are two processes includes common regular change process and urgent change process.

2  Regular Change Process

2.1    Scope

Regular change process will be applicable to production environment.

2.2   Steps

ITPROSEC has Maximo ticket system to record all service request, change request. Service request will be recorded and a change request will be generated by corresponding department ticket owner. Change request will trigger a workflow and it will be sent from  ITPROSEC Maximo ticket system to get local security and local IT management approvals then it will be sent back to firewall administrators to implement it.

Standard process time will be two weeks or even longer depending on resources. All updates and communication will go through Maximo system.

Once change has been completed, automatically completed email will be sent out to ticket creator to notify it has been completed. Ticket will be close

3 Urgent Change Process

3.1  Scope

Urgent change process will be used for UAT environment and urgent situation for Production environment.

3.2  Steps

Following screenshot shows the urgent change form example. Word copy can be get from firewall administrators once request.

Change will be submitted by business owner who will fill in all related information before the part of Authorization. It will be mail to pre-defined reviewers to have two reviews in case any human mistakes or technical mistakes.

Standard process time will be two days , but it may take longer depending on complexity of changes and resources.

Email or printed paper will be used to do communication and approvals.

Once all change has been completed, final information for implementation details will be completed by firewall administrator who deployed this change. It will be sent out to original ticket creator for close request and testing.

After Production environment enabled and all entities have an agreement, all changes after that day will be entered into ITPROSEC Maximo sytem for recording and auditing purpose.

4  Appendix

4.1 VPN Change Form

1 –ITPROSEC Information
Department:XXXXXE-mail:[email protected]
Name:XXXXPhone:xxxx
2 – Peer General Information
Peer: Contact: 
E-mail: Phone: 
PROJET: 
VPN Purpose: 
3 – VPN – Gateways information
InformationsXXXXPeer
IP AddressXXX:6.4.15.13 
(peer)
Firewall ModelCheck Point 4000  
Firewall OS VersionR77.30 
Encryption Domain10.8.100.0/24 
4 – VPN – Tunnel Properties
 Itemxxx ConfigurationPeer Configuration
Phase 1Authentication Methodxxxxxxxx 
 Encryption SchemeIKE 
 Diffie-Hellman GroupGroup 2 
 Encryption AlgorithmAES256 
 Hashing AlgorithmSHA-1 
 Main or Aggressive ModeMain mode 
 Lifetime (for renegotiation)86400 seconds/1440 mins 
Phase 2Encapsulation (ESP or AH)ESP 
 Encryption AlgorithmAES256 
 Authentication AlgorithmSHA-1 
 Perfect Forward SecrecyNo PFS 
 Lifetime (for renegotiation)3600 seconds 
 Lifesize in KB (for renegotiation)n/a 
5 – VPN – Firewall / Access-list Rules 
 SourceDestinationServices
Policy RulesIP Addresses IP AddressesProtocol
(tcp,udp,sctp,ip, icmp)
Application
Example:10.8.100.210/32????TCP/22 Putty / Allow

4.2 Firewall Change Form

CLIENT DETAILS

NAME  
COMPANY  
PHONE NUMBER  
E-MAIL  
REQUEST DATE  
PROPOSED CHANGE DATE  
MAXIMO CR or SR  

REQUEST DETAILS

Source AddressDestination AddressDestination Port / ProtocolDeny/AcceptNotes

Reason For Change:

Name:                                     Dep:                          Signature:

             ————————-            —————–                      —————————-

AUTHORIZATION

Reviewer Name Approved/Denied Signature Date
Reviewer 1        
Reviewer 2        

IMPLEMENTATION DETAILS

Device Type Device Name Device location  Impl.Date Impl.Time
         

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: