General Policy for Production Firewalls

The following standards apply to all firewalls used in the company's production and DMZ networks.

Table of contents

1 Organizational Standards

1.1 Firewall rule change

1.2 Firewall system change

1.3 Patch Management

1.3.1 Firewall software

1.3.2 Operating system

1.4 Log Management

2 Technical Standards

1 Organizational Standards

1.1 Firewall rule change:

  • all rule set changes must be requested and approved using an electronic workflow
  • changes to the rule set must be approved by the Corporate IT Security Officer
  • the documentation of the change must be part of the electronic workflow

Remark: For all workflows related to IT service processes, the software Assyst is used. All change requests must be entered in Assyst. The approval process is implemented in the tool, and the documentation of changes is also kept in Assyst, as follows:

  • who requested the change, when
  • short description (why?)
  • who approved it
  • who implemented it when
  • the Operating Officer (Head of communications infrastructure) is responsible for ensuring that the corporate security policy is implemented in the filter rules of each firewall system
  • the firewall administrators are responsible for the implementation and configuration
  • rule set changes must be made by two persons (4-eye-principle)
  • changes to the rule set of a firewall must be documented immediately in the firewall documentation
  • rule set changes are implemented on the central management station (according to the technical concept for production firewalls)
  • the firewall rule set must be reviewed regularly, at least once a month

1.2 Firewall system change:

  • all system changes must be requested and approved using an electronic workflow
  • changes to the system must be approved by the Corporate IT Security Officer
  • the documentation of the change must be part of the electronic workflow

Remark: For all workflows related to IT service processes, the software Assyst is used. All change requests must be entered in Assyst. The approval process is implemented in the tool, and the documentation of changes is also kept in Assyst, as follows:

  • who requested the change, when
  • short description (why?)
  • who approved it
  • who implemented it when
  • the firewall administrators are responsible for the implementation and configuration
  • system changes must be made by two persons (4-eye-principle)
  • system changes of a firewall must be documented immediately in the firewall documentation

1.3 Patch Management:

The firewall administrators are responsible for keeping the software on the firewall systems up to date. This includes the following specific tasks:

1.3.1 Firewall software

  • The firewall administrators are responsible for ensuring that the software installed on the firewall systems is up to date
  • The firewall administrators are informed by the software vendors about updates, or must check the vendor's web page frequently
  • All relevant security upgrades and patches must be installed immediately on the test system (if any) and, once their functionality has been tested, on the production systems

1.3.2 Operating system

  • The firewall administrators are responsible for ensuring that the operating system on the firewall systems is up to date
  • The firewall administrators are informed by the software vendors about updates, or must check the vendor's web page frequently
  • All relevant security patches for the operating system must be installed immediately on the test system (if any) and, once their functionality has been tested, on the production systems

1.4 Log Management:

All logons and command executions must be logged. The log files must be protected from manipulation.

Logging primarily serves to ensure the operation of the firewall system, maintain security and detect possible violations. The evaluation is based on the information stored in the firewall log files:

The analysis of these events is used to determine whether a security breach has occurred and which information and which IT systems were affected. Ultimately, the goal of the evaluation is to recognize attacks on the firewall system itself and on the IT systems it protects, so that appropriate action can be initiated and escalated.

It must be ensured that personal data contained in the log data is used only for the purposes of data protection control, data backup and ensuring proper operation.

The firewall administrators are responsible for reviewing the logs and ensuring firewall operation:

Since the evaluation is at present not carried out by an independent examiner, this task is also performed by the firewall administrators. For this reason, the results of the evaluation are submitted to the person responsible for operations (head of IT). That person must ensure that the firewall administrators have enough time available to evaluate the log files.

In order to reduce the risk that important details are overlooked during the evaluation, the examinations are usually done by two firewall administrators (4-eye-principle). In this way, anomalies and incidents can first be discussed together and, where possible, clarified before an escalation.

On the morning of each working day, the responsible firewall administrators must carry out the following tasks:

2 Technical Standards

  • generic rules are not permitted on the firewall; every rule must be restricted to specific IP addresses or address ranges and specific ports
  • anti-spoofing: the rules must bind IP address ranges to the specific network interfaces on which those addresses are legitimate
  • every violation of a firewall rule must be logged to the central log server
  • real-time alerting: the firewall administrators must be informed about rule violations and must analyze the cause
  • it must be technically ensured that a rule set is loaded and active on the firewall at all times
  • the firewall must be dedicated hardware
  • traffic must not be plainly routed through the firewall; IP masquerading or network address translation must always be used
  • connections between a high security network and a network with a lower security level must always be initiated from within the high security network; initiating connections from the lower security network into the high security network is prohibited
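The monthly rule set review required in section 1.1 can be partly automated by checking a rule dump against the technical standards above. The following is an added example, not part of this policy and not the company's tooling: it audits an iptables-save dump (the policy does not name a firewall product; the format and the interface-to-security-level mapping in ZONE_LEVEL are assumptions of the example) for generic rules, missing interface binding, connections initiated from a lower into a higher security level, missing default-deny policy and missing violation logging. The sample dump is constructed for illustration.

```python
"""Audit an iptables-save dump against the production firewall technical standards."""
import shlex
from dataclasses import dataclass

# Assumed interface-to-security-level mapping (higher = more trusted). This is a
# constructed assumption for the example; a real audit takes it from the firewall
# documentation. Used for the "initiate only from high to low security" check.
ZONE_LEVEL = {"eth0": 0, "eth2": 1, "eth1": 2}   # internet, DMZ, internal

# Constructed sample dump (not from the page): one return-traffic rule, two compliant
# ACCEPT rules, three rules that break the standards, and a terminal LOG rule.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth2 -s 10.20.0.0/16 -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -j ACCEPT
-A FORWARD -s 10.20.0.0/16 -d 192.0.2.20/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -s 198.51.100.0/24 -d 10.20.5.5/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -s 192.0.2.0/24 -d 203.0.113.53/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW-VIOLATION: "
COMMIT
"""


@dataclass
class Rule:
    line: int      # line number inside the dump, for the finding report
    chain: str
    opts: dict     # option -> value, or True for valueless flags


def parse(dump: str):
    """Return ({chain: policy}, [Rule]) from iptables-save text.

    Negation markers ("!") are skipped, so a negated match is treated like a
    positive one; that errs on the side of reporting for a rule-set review.
    """
    policies, rules = {}, []
    for n, raw in enumerate(dump.splitlines(), 1):
        line = raw.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            opts, i = {}, 2
            while i < len(tokens):
                tok = tokens[i]
                if tok == "!":
                    i += 1
                    continue
                has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith(("-", "!"))
                opts[tok] = tokens[i + 1] if has_value else True
                i += 2 if has_value else 1
            rules.append(Rule(n, tokens[1], opts))
    return policies, rules


def audit(dump: str):
    """Return findings as (line, check, message); an empty list means compliant."""
    policies, rules = parse(dump)
    findings = []
    # fail closed: INPUT and FORWARD must drop by default, so nothing passes
    # while a rule set is incomplete or not loaded
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append((0, "default-deny", f"chain {chain} policy is {policies.get(chain)!r}, expected DROP"))
    for r in rules:
        if r.opts.get("-j") != "ACCEPT":
            continue
        if "ESTABLISHED" in str(r.opts.get("--ctstate", "")):
            continue   # return traffic of already permitted connections, not an initiation
        # no generic rules: source, destination, protocol and (for tcp/udp) a port
        missing = [o for o in ("-s", "-d", "-p") if o not in r.opts]
        if r.opts.get("-p") in ("tcp", "udp") and "--dport" not in r.opts:
            missing.append("--dport")
        if missing:
            findings.append((r.line, "generic-rule", f"ACCEPT in {r.chain} lacks {' '.join(missing)}"))
        # anti-spoofing: the permitted source range must be tied to an inbound interface
        if "-i" not in r.opts:
            findings.append((r.line, "anti-spoofing", f"ACCEPT in {r.chain} has no inbound interface binding"))
        # connections may only be initiated from the higher security level
        lvl_in, lvl_out = ZONE_LEVEL.get(r.opts.get("-i")), ZONE_LEVEL.get(r.opts.get("-o"))
        if lvl_in is not None and lvl_out is not None and lvl_in < lvl_out:
            findings.append((r.line, "flow-direction", f"{r.opts['-i']} -> {r.opts['-o']} initiates into a higher security level"))
    # violations must reach the log server: every default-deny chain ends with a LOG rule
    for chain, policy in policies.items():
        if policy != "DROP":
            continue
        chain_rules = [r for r in rules if r.chain == chain]
        if not chain_rules or chain_rules[-1].opts.get("-j") != "LOG":
            findings.append((0, "violation-logging", f"chain {chain} does not end with a LOG rule"))
    return findings


if __name__ == "__main__":
    for line, check, msg in audit(SAMPLE_RULES):
        print(f"line {line or '-'}: [{check}] {msg}")
```

Run against the sample, the audit flags the bare `-p tcp` ACCEPT as generic and unbound, the SSH rule as unbound to an interface, the internet-to-internal RDP rule as initiated from the wrong side, and the INPUT chain as dropping without logging; the two fully qualified rules pass. A real review feeds `iptables-save` output from the central management station into `audit` and treats every finding as an item for the 4-eye discussion, not as an automatic change.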
