Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Firewall Policy Template

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 8

Firewall Policy

Prepared By
IT Security
VERSION: 1.0

All rights reserved. This document is a proprietary product of IT Security and, as such, any unauthorized use, disclosure, or
reproduction of this publication or portions thereof in any form, without written permission from IT Security, is strictly prohibited.
Any printed copy of this document is uncontrolled
Firewall Policy

CHANGE HISTORY

Version Date Summary of Author Pages Remark


changes affected
1.0

Table of Contents

___________________________________________________________________________
Page 2 of 8 Version: 1.0
Firewall Policy

GENERAL FIREWALL GUIDELINE 4

FIREWALL ADMINISTRATION 4

PHYSICAL ACCESS & ENVIRONMENT 5

LOGICAL ACCESS & REMOTE ADMINISTRATION 5

SYSTEM BACKUP 5

UPGRADE AND PATCHES 5

LOGS AND AUDIT TRAILS 6

DOCUMENTATION 6

ENCRYPTED CHANNEL OVER PUBLIC/ENTRUSTED NETWORK 7

ENFORCEMENT 7

___________________________________________________________________________
Page 3 of 8 Version: 1.0
Firewall Policy

1 GENERAL FIREWALL GUIDELINES

1.1 The firewall software should run only on dedicated computer system. Except for the
firewall-related utilities or its safeguarding components (e.g. Intrusion Detection System),
no other non-firewall related software should co-exist/installed in the firewall system.

1.2 Restricted policy shall be enforced in the firewall such that all services are denied unless
specifically permitted.

1.3 If a different users/network community requires different firewall policies, network


segregation should be in place to isolate the more permissive users/network on a subnet
apart from the more securely protected network. All access from the said subnet should
comply with the established firewall policy and guidelines.

1.4 Details of the internal trusted network should not be visible from the entrusted network side
of the firewall.

1.5 Arrangement should be made (whether system-automated or through manual detection) to


promptly notify the Firewall Administrator(s), the Backup Firewall Administrator(s) and
escalated to the Information Security Manager1 of any intrusion or break-down in the
firewall system.

1.6 Deployment of firewalls should comply with the established Network Trust Model and the
recommended firewall-layers required.

1.7 For gateway connection to the Internet, consideration should be given at management’s
discretion, to deploy two-tiered hybrid-platform firewalls.

1.8 For any systems hosting critical applications, or providing access to critical information,
internal firewalls or filtering routers should be used to provide access control and support for
auditing and logging. These controls should be used to segment the internal network to
support the access policies developed by the designated owners on information.

1.9 All hosts (servers) protected behind a firewall should be segmented through physical-ports
at the firewall and not through logical-segmentation via a VLAN-switch, for example.

2 FIREWALL ADMINISTRATION

2.1 Designated Firewall Administrator(s) 2 and Backup Firewall Administrator(s) should


administer the firewall.

2.2 Any modification on the firewall shall be under the charge of the Firewall Administrator(s) or
Backup Firewall Administrator(s) and requires approval from IT Security.

2.3 The Firewall Administrator(s) should validate on periodic basis (e.g. quarterly) with
application-systems/hosts owners all previously defined connections, and allowed rules and
services in the firewall. Such definitions, when no longer valid, should be confirmed by the
application-systems/hosts owners and promptly removed by the Firewall Administrator(s).

2.4 There should be authorization by users, application-systems owners and the Information
Security Manager for any request for connections and rules/services definition on the
firewall. Prior to authorization, all such request should be first reviewed and the acceptable
security controls established by the Information Security department.

3 PHYSICAL ACCESS & ENVIRONMENT


1
See End of Document
2
See End of Document
___________________________________________________________________________
Page 4 of 8 Version: 1.0
Firewall Policy

3.1 The firewall should be located in restricted access area where access is allowed on a need to
basis.

3.2 The firewall should be installed in a controlled environment appropriate for 24x7 computer
operations, with air-conditioning, and uninterruptible power supply.

4 LOGICAL ACCESS & REMOTE ADMINISTRATION

4.1 Logical access to the firewall should be restricted only to the Firewall Administrator(s),
Backup Firewall Administrator(s) and the Information Security Manager i. Any other access
granted should be on a need to basis and with prior approval by the IT Security.

4.2 The Information Security Manager shall approve all access and privilege-level attributes.

4.3 Access previously granted which is invalid or no longer required should be removed
immediately.

4.4 Logical access to the firewall, through administration workstation or direct terminal, should
be controlled with authentication, with for example with user id and password.

4.5 Remote connection for firewall administration should only be considered if operational
environment requires. If via entrusted network, remote connection should be secured with
session encryption.

5 SYSTEM BACKUP3

5.1 The following files in the firewall should be periodically backed up for recovery in case of
system failure or for forensic-related activity in case of incidents: -

5.1.1 System Configuration

a) Firewall software (e.g. Rules/Policies, Network objects, definitions, etc)

b) Operating system (e.g. inetd.conf, rc3.d)

c) Network definitions (e.g. routing tables, hostname)

5.1.2 Logs

a) Firewall software (e.g. fwlog, etc)

b) Operating system (e.g. syslog, etc)

c) Removable media when used to back up the above files should be labelled and securely
stored.

6 UPGRADE AND PATCHES

6.1 Patches recommended by firewall vendor should be promptly implemented with


management’s approval.

6.2 The Firewall Administrator ii shall evaluate new version or release of the firewall or its
platform capacity requirement to determine if upgrading is necessary. Prior approval from
the Information Security Manager should be obtained before implementation.

___________________________________________________________________________
Page 5 of 8 Version: 1.0
Firewall Policy
6.3 After any upgrade, the firewall’s proper operation shall be verified prior to going operational.

7 LOGS AND AUDIT TRAILS

7.1 Where available in the firewall system, the following logging should be enabled: -

a) The firewall’s filtering activity (e.g. TCP connect attempts, in-bound and out-bound proxy
traffic information, etc)

b) The firewall’s audit trail (e.g. login/logout activity, connect time, rules/definition changes
etc.)

c) At the firewall’s system level (e.g. disk media errors, configuration/parameter changes,
etc).

7.2 Depending on operational requirement OR business criticality environment, the Information


Security Manager should establish if the logs (in total or selectively) be reviewed: -

a) On a periodic basis (from standpoint of accountability or for detective control purpose)


OR

b) On situational required basis (for problem determination or for forensic investigative


purpose).

7.3 For the review of the logs, where accountability over firewall administration is concerned, it
should be carried out internally either by the Information Security Manager or an
independent party.

7.4 The logs should be archived for an established period.

7.5 At the end of archival, the logs should be dispensed with securely, either through total
irrecoverable erasure or by overwriting its data.

8 DOCUMENTATION

8.1 All operational procedures for the firewall should be documented. At the minimum, they
consist of the following: -

a) Administration procedures

b) Backup procedures

c) Troubleshooting guide

d) Review of firewall logs and audit trails

e) House keeping procedures4

8.2 The firewall’s configurable parameters should be documented and kept in confidence,
accessible only by Firewall Administrator(s), Backup Firewall Administrator(s) and the
Information Security Manager. At the minimum, the configuration documents should
include: -

a) Network diagram(s)

b) IP addresses of all relevant network devices, internal hosts and relevant hosts of the
Internet Service Provider (ISP) e.g. DNS server, router, etc

4
Further details please refer to Organization Firewall Clean up Procedures
___________________________________________________________________________
Page 6 of 8 Version: 1.0
Firewall Policy

c) Routing tables

d) Firewall rules

8.3 All the above documentation should be updated following any changes to the firewall.

9 ENCRYPTED CHANNELS OVER PUBLIC/ENTRUSTED NETWORK

9.1 Any connection between internal host to an external organization’s host over the public
network or entrusted network for business-related exchange (e.g. B2B) shall use encrypted
channel such as Virtual Private Network (VPN), router-to-router encryption, Secured-Socket-
Layer (SSL), Secure-Shell (SSH), etc to ensure privacy and integrity of its data
communication.

9.2 For establishing encrypted channel, there should be secured means for distributing the
encryption keys prior to its operational use.

10 ENFORCEMENT

10.1 All staffs are required to comply with this security policy and its appendices.
Disciplinary actions including termination may be taken against any Organization
staffs who fail to comply with the Organization’s security policies, or
circumvent/violate any security systems and/or protection mechanisms.

10.2 Staff having knowledge of personal misuse or malpractice of IT Systems must


report immediately to management and IT Security.

10.3 Organization’s staff must ensure that Organization’s contractors and others
parties authorized by the Organization using its internal computer systems,
comply with this policy.

10.4 Where the role of the service provider is outsourced to a vendor, the outsourced
vendor should ensure compliance with this policy.

___________________________________________________________________________
Page 7 of 8 Version: 1.0
i
Outside of Head Office, for subsidiaries or oversea centre, the resident manager in charge of Information Systems
would assume the role of the Information Security Manager.

ii
As in the above, outside of Head Office, local Firewall Administrator(s) would be appointed by the resident manager
in charge of Information Systems.

You might also like