Use of Checkpoint Firewall Code of Practice

Introduction

This code of practice is intended to support the Information Security Policy of the University and should be read in conjunction with that document:
http://www.ed.ac.uk/schools-departments/information-services/about/policiesandregulations/security-policies/security-policy

This code of practice is also qualified by The University of Edinburgh computing regulations, found at:
http://www.ed.ac.uk/schools-departments/information-services/about/policies-and-regulations

CoP Template, Version 1.4, 20 Jun 2011

1. Code of Practice Version

[The CoP for any system is expected to develop over time. For this reason, it may be important to track versions of any CoP. This section in the template suggests a framework in which you could record reasons for change to the CoP for the system referred to.]

Revision Date | CoP Version | Template Version | Author             | Notes
04/09/12      | 1.0         | 1.4              | Tony Weir          | Initial version
04/09/12      | 1.1         | 1.4              | Apollon Koutlidis  | Update detail and review
29/09/14      | 1.2         | 1.4              | Graeme Wood        | Minor edit
06/11/14      | 1.3         | 1.4              | Graeme Wood        | Minor edit

QA Date   | QA Process                  | Notes
14 Nov 12 | Accepted by IT Security WP  |
15 Dec 14 | Accepted by IT Security WP  |

Suggested date for revision of the CoP | Author
01/09/14                               | Tony Weir
01/09/16                               | Graeme Wood

2. System description

Revision Date | System Version          | Author            | Notes
04/09/12      | CheckPoint FW-1 R72     | Apollon Koutlidis | Current revision of Check Point software.
29/09/14      | CheckPoint FW-1 R75.40  | Graeme Wood       | Current revision of Check Point software.

2.1 System name

CheckPoint firewall.

2.2 Description of system

The firewalls provide network security to a number of central IS applications such as EUCLID and MyEd.

2.3 Data

The firewalls route network traffic to the services they protect and store no end-service data. The firewalls store configuration and audit information.

2.4 Components

The firewalls consist of two Sun Fire X4150 systems running Check Point SecurePlatform and Firewall-1.

2.5 System owner

This service is provided by the Unix Section in the IT Infrastructure division of Information Services.

2.6 User base

The Check Point firewalls do not provide any end-user access; they control the network traffic for the applications they protect.

There are administrative accounts on the Check Point firewalls, which are used by Unix Section technical staff to control their function.

A read-only view of the Check Point firewall configuration is exported to a separate web service, which allows EASE-protected read-only access to the configuration. This is used by IS technical staff who administer the end services for which the firewalls route traffic.

2.7 Criticality

High.

2.8 Disaster recovery status

The Check Point firewalls operate as a resilient pair, with separate physical devices installed on two distinct sites. These operate as a fail-over pair, with service automatically failing over to the partner as required. This process is well documented and thoroughly tested.
3. User responsibilities

3.1 Data

There is no end-user access to the Check Point firewalls.

3.2 Usernames and passwords

There is no end-user access to the Check Point firewalls. Administrative accounts exist for a small number of technical staff.

A read-only view of the Check Point firewall configuration is exported through a separate web service, which allows EASE-protected read-only access to the configuration. This is made available to a small number of IS technical staff in the Applications Division who administer the end services for which the firewalls route traffic.

3.3 Physical security

The firewalls are sited within IS-managed data centres. The data centres are appropriately secured.

3.4 Remote/mobile working

3.5 Downloads and removal of data from premises

3.6 Authorisation and access control

Administrator access to the firewalls is limited to a subset of the local University networks. Any remote access to the firewalls must be through these local networks. The read-only view of the configuration is EASE protected and access is limited to EdLAN.

The only data that the firewalls store is the system configuration. Only a small number of technical staff in the ITI Unix Section have access to the firewall accounts; access is permitted to administrators only.

3.7 Competencies

There is no end-user access to the firewalls. ITI Unix Section staff who have access have been appropriately trained in their use.
4. System Owner Responsibilities

4.1 Competencies

The ITI Unix Section has members of staff with many years of experience in administering firewalls and with experience of managing the current implementation.

4.2 Operations

The firewalls are updated with appropriate software upgrades to ensure the security of the devices and of the end-user services for which they control network traffic. Access to the configuration is restricted to password-protected administrator logins, which only a small number of ITI Unix Section staff hold.

4.3 System documentation

Operational documentation is provided by the supplier and augmented by local procedural documentation stored on the ITI Unix Section wiki.

4.4 Segregation of Duties

Administrator users have access to the configuration of the firewalls. The read-only administrative view of the configuration is EASE protected and made available to a small number of IS technical staff.

4.5 Security incidents

Any security incident related to the firewalls would be referred to the IS IRT, who would log the issue and aid with investigation. Any security incident related to the firewalls would also be reported to the ITI Unix Section head, who would report it to the ITI Director as appropriate.

4.6 Fault/problem reporting

Any faults would be raised by the service owners of end-user services or by ITI Unix Section staff. If necessary, support calls are logged with the supplier under the maintenance contract.

4.7 Systems development

There is no local development of the firewall software. Software upgrades are provided by the supplier and obtained as part of the system maintenance contract.
5. System Management

5.1 User account management

A small number of local system logins are provided for firewall administration. These are only granted to members of the ITI Unix Section with the appropriate skill set. A web-based, EASE-protected read-only view is available from a separate web service.

5.2 Access control

Only ITI Unix Section staff have access to the firewall administration logins. Only a small number of IS technical staff have access to the read-only view of the configuration.

5.3 Access monitoring

All logins and each separate administrative operation are logged in the firewalls' audit system.

5.4 Change control

Change management is organised through the ITI Unix Section service management procedures. Any major change, e.g. a major firmware revision or a change of platform, would be discussed and scheduled with end-service providers and communicated through IS alerting processes.

Configuration changes, e.g. updates to firewall rulesets, are requested and recorded via the IS Service Management tools (UniDesk) and conform to agreed templates. Each change request is subject to approver sign-off. Each change results in a new configuration version, which is tagged with the incident number for full audit tracking.

5.5 Systems clock synchronisation

All servers synchronise their clocks to UTC using the NTP protocol.

5.6 Network management

The firewalls control access to services within a private network address range, ensuring that any access to these services is closely controlled. Appropriate networks are provided across both main University data centres to ensure fail-over of services across sites. The Check Point firewalls operate closely with the central FWSM firewall and with the load balancers to achieve fine-grained network control.

5.7 Business continuity

The Check Point firewalls operate as a fully resilient fail-over pair; this function has been rigorously tested.

5.8 Security Control

The firewalls closely control administrative access to defined networks and have a very small number of administrative logins.

6. Third Party
6.1 Outsourcing

A maintenance contract is supplied by SecureData. This provides hardware maintenance of the devices, access to firmware upgrades and a support mechanism to investigate faults and discuss functionality. SecureData have no access to the University's firewalls.

6.2 Contracts and Agreements

Maintenance agreement with SecureData.

6.3 Compliance with the university security policy

The agreements with third parties comply with the University's security policy.

6.4 Personal data

No personal data is used in the provision of the service and no data is exported.