Use of Checkpoint Firewall Code of Practice. This code of practice is also qualified by The University of Edinburgh computing regulations, found at:



Use of Checkpoint Firewall Code of Practice

Introduction

This code of practice is intended to support the Information Security Policy of the University and should be read in conjunction with that document:
http://www.ed.ac.uk/schools-departments/information-services/about/policiesandregulations/security-policies/security-policy

This code of practice is also qualified by The University of Edinburgh computing regulations, found at:
http://www.ed.ac.uk/schools-departments/information-services/about/policies-and-regulations

1. Code of Practice Version

[The CoP for any system is expected to develop over time. For this reason, it may be important to track versions of any CoP. This section in the template suggests a framework in which you could record reasons for change to the CoP for the system referred to.]

Revision Date | Version | CoP Template Version | Author             | Notes
04/09/12      | 1.0     | 1.4                  | Tony Weir          | Initial version
04/09/12      | 1.1     | 1.4                  | Apollon Koutlidis  | Update detail and review
29/09/14      | 1.2     | 1.4                  | Graeme Wood        | Minor edit
6/11/14       | 1.3     | 1.4                  | Graeme Wood        | Minor edit

QA Date   | QA Process Notes
14 Nov 12 | Accepted by IT Security WP
15 Dec 14 | Accepted by IT Security WP

Suggested date for Revision of the CoP | Author
01/09/14                               | Tony Weir
01/09/16                               | Graeme Wood

2. System description

Revision Date | System Version        | Author            | Notes
4/9/12        | CheckPoint FW-1 R72   | Apollon Koutlidis | Current revision of Check Point software.
29/9/14       | CheckPoint FW-1 R75.40 | Graeme Wood      | Current revision of Check Point software.

CoP Template, Version 1.4 20 Jun 2011

2.1 System name
CheckPoint firewall.

2.2 Description of system
The firewalls provide network security to a number of central IS applications such as EUCLID and MyEd.

2.3 Data
The firewalls route network traffic to the services they protect and store no end-service data. The firewalls store configuration and audit information.

2.4 Components
The firewalls consist of two Sun Fire X4150 systems running Check Point Secure Platform and Firewall-1.

2.5 System owner
This service is provided by the Unix Section in the IT Infrastructure division of Information Services.

2.6 User base
The Check Point firewalls do not provide any end-user access; they control the network traffic for appropriate applications. There are administrative accounts on the Check Point firewalls, which are used by the Unix Section technical staff to control their function. A read-only view of the Check Point firewall configuration is exported to a separate web service, which allows EASE-protected read-only access to the configuration. This is used by IS technical staff who administer the end services for which the firewalls route traffic.

2.7 Criticality
High.

2.8 Disaster recovery status
The Check Point firewalls operate as a resilient pair, with separate physical devices installed on two distinct sites. These operate as a fail-over pair, with service automatically failing over to the partner as required. This process is well documented and thoroughly tested.

3. User responsibilities

3.1 Data
There is no end-user access to the Check Point firewalls.

3.2 Usernames and passwords
A view of the Check Point firewall information is exported through a separate web service, which allows EASE-protected read-only access to the configuration. This is used by a small number of IS technical staff who administer the end services for which the firewalls route traffic. There are administrative accounts for a small number of technical staff. The read-only view of the configuration is EASE protected and made available to a small number of IS technical staff in the Applications Division. There is no end-user access to the Check Point firewalls.

3.3 Physical security
The firewalls are sited within IS-managed data centres. The data centres are appropriately secured.

3.4 Remote/mobile working

3.5 Downloads and removal of data from premises

3.6 Authorisation and access control
Administrator access to the firewalls is limited to a subset of the local University networks. Any remote access to the firewalls must be through these local networks. The read-only view of the configuration is EASE protected and access is limited to EdLAN. The only data that the firewalls store is the system configuration. Only a small number of technical staff in the ITI Unix Section have access to the firewall accounts. Access is only permitted to administrators.

3.7 Competencies
There is no end-user access to the firewalls. ITI Unix Section staff who have access have been appropriately trained in their use.

4. System Owner Responsibilities

4.1 Competencies
The ITI Unix Section has members of staff with many years of experience in administering firewalls and with experience of managing the current implementation.

4.2 Operations
The firewalls are updated with appropriate software upgrades to ensure the security of the devices and of the end-user services for which they control network traffic. Access to the configuration is restricted to password-protected administrator logins, to which only a small number of ITI Unix Section staff have access.

4.3 System documentation
Operational documentation is provided by the supplier and augmented by local procedural documentation stored on the ITI Unix Section wiki.

4.4 Segregation of Duties
Administrator users have access to the configuration of the firewalls. The read-only administrative view of the configuration is EASE protected and made available to a small number of IS technical staff.

4.5 Security incidents
Any security incidents related to the firewalls would be referred to the IS IRT, who would log the issue and aid with investigation. Any security incident related to the firewalls would be reported to the ITI Unix Section head, who would report as appropriate to the ITI Director.

4.6 Fault/problem reporting
Any faults would be raised by the service owners of end-user services or by ITI Unix Section staff. If necessary, support calls are logged with the suppliers via the maintenance contract.

4.7 Systems development
There is no local development of the firewall software. Software upgrades are provided by the supplier and obtained as part of the systems maintenance contract.

5. System Management

5.1 User account management
A small number of local system logins are provided for firewall administration. These are only granted to members of the ITI Unix Section with the appropriate skill set. A web-based, EASE-protected read-only view is available from a separate web service.

5.2 Access control
Only ITI Unix Section staff have access to the firewall administration logins. Only a small number of IS technical staff have access to the read-only view of the configuration.

5.3 Access monitoring
All logins and each separate administrative operation are logged in the firewalls' audit system.

5.4 Change control
Change management is organised through the ITI Unix Section service management procedures. Any major change, e.g. a major firmware revision or change in platform, would be discussed and scheduled with end service providers and communicated through IS alerting processes. Configuration changes, e.g. updates to firewall rulesets, are requested and recorded via IS Service Management tools (UniDesk) and conform to agreed templates. The change request is subject to approver sign-off. Each change results in a new configuration version which is tagged with the incident number for full audit tracking.

5.5 Systems clock synchronisation
All servers synchronise their clocks to UTC using the NTP protocol.

5.6 Network management
The firewalls control access to services within a private network address range, ensuring that any access to these services is closely controlled. Appropriate networks are provided across both main University data centres to ensure fail-over of services across sites. The Check Point firewalls operate closely with the central FWSM firewall and with the Load Balancers to achieve fine-grained network control.

5.7 Business continuity
The Check Point firewalls operate as a fully resilient fail-over pair; this function has been rigorously tested.

5.8 Security Control
The firewalls closely control administrative access to defined networks and have a very small number of administrative logins.

6. Third Party

6.1 Outsourcing
A maintenance contract is supplied by SecureData. This provides hardware maintenance of the devices, access to firmware upgrades and a support mechanism to investigate faults and discuss functionality. SecureData have no access to the University's firewalls.

6.2 Contracts and Agreements
Maintenance agreement with SecureData.

6.3 Compliance with the university security policy
The agreements with third parties comply with the university's security policy.

6.4 Personal data
No personal data is used in the provision of the service and no data is exported.