TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY



Similar documents
FIREWALL POLICY November 2006 TNS POL - 008

CMPT 471 Networking II

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Firewalls (IPTABLES)

Global Partner Management Notice

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

ICANWK406A Install, configure and test network security

Security Technology: Firewalls and VPNs

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

CSCI Firewalls and Packet Filtering

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

8. Firewall Design & Implementation

UMHLABUYALINGANA MUNICIPALITY FIREWALL MANAGEMENT POLICY

Intro to Firewalls. Summary

ADM:49 DPS POLICY MANUAL Page 1 of 5

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

HANDBOOK 8 NETWORK SECURITY Version 1.0

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

74% 96 Action Items. Compliance

CTS2134 Introduction to Networking. Module Network Security

Chapter 9 Firewalls and Intrusion Prevention Systems

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

SonicWALL PCI 1.1 Implementation Guide

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Firewalls, Tunnels, and Network Intrusion Detection

Information Technology Security Guideline. Network Security Zoning

Internet Security Firewalls

ICT USER ACCOUNT MANAGEMENT POLICY

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Network Instruments white paper

3. Firewall Evaluation Criteria

Guideline on Firewall

SANS Top 20 Critical Controls for Effective Cyber Defense

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Firewalls. Ahmad Almulhem March 10, 2012

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Internet Security Firewalls

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

CMS Operational Policy for Firewall Administration

Musina Local Municipality. Information and Communication Technology User Account Management Policy -Draft-

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Firewalls. Chapter 3

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Chapter 20. Firewalls

Network Security Policy

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Guideline on Auditing and Log Management

Cisco Advanced Services for Network Security

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

PART D NETWORK SERVICES

Lessons Learned CIP Reliability Standards

Using Skybox Solutions to Achieve PCI Compliance

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

OLD DOMINION UNIVERSITY Router-Switch Best Practices. (last updated : )

Security threats and network. Software firewall. Hardware firewall. Firewalls

What would you like to protect?

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

CS5008: Internet Computing

Information Technology Branch Access Control Technical Standard

March

Overview - Using ADAMS With a Firewall

Networking for Caribbean Development

Automate PCI Compliance Monitoring, Investigation & Reporting

Proxy Server, Network Address Translator, Firewall. Proxy Server

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Overview - Using ADAMS With a Firewall

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Computer Security: Principles and Practice

FIREWALL POLICY DOCUMENT

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Lecture 23: Firewalls

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Computer Security DD2395

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

GFI White Paper PCI-DSS compliance and GFI Software products

Information and Communication Technology. Firewall Policy

Deploying Firewalls Throughout Your Organization

Network Defense Tools

Transcription:

IT FIREWALL POLICY

TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION... 6 9. AUDIT AND COMPLIANCE... 7 10. RESPONSIBILITIES... 8 11. CHANGE CONTROL... 8 12. MONITOR STABILITY... 8 13. ENFORCEMENT... 8 14. CONSEQUENCES FOR NON-COMPLIANCE... 9 15. POLICY REVIEW... 9 Page 2 of 9

1. INTRODUCTION Firewalls are an essential component of any organization information systems security infrastructure. Firewalls are defined as security systems that control and restrict both Internet connectivity and Internet services. Firewalls establish a parameter where access controls are enforced 2. TERMS AND DEFINITION FTP (File Transfer Protocol): a standard Internet protocol that allows users to transfer files from one computer to another over a network. HTTP (Hypertext Transfer Protocol): set of rules for transferring files (text, graphic images, sound, video and other multimedia files) on the World Wide Web. Security device: Hardware or software that provides security services. Inbound Traffic: Traffic coming into Local Area Network Outbound Traffic: Traffic going out of Local Area Network Exploitation: The process of obtaining intelligence information from any source and taking advantage of it. Perimeter Firewall: a Firewall installed between a private network and public networks, such as the Internet. Network security: refers to any activities designed to protect network, especially the usability, reliability, integrity and safety of the network and data Network Security Architecture: a subset of network architecture specifically addressing network security. Security Functionality: are the security-related features or functions employed within an information system or the infrastructure supporting the system. IT Security Requirements: describe functional and non-functional requirements that need to be satisfied in order to achieve the security attributes of an IT system. Remote Access Points (RAPs): provide secure always-on network access to corporate enterprise resources from remote locations. Data: Information that has been translated into a form that is more convenient to move or process. Page 3 of 9

VPN (Virtual Private Network: A virtual private network (VPN) is a network that uses a public telecommunication infrastructure and their technology such as the Internet, to provide remote offices or individual users with secure access to their organization's network Proxy server: is a computer that acts as a gateway between a local network and a large scale network such as the Internet. Proxy servers provide increased performance and security. Database: is a collection of information that is organized so that it can easily be accessed, managed and updated. TCP/IP: a set of protocols (including TCP) developed for the internet in the 1970s to get data from one network device to another Authentication: a systematic method of confirming the identity of an individual or system Service: is a long-running executable that performs specific functions and which is designed not to require user intervention. Traffic: is data in a network. In computer networks, the data is encapsulated in packets Threat: is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm. Vulnerability: is a weakness which allows an attacker to reduce a system's information assurance. Firewall: is a software or hardware-based network security system that controls the incoming and outgoing network traffic. (IT)Information technology: any equipment or interconnected system or subsystem of equipment, that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of vocal, pictorial, textual and numerical data or information Page 4 of 9

3. PURPOSE To define standards for provisioning security devices owned and/or operated by Bojanala Platinum District Municipality. To prevent exploitation of insecure services, restrict inbound/outbound traffic from unregistered devices, control inbound/outbound access to/from specific services or devices and monitor traffic volumes. 4. SCOPE This policy defines the essential rules regarding the management and maintenance of Firewall at Bojanala Platinum District Municipality and it applies to all users that use computers and the network of Bojanala Platinum District Municipality. 5. POLICY STATEMENT Bojanala Platinum District Municipality perimeter firewalls are a key component of the overall department s Network Security Architecture. This IT Firewall policy governs how the perimeter Firewalls will filter Internet traffic to mitigate risks and possible losses associated with security threats to the networks and information systems. 6. REQUIREMENTS 6.1. The Firewall system shall control all traffic entering and leaving the Bojanala Platinum District Municipality Internal network. 6.2. Bojanala Platinum District Municipality Firewall shall block all incoming and outgoing traffic by default. 6.3. Only authorized incoming and outgoing traffic shall be allowed to pass through the firewall. 6.4. Traffic with invalid source or destination addresses shall always be blocked. 6.5. Traffic with an invalid source address for incoming traffic or destination address for outgoing traffic (an invalid external address) shall be blocked at the network perimeter. 6.6. Traffic with a private destination address for incoming traffic or source address for outgoing traffic (an internal address) shall be blocked at the network perimeter. 6.7. Outbound traffic with invalid source addresses shall be blocked. 6.8. Incoming traffic with a destination address of the firewall itself shall be blocked unless the firewall is offering services for incoming traffic that require direct connections. Page 5 of 9

6.9. Traffic from outside the network containing broadcast addresses that are directed to inside the network shall be blocked. 7. OPERATIONS 7.1. Only Firewall system administrators shall be permitted to logon to Firewall hosts. Access to firewall hosts shall be tightly controlled. Only Firewall system administrators are allowed to have user accounts on Firewall hosts. Firewall system administrators shall have personal accounts; i.e. no group logins are allowed. 7.2. All changes to Firewall access rules shall be made through a single approved interface. The firewall shall have a trusted path for its management e.g. a physically secure dedicated management process with a password-based identification and authentication system 7.3. Only personnel with the appropriate authorization shall make changes to the Firewall access rules, software, hardware or configuration. All changes shall be as a result of a request recorded in a Change Management System although emergency modifications can be requested be phone, with a follow up email and change request. Only authorized personnel must be able to implement the changes and an audit log must be retained as per Unit ICT Change Management Policy. 7.4. Logging and audit facilities provided by the Firewall system shall be fully utilized. All significant traffic through the Firewall shall be logged. The Firewall shall provide sufficient audit capacity to detect breaches of the Firewall s security and attempted network intrusions. Firewall System Administrators shall examine logs on a regular basis and also set up mechanisms to respond to alarms. 8. CONFIGURATION 8.1 The perimeter Firewall system shall be configured to deny any service unless it is expressly permitted. If there are no rules defined for the department network address, then traffic to or from that address shall be denied. Access to the department network shall be blocked during the start-up procedure of the Firewall. 8.2 The Firewall operating system shall be configured for maximum security. The underlying operating system of Firewall hosts shall be configured for maximum security, including the disabling of any unused services. 8.3 The Firewall product suite shall reside on dedicated hardware. Applications that could interfere with, and thus compromise, the security and effectiveness of the Firewall products, Page 6 of 9

shall not be allowed to run on the host machine. 8.4 The initial build and configuration of the Firewall shall be fully documented. This provides a baseline description of the Firewall system to which all subsequent changes can be applied. This permits tracking of all changes to ensure a consistent and known state is maintained. 8.5 Security shall not be compromised by the failure of any Firewall component. If any component of the Firewall fails, the default response will be to immediately prevent any further access, both outbound as well as inbound. A Firewall component is any piece of hardware or software that is an integral part of the Firewall system. A hardware failure occurs when equipment malfunctions or is switched off. A software failure can occur for many reasons e.g. bad maintenance of the rules database on the Firewall or software which is incorrectly installed or upgraded. 8.6 There shall be regular reviews to validate the Firewall system meets the needs of the business regarding information security. The configuration of the Firewalls shall be regularly checked to ensure they still match the business requirements regarding the security. It may be necessary to implement separate Firewall modules to protect against the vulnerabilities of certain services. An example would be a package to scan email for viruses or other malicious software. The Firewall must also be regularly tested for vulnerabilities. Applications on internal hosts that handle incoming services will need to be checked for known vulnerabilities. 9. AUDIT AND COMPLIANCE 9.1 Regular testing of the Firewall shall be carried out. The Firewall shall be regularly tested for Configuration errors that may represent a weakness that can be exploited by those with hostile intent. 9.2 Consistency of the Firewall rule set. 9.3 Secure base system implementation 9.4 The Firewall system shall have an alarm capability and supporting procedures. When an agreed specified event occurs, an alarm shall be sent to the security team. Documented procedures shall exist to permit an efficient response to such Firewall security alarms and incidents. In the event that the Firewall itself is the subject of malicious attempts to penetrate it and the Firewall has the capability, delivery of services should be terminated rather than permit uncontrolled access to the department network. Page 7 of 9

9.5 There shall be an active auditing/logging regime to permit analysis of Firewall activity both during and after a security event. An audit trail is vital in determining if there are attempts to circumvent the Firewall security. Audit trails must be protected against loss or unauthorized modification. The Firewall system must be able to provide logging of specific (or all) traffic when suspicious activity is detected. 10. RESPONSIBILITIES IT Unit will be the sole responsible entity for putting in place firewalls and the management thereof. The monitoring will be done by IT Unit and reported to Risk and Security management if any breach attempts are detected. 11. CHANGE CONTROL With any Firewall it is very important to have change control. When rules are introduced there should be a well-defined method for documenting these and in the case of temporary rules, the removal date for the rule should be added in a comment field. The only way of checking if the Firewall is actually enforcing the agreed policy is to either verify it with an Intrusion Detection System, or to do a manual verification using a penetration test or a Firewall review by third party. 12. MONITOR STABILITY A Firewall is like any other infrastructure component and should be managed as such. It should be monitored for availability to ensure maximum uptime. If a Firewall isn t stable, people will find ways of avoiding the Firewall that leads to a low level of security. 13. ENFORCEMENT IT Unit is responsible for enforcing this policy and continuously ensuring monitoring and compliance. Page 8 of 9

14. CONSEQUENCES FOR NON-COMPLIANCE Non-compliance of this policy may lead to disciplinary actions. 15. POLICY REVIEW This policy shall be reviewed annually. Page 9 of 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information