The organization will maintain a standard and appropriate procedures to establish and maintain firewall design and configuration practices. [UCF ID 00544]
Supporting and supported controls
This control directly supports:
• Ensure network access points are identified and controlled [UCF Common Control ID 00529]
This control has the following supporting controls:
• Secure router configurations against unauthorized changes [UCF Common Control ID 00541]
• Establish an overarching firewall placement standard [UCF Common Control ID 00546]
• All mobile computers should be equipped with a firewall that is installed, active, configured by the organization, and not changeable by the end user [UCF Common Control ID 00550]
• Configure firewalls, routers, and networking equipment to follow organizational compliance mandates in order to protect confidential information and systems [UCF Common Control ID 01284]
• Key web-facing applications should have application layer firewalls [UCF Common Control ID 01450]
Authority documents complied with:
Australian Government ICT Security Manual (ACSI 33) § 3.8.72, 3.10.28; FFIEC IT Examination Handbook – Information Security Pg 39, Pg 42; FFIEC IT Examination Handbook – Audit Exam Tier II Obj C.1; FFIEC IT Examination Handbook – Operations Pg 28; FFIEC IT Examination Handbook – E-Banking Pg 29; OECD / World Bank Technology Risk Checklist V; CobiT 4.1 DS5.10; The Standard of Good Practice for Information Security NW2.2.1, NW2.2.3, NW2.2.5, UE5.4.4(c); ISO 17799:2000, Code of Practice for Information Security Management § 9.4.8(f), B.4.5; OGC ITIL: Security Management 4.2.4; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 § 3.12.2; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 § 2.2, § 2.4, § 2.6, § 3.1, § 5.3, § 5.7; DISA Wireless STIG Windows Mobile Messaging Checklist Version 5, Release 2.3 3.8, App B.3; DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.1 ?; DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.1 ?; DISA Secure Remote Computing Security Technical Implementation Guide version 1.2 5.2; American Express Data Security Standard (DSS) § 1a; Payment Card Industry Self-Assessment Questionnaire D § 1.1.4; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 § 1, 1.1.6; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008 § 1; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 § 1, 1.1.6; AICPA/CICA Privacy Framework 8.2.2(i); AICPA Suitable Trust Services Criteria ¶ .17 § 3.3, ¶ .20 § 3.6, ¶ .24 § 3.7, ¶ .29 § 3.6; FISCAM (Federal Information System Controls Audit Manual) AC-3.2(E); Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives PE 15.i; Army Regulation 380-19: Information Systems Security App. D-3
Sarbanes Oxley Guidance
¶ .17 § 3.3, ¶ .20 § 3.6, ¶ .24 § 3.7, ¶ .29 § 3.6 of AICPA Suitable Trust Services Criteria states that procedures should be in place to restrict unauthorized access to the system.
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Operations Pg 28 states that the organization should use firewalls to segregate and restrict access to the network and restrict the content of inbound and outbound traffic.
The FFIEC IT Examination Handbook – E-Banking Pg 29 states that firewalls should be used by the organization to control external access to the network by enforcing the organization's security policy.
Credit Card Guidance
PCI-DSS, § 1.1 calls for the organization to establish firewall configuration standards, policies, and procedures.
§ 1.1.8 calls for the organization to review firewall and router rule sets quarterly.
The American Express Data Security Standard § 1a states that the organization must employ internal and external firewalls to prevent intrusions from the internet and from within the organization.
The Payment Card Industry's Security Audit Procedures § 1.1 states that the auditor should obtain and inspect the firewall configuration standards and other documentation specified in § 1.1 of the PCI-DSS to verify that standards are complete.
§ 1.1.8a states that the auditor should verify that firewall configuration standards require quarterly review of firewall and router rule sets.
§ 1.1.8b states that the auditor should verify that the rule sets are reviewed each quarter.
The Payment Card Industry Self-Assessment Questionnaire D § 1.1.4 states that firewall configuration standards should include a description of the groups, roles, and responsibilities for the logical management of network components.
The Payment Card Industry Self-Assessment Questionnaire C § 2.1.1a states that SSID broadcasts should be disabled.
§ 1.1.6 of Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 states that router and firewall rule sets must be reviewed at least every six months.
§ 1 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008 states that the organization must install and maintain a firewall configuration to protect data.
§ 1, 1.1.6 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 states that the organization must install and maintain a firewall configuration to protect data and review the rule sets regularly.
US Federal Security Guidance
The Corporate Information Security Working Group, Report of the Best Practices Subgroup PE 15.i states that the organization must implement and monitor the status of firewall controls.
App. D-3 of Army Regulation 380-19: Information Systems Security states that a firewall should be implemented for any system connected to the Internet.
NIST Guidance
NIST 800-14 § 3.12.2 calls for secure firewalls to block or filter access between two networks, often between a private network and a larger, more public network such as the internet. Secure gateways allow internal users to connect to external networks while protecting internal systems from compromise.
NIST 800-41 offers a lot of general information on firewall design. § 2.2 and § 2.4-2.6 discuss different firewalls, how they work and their strengths and weaknesses, making it easier for an organization to choose what is right for their environment.
§ 2.2 describes packet filter firewalls, concluding they are best for high-speed environments where user authentication is not important.
§ 2.4 presents application-proxy firewalls. The final judgment on these is that they are well suited to enforcing user authentication, but they are slow, and their exposure to address-spoofing attacks must be addressed.
§ 2.6 covers hybrid firewall technologies. Because there are many different varieties, organizations must take the time and care to evaluate a firewall project before purchasing anything.
§ 3.1 provides four guidelines for building an ideal firewall environment: keep the design as simple as possible, use each device only as it is meant to be used, build defenses in multiple layers, and address both external and internal threats to the organization's network.
§ 5.3 offers additional strategies for handling firewalls. This section recommends having a failover strategy. That way, if one firewall fails, all traffic shifts over to a backup firewall and defenses are still in place.
§ 5.7 talks about firewalls that are created to protect specific, special-purpose systems. These can be used with a network firewall to limit user access to resources inside an organization.
General security checklist guidance
5.2 of DISA Secure Remote Computing Security Technical Implementation Guide version 1.2 states that the personal firewall must be configured at least at the "Medium" security level and must include the following: block Internet access, unless permitted by the user; block unused ports in the background; and prompt the user before executing Java Applets and ActiveX controls.
3.8, App B.3 of DISA Wireless STIG Windows Mobile Messaging Checklist Version 5, Release 2.3 states that the Enclave firewall should be configured to only allow the required connections, as noted in Table 3-2. The Trust Digital security policy rule "Enable Firewall" should be Enabled. This is located under Policy Manager/Firewall Settings.
3.7, App B.3 of DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.1 states that the Enclave and Windows Mobile device firewalls should be configured as noted in Table 3-3. The Good Default Firewall Policy should be set to the required rules listed in Table B-4.
3.11 of DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.1 states that the Enclave firewall should be configured to allow only the required outbound Sensa connections, as noted in Table 3-2.
European Union Guidance
The OECD Risk Checklist V calls for certified firewalls, or for the use of specific selection criteria when deciding on a firewall. Additionally, it calls for a comprehensive list of what should be allowed through the firewall, and for strategic placement of firewalls. The network should be explicitly configured to deny everything that is not required to pass through the firewall. Finally, firewall logs must be monitored to be sure they are correctly capturing data.
Asia and Pacific Rim Guidance
The Australian Government ICT Security Manual (ACSI 33) § 3.8.72, 3.10.28 states that a firewall should be installed between the organization's network and the Voice over Internet Protocol (VoIP) gateway and should be configured to allow only VoIP traffic.
Metrics
The metrics associated with this control are as follows:
• Establish and maintain a networks and firewalls metrics management program [UCF Common Control ID 02082]
• Report on the percentage of workstation firewalls, host firewalls, sub-network firewalls, and perimeter firewalls configured in accordance with policy [UCF Common Control ID 02116]
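The guidance above repeats the same handful of checkable properties: an explicit allow list ending in a default deny (OECD checklist), no unrestricted permits, a documented reason for every rule, periodic review of the rule set (quarterly under earlier PCI wording, every six months under PCI DSS v1.2 § 1.1.6), and a metric for the share of firewalls configured per policy (UCF 02116). The following script is an added example, not part of the UCF page or any of the cited authority documents; it audits a rule set against those properties and computes the compliance percentage. The rule record format, field names, sample addresses, and the SIP/RTP port numbers used in the constructed VoIP gateway rule set are assumptions made for the example.

```python
"""Audit firewall rule sets against a written configuration standard.

Added example (not from the UCF page or any cited standard). Rule format,
addresses and port numbers below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    src: str                    # CIDR, host, or "any"
    dst: str
    proto: str                  # "tcp", "udp", "icmp", or "any"
    ports: str                  # "5060", "16384-32767", or "any"
    justification: str = ""     # business reason the standard requires
    last_reviewed: Optional[date] = None


def is_default_deny(rule: Rule) -> bool:
    """A deny that matches all sources, destinations, protocols and ports."""
    return (rule.action == "deny" and rule.src == ANY and rule.dst == ANY
            and rule.proto == ANY and rule.ports == ANY)


def audit_ruleset(rules: List[Rule], today: date,
                  review_period_days: int = 182) -> List[str]:
    """Return policy violations for one rule set; empty means compliant."""
    findings: List[str] = []
    if not rules:
        return ["empty rule set: no explicit policy is enforced"]

    # Explicit default deny must exist, and nothing may follow it (a rule
    # after a catch-all deny is unreachable and signals careless editing).
    deny_positions = [i for i, r in enumerate(rules) if is_default_deny(r)]
    if not deny_positions:
        findings.append("no explicit default deny rule")
    else:
        for r in rules[deny_positions[0] + 1:]:
            findings.append(f"rule {r.name}: unreachable (after default deny)")

    for r in rules:
        if r.action == "permit":
            if r.src == ANY and r.dst == ANY and ANY in (r.proto, r.ports):
                findings.append(f"rule {r.name}: unrestricted any/any permit")
            if not r.justification.strip():
                findings.append(f"rule {r.name}: no documented justification")
        if r.last_reviewed is None:
            findings.append(f"rule {r.name}: never reviewed")
        elif (today - r.last_reviewed).days > review_period_days:
            findings.append(f"rule {r.name}: review overdue")
    return findings


def compliance_percentage(firewalls: Dict[str, List[Rule]], today: date,
                          review_period_days: int = 182) -> float:
    """Share of firewalls with zero findings (a UCF 02116 style metric)."""
    compliant = sum(1 for rs in firewalls.values()
                    if not audit_ruleset(rs, today, review_period_days))
    return 100.0 * compliant / len(firewalls)


# Constructed sample data (not from any real deployment).
TODAY = date(2009, 6, 1)
REVIEWED = date(2009, 4, 15)   # within the six-month window
STALE = date(2008, 9, 1)       # older than six months

# VoIP gateway firewall: only SIP signalling and RTP media, then deny all.
# Port numbers are assumed values typical of SIP/RTP deployments.
VOIP_GATEWAY = [
    Rule("sip-signalling", "permit", "10.0.0.0/8", "10.200.1.5/32", "udp",
         "5060", "SIP signalling from internal phones to gateway", REVIEWED),
    Rule("rtp-media", "permit", "10.0.0.0/8", "10.200.1.5/32", "udp",
         "16384-32767", "RTP media to the VoIP gateway", REVIEWED),
    Rule("default-deny", "deny", ANY, ANY, ANY, ANY, "catch-all", REVIEWED),
]

# DMZ edge firewall with the classic defects an auditor looks for.
DMZ_EDGE = [
    Rule("web", "permit", ANY, "192.0.2.10/32", "tcp", "443",
         "public web server", STALE),
    Rule("temp-open", "permit", ANY, ANY, ANY, ANY, "", REVIEWED),
    Rule("default-deny", "deny", ANY, ANY, ANY, ANY, "catch-all", REVIEWED),
    Rule("forgotten", "permit", ANY, "192.0.2.11/32", "tcp", "22",
         "admin ssh", REVIEWED),
]

SAMPLE_FIREWALLS = {"voip-gw": VOIP_GATEWAY, "dmz-edge": DMZ_EDGE}

if __name__ == "__main__":
    for fw_name, fw_rules in SAMPLE_FIREWALLS.items():
        for finding in audit_ruleset(fw_rules, TODAY):
            print(f"{fw_name}: {finding}")
    print(f"compliant: {compliance_percentage(SAMPLE_FIREWALLS, TODAY):.0f}%")
```

Run as-is, the script reports no findings for the VoIP gateway, four for the DMZ edge (an unreachable rule after the default deny, an overdue review, and an any/any permit with no justification), and a compliance figure of 50%. In practice the `Rule` records would be generated from a vendor's configuration export rather than typed in, and the review period would come from the organization's firewall configuration standard.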
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
