The organization will maintain a standard and appropriate procedures to establish and maintain firewall design and configuration practices. [UCF ID 00544]
Supporting and supported controls
This control directly supports:
• Ensure network access points are identified and controlled [UCF Control ID 00529]
This control has the following supporting controls:
• Secure router configurations against unauthorized changes [UCF Control ID 00541]
• Establish an overarching firewall placement standard [UCF Control ID 00546]
• All mobile computers should be equipped with a firewall that is installed, active, configured by the organization, and not changeable by the end user [UCF Control ID 00550]
• Configure firewalls, routers, and networking equipment to follow organizational compliance mandates in order to protect confidential information and systems [UCF Control ID 01284]
• Key web-facing applications should have application layer firewalls [UCF Control ID 01450]
Authority documents complied with:
Australian Government ICT Security Manual (ACSI 33) § 3.8.72, 3.10.28; FFIEC IT Examination Handbook – Information Security Pg 39, Pg 42; FFIEC IT Examination Handbook – Audit Exam Tier II Obj C.1; FFIEC IT Examination Handbook – Operations Pg 28; FFIEC IT Examination Handbook – E-Banking Pg 29; OECD / World Bank Technology Risk Checklist V; CobiT 4.1 DS5.10; The Standard of Good Practice for Information Security NW2.2.1, NW2.2.3, NW2.2.5, UE5.4.4(c); ISO 17799:2000, Code of Practice for Information Security Management § 9.4.8(f), B.4.5; OGC ITIL: Security Management 4.2.4; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 § 3.12.2; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 § 2.2, § 2.4, § 2.6, § 3.1, § 5.3, § 5.7; American Express Data Security Standard (DSS) § 1a; Payment Card Industry Self-Assessment Questionnaire D § 1.1.4; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 § 1, 1.1.6; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008 § 1; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 § 1, 1.1.6; AICPA/CICA Privacy Framework 8.2.2(i); AICPA Suitable Trust Services Criteria ¶ .17 § 3.3, ¶ .20 § 3.6, ¶ .24 § 3.7, ¶ .29 § 3.6
Sarbanes Oxley Guidance
¶ .17 § 3.3, ¶ .20 § 3.6, ¶ .24 § 3.7, ¶ .29 § 3.6 of AICPA Suitable Trust Services Criteria states that procedures should be in place to restrict unauthorized access to the system.
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Operations Pg 28 states that the organization should use firewalls to segregate and restrict access to the network and restrict the content of inbound and outbound traffic.
The FFIEC IT Examination Handbook – E-Banking Pg 29 states that firewalls should be used by the organization to control external access to the network by enforcing the organization's security policy.
Credit Card Guidance
PCI-DSS, § 1.1 calls for the organization to establish firewall configuration standards, policies, and procedures.
§ 1.1.8 calls for the organization to review these standards quarterly.
The American Express Data Security Standard § 1a states that the organization must employ internal and external firewalls to prevent intrusions from the internet and from within the organization.
The Payment Card Industry's Security Audit Procedures § 1.1 states that the auditor should obtain and inspect the firewall configuration standards and other documentation specified in § 1.1 of the PCI-DSS to verify that standards are complete.
§ 1.1.8a states that the auditor should verify that firewall configuration standards require quarterly review of firewall and router rule sets.
§ 1.1.8b states that the auditor should verify that the rule sets are reviewed each quarter.
The Payment Card Industry Self-Assessment Questionnaire D § 1.1.4 states that firewall configuration standards should include a description of the groups, roles, and responsibilities for the logical management of network components.
The Payment Card Industry Self-Assessment Questionnaire C § 2.1.1a states that SSID broadcasts should be disabled.
§ 1.1.6 of Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 states that the router and firewall rule sets must be reviewed at least every 6 months.
§ 1 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008 states that the organization must install and maintain a firewall configuration to protect data.
§ 1, 1.1.6 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 states that the organization must install and maintain a firewall configuration to protect data and review those rules regularly.
US Federal Security Guidance
The Corporate Information Security Working Group, Report of the Best Practices Subgroup PE 15.i states that the organization must implement and monitor the status of firewall controls.
NIST Guidance
NIST 800-14 § 3.12.2 calls for secure firewalls to block or filter access between two networks, often between a private network and a larger, more public network such as the internet. Secure gateways allow internal users to connect to external networks while protecting internal systems from compromise.
NIST 800-41 offers a great deal of general information on firewall design. § 2.2 and § 2.4-2.6 discuss the different kinds of firewalls, how they work, and their strengths and weaknesses, making it easier for an organization to choose what is right for its environment.
§ 2.2 describes packet filter firewalls, concluding they are best for high-speed environments where user authentication is not important.
§ 2.4 presents application-proxy firewalls. The final judgment on these is that they are good for enforcing user authentication, but they are very slow, and their vulnerability to address-spoofing attacks must be defended against.
§ 2.6 covers hybrid firewall technologies. Because there are many different varieties, organizations must take the time and care to evaluate a firewall project before purchasing anything.
§ 3.1 provides four guidelines for building an ideal firewall environment. These include keeping a project as simple as possible, using any devices as they are meant to be used, creating defenses that include multiple layers and being sure to focus on external and internal threats to an organization’s network.
§ 5.3 offers additional strategies for handling firewalls. This section recommends having a failover strategy. That way, if one firewall fails, all traffic shifts over to a backup firewall and defenses are still in place.
§ 5.7 talks about firewalls that are created to protect specific, special-purpose systems. These can be used with a network firewall to limit user access to resources inside an organization.
European Union Guidance
The OECD Risk Checklist V calls for certified firewalls or use of specific criteria when deciding on a specific firewall. Additionally, it calls for a comprehensive list of what should be allowed through the firewall, and strategic placement of firewalls. A network should be explicitly configured to restrict access for everything that does not need to enter the firewall. Finally, firewall logs must be monitored to be sure they are correctly capturing data.
Asia and Pacific Rim Guidance
The Australian Government ICT Security Manual (ACSI 33) § 3.8.72, 3.10.28 states that a firewall should be installed between the organization's network and the Voice over Internet Protocol (VoIP) gateway and should be configured to only allow VoIP traffic.
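The OECD checklist item above (explicitly restrict everything that does not need to pass the firewall), the ACSI 33 item (a VoIP gateway that accepts only VoIP traffic), and the PCI DSS rule set review interval can all be checked mechanically against an exported rule set. The audit script below is an added illustration, not part of the UCF control text or any vendor tool; the rule tuple format, the gateway address, the allowed VoIP ports and the review dates are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample rule set (hypothetical, not from any real deployment).
# Each rule: (action, source, destination, protocol, port); "*" means any.
RULES = [
    ("allow", "10.0.0.0/8", "10.9.9.9", "udp", 5060),          # SIP signalling to VoIP gateway
    ("allow", "10.0.0.0/8", "10.9.9.9", "udp", "10000-20000"),  # RTP media to VoIP gateway
    ("allow", "10.0.0.0/8", "10.9.9.9", "tcp", 22),            # SSH to gateway: not VoIP
    ("allow", "*", "10.1.1.1", "tcp", 443),                    # public web service
    ("deny", "*", "*", "*", "*"),                              # explicit default deny
]
VOIP_GATEWAY = "10.9.9.9"                                      # assumed gateway address
VOIP_PORTS = {("udp", 5060), ("udp", "10000-20000")}           # assumed VoIP requirements

def has_explicit_default_deny(rules):
    """OECD checklist: the final rule must deny everything not explicitly allowed."""
    return bool(rules) and rules[-1] == ("deny", "*", "*", "*", "*")

def voip_gateway_violations(rules, gateway=VOIP_GATEWAY, voip_ports=VOIP_PORTS):
    """ACSI 33: only VoIP traffic may reach the gateway; return offending allow rules."""
    return [r for r in rules
            if r[0] == "allow" and r[2] == gateway and (r[3], r[4]) not in voip_ports]

def review_overdue(last_review_iso, today_iso, max_days=90):
    """PCI DSS review interval: 90 days for quarterly, 182 for the 6-month wording.
    Dates are ISO strings (YYYY-MM-DD)."""
    last_review = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_review) > timedelta(days=max_days)

def audit(rules, last_review_iso, today_iso, max_days=90):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    if not has_explicit_default_deny(rules):
        findings.append("no explicit final deny-all rule")
    for r in voip_gateway_violations(rules):
        findings.append(f"non-VoIP traffic allowed to VoIP gateway: {r}")
    if review_overdue(last_review_iso, today_iso, max_days):
        findings.append(f"rule set review overdue (older than {max_days} days)")
    return findings

if __name__ == "__main__":
    for finding in audit(RULES, "2024-01-05", "2024-06-01"):
        print("FINDING:", finding)
```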
Metrics
The metrics associated with this control are as follows:
• Metric Reporting Standard 02082.doc
• Metric Reporting Standard 02116.doc
