Status: Live
The organization will maintain a standard and appropriate procedures to establish and maintain firewall design and configuration practices. [UCF ID 00544]
Supporting and supported controls
This control directly supports:
• Ensure network access points are identified and controlled [UCF Control ID 00529]
This control has the following supporting controls:
• Secure router configurations against unauthorized changes [UCF Control ID 00541]
• Establish an overarching firewall placement standard [UCF Control ID 00546]
• All mobile computers should be equipped with a firewall that is installed, active, configured by the organization, and not changeable by the end user [UCF Control ID 00550]
• Configure firewalls, routers, and networking equipment to follow organizational compliance mandates in order to protect confidential information and systems [UCF Control ID 01284]
• Key web-facing applications should have application layer firewalls [UCF Control ID 01450]
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.3, ¶ .20 § 3.6, ¶ .24 § 3.7, ¶ .29 § 3.6; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj C.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 29; FFIEC IT Examination Handbook – Information Security, Pg 39, Pg 42; FFIEC IT Examination Handbook – Operations, July 2004, Pg 28; American Express Data Security Standard (DSS), § 1a; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 1, § 1.1.6; Army Regulation 380-19: Information Systems Security, February 27, 1998, App D-3; Protection of Assets Manual, ASIS International, Pg 12-II-35, Pg 12-IV-24; Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives, § 15.i; Federal Information System Controls Audit Manual (FISCAM), February 2009, AC-3.2(E); Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.12.2; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002, § 2.2, § 2.4, § 2.6, § 3.1, § 5.3, § 5.7; CobiT 4.1, DS5.10; The Standard of Good Practice for Information Security, NW2.2.1, NW2.2.3, NW2.2.5, UE5.4.4(c); DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 3.11; DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3, § 3.7, App B.3; DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 5.2; DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5,Release 2.4, Version 5 Release 2.4, § 3.8, App B.3; OGC ITIL: Security Management, § 4.2.4; OECD / World Bank Technology Risk Checklist, Version 7.3, § V; Australian Government ICT Security Manual (ACSI 33), § 3.8.72, § 3.10.28; Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts, § 17.04(6); Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2, § 1; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 1, § 1.1.6; Archer Control Table, ATCS-188, ATCS-363, ATCS-477, ATCS-500
Sarbanes Oxley Guidance
Procedures should be in place to restrict unauthorized access to the system. [¶ .17 § 3.3, ¶ .20 § 3.6, ¶ .24 § 3.7, ¶ .29 § 3.6, AICPA Suitable Trust Services Principles and Criteria]
Banking and Finance Guidance
[Exam Tier II Obj C.1, FFIEC IT Examination Handbook – Audit, August 2003]
Firewalls should be used by the organization to control external access to the network by enforcing the organization's security policy. [Pg 29, FFIEC IT Examination Handbook – E-Banking, August 2003]
The organization should develop a firewall policy. The firewall policy should include the type of firewall being used; how firewall traffic is monitored; the physical placement of the firewall; the firewall architecture; how the firewall is updated; what traffic is permitted; what protocols and applications are permitted; when the firewall configuration is audited; when the firewall's effectiveness is tested; and who is responsible for monitoring and enforcing the firewall policy. The organization should use a firewall to protect its systems. Four types of firewall are available: packet filtering, proxy servers, stateful inspection, and application-level firewalls. A firewall should be set to fail closed, so that if it fails it blocks all traffic rather than passing it. [Pg 39, Pg 42, FFIEC IT Examination Handbook – Information Security]
The organization should use firewalls to segregate and restrict access to the network and restrict the content of inbound and outbound traffic. [Pg 28, FFIEC IT Examination Handbook – Operations, July 2004]
Payment Card Guidance
The organization must employ internal and external firewalls to prevent intrusions from the internet and from within the organization. [§ 1a, American Express Data Security Standard (DSS)]
Install and maintain a firewall configuration to protect data and review those rules regularly.
Verify that the firewall and router rule sets are reviewed at least every six months. [§ 1, § 1.1.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
Install and maintain a firewall configuration to protect data [§ 1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2]
Install and maintain a firewall configuration to protect data and review those rules regularly. [§ 1, § 1.1.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
US Federal Security Guidance
A firewall should be implemented for any system connected to the Internet. [App D-3, Army Regulation 380-19: Information Systems Security, February 27, 1998]
Firewalls should be installed between the Internet and the organization's network. [Pg 12-II-35, Pg 12-IV-24, Protection of Assets Manual, ASIS International]
The organization must implement and monitor the status of firewall controls. [§ 15.i, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives]
[AC-3.2(E), Federal Information System Controls Audit Manual (FISCAM), February 2009]
NIST Guidance
There is a need for secure firewalls to block or filter access between two networks, often between a private network and a larger, more public network such as the internet. Secure gateways allow internal users to connect to external networks while protecting internal systems from compromise. [§ 3.12.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
NIST SP 800-41 offers general guidance on firewall design. The document discusses the different firewall types, how they work, and their strengths and weaknesses, which helps an organization choose what is right for its environment.
§ 2.2 describes packet filter firewalls, concluding they are best for high-speed environments where user authentication is not important.
§ 2.4 presents application-proxy firewalls. The conclusion is that they are well suited to enforcing user authentication, but they are much slower, and their vulnerability to address spoofing attacks must be defended against.
§ 2.6 covers hybrid firewall technologies. Because there are many different varieties, organizations must take the time and care to evaluate a firewall project before purchasing anything.
§ 3.1 provides four guidelines for building an ideal firewall environment: keep the design as simple as possible, use devices as they were designed to be used, build defenses in multiple layers, and address both external and internal threats to the organization's network.
§ 5.3 offers additional strategies for handling firewalls. This section recommends having a failover strategy. That way, if one firewall fails, all traffic shifts over to a backup firewall and defenses are still in place.
§ 5.7 talks about firewalls that are created to protect specific, special-purpose systems. These can be used with a network firewall to limit user access to resources inside an organization. [§ 2.2, § 2.4, § 2.6, § 3.1, § 5.3, § 5.7, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002]
US State Laws and Protectorates Guidance
Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all computers and wireless systems and must include an up-to-date firewall implemented on all systems that connect to the Internet. [§ 17.04(6), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts]
Other Configuration Guidance
The Enclave firewall should be configured to allow only the required outbound Sensa connections. [§ 3.11, DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]
The Enclave firewall should be configured to allow only the required outbound Sensa connections, as noted in Table 3-2. [§ 3.7, App B.3, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3]
The personal firewall must be configured at least at the "Medium" security level and must include the following: block Internet access, unless permitted by the user; block unused ports in the background; and prompt the user before executing Java Applets and ActiveX controls. [§ 5.2, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]
The Enclave firewall should be configured to only allow the required connections, as noted in Table 3-2. The Trust Digital security policy rule "Enable Firewall" should be Enabled. This is located under Policy Manager/Firewall Settings. [§ 3.8, App B.3, DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5,Release 2.4, Version 5 Release 2.4]
ITIL Guidance
[§ 4.2.4, OGC ITIL: Security Management]
General Guidance
The organization should ensure that security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation and intrusion detection) are used to authorize access and control information flows from and to networks. [DS5.10, CobiT 4.1]
The network should be protected by one or more firewalls. Firewalls should be configured to block or restrict communications based on addresses and ports. Firewalls should check destination addresses and ports, the validity of the network services, and information about the state of communications and users. [NW2.2.1, NW2.2.3, NW2.2.5, UE5.4.4(c), The Standard of Good Practice for Information Security]
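The fail-closed requirement from the FFIEC guidance above, the six-monthly rule-set review from PCI DSS § 1.1.6, and the address, port and state checks from the Standard of Good Practice all reduce to what the rules actually say. The following is an added example, not UCF text and not any firewall vendor's tool, of a small rule-set review script: it checks that the default policy is deny, flags catch-all "allow any" rules and the rules they shadow, and compares each allowed service against an approved list. The line-oriented export format, the `approved_services` set, and the sample rules are all constructed for the example and are assumptions, not any real product's format or any real network.

```python
"""Review a firewall rule set against a fail-closed, least-privilege policy.

Added example for this control page; not UCF text and not any vendor's tool.
The input format is constructed for the example: one rule per line,
    <allow|deny> <proto> <src> <dst> <dport>
with 'any' as a wildcard, first match wins, and a final line
    default <allow|deny>
giving the policy for traffic that no rule matches. '#' starts a comment.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ACTIONS = ("allow", "deny")


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # destination port number or "any"

    def is_catch_all(self) -> bool:
        """True when the rule matches every packet, so nothing after it can ever match."""
        return (self.proto, self.src, self.dst, self.dport) == ("any",) * 4


def parse_rules(text: str):
    """Parse the constructed export. Returns (rules, default_policy); raises ValueError on bad input."""
    rules, default = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "default":
            if len(parts) != 2 or parts[1] not in ACTIONS:
                raise ValueError(f"line {lineno}: bad default policy")
            default = parts[1]
            continue
        if len(parts) != 5 or parts[0] not in ACTIONS:
            raise ValueError(f"line {lineno}: expected '<action> <proto> <src> <dst> <dport>'")
        action, proto, src, dst, dport = parts
        for addr in (src, dst):
            if addr != "any":
                ip_network(addr)   # rejects malformed CIDRs instead of silently accepting them
        if dport != "any" and not (dport.isdigit() and 0 < int(dport) <= 65535):
            raise ValueError(f"line {lineno}: bad port {dport!r}")
        rules.append(Rule(action, proto, src, dst, dport))
    if default is None:
        raise ValueError("no 'default <allow|deny>' line: the policy must say what happens when nothing matches")
    return rules, default


def review(rules, default, approved_services):
    """Return a list of findings. approved_services: set of (proto, dport) pairs the written policy permits."""
    findings = []
    if default != "deny":
        findings.append(f"default policy is '{default}': must be deny so the firewall fails closed")
    dead_from = None   # index of the first catch-all rule; every rule after it is unreachable
    for i, r in enumerate(rules, 1):
        if dead_from is not None:
            findings.append(f"rule {i}: unreachable, shadowed by catch-all rule {dead_from}")
            continue
        if r.is_catch_all():
            if r.action == "allow":
                findings.append(f"rule {i}: 'allow any any any any' disables the firewall for all traffic")
            dead_from = i
            continue
        if r.action != "allow":
            continue
        if r.src == "any" and r.dport == "any":
            findings.append(f"rule {i}: exposes every port of {r.dst} to any source")
        if r.dport != "any" and (r.proto, r.dport) not in approved_services:
            findings.append(f"rule {i}: {r.proto}/{r.dport} to {r.dst} is not on the approved service list")
    return findings


# Constructed sample data for the example (not from any real system).
APPROVED = {("tcp", "443"), ("tcp", "22")}

SAMPLE_EXPORT = """\
allow tcp any 10.0.1.10/32 443       # public web front end
allow tcp 10.0.0.0/8 10.0.2.5/32 22  # admin ssh from internal ranges only
allow tcp any 10.0.3.7/32 3389       # RDP open to the world: not an approved service
allow any any any any                # 'temporary' troubleshooting rule left in place
deny tcp any 10.0.1.10/32 8080       # never evaluated: shadowed by the rule above
default allow
"""


def review_export(text: str, approved=APPROVED):
    rules, default = parse_rules(text)
    return review(rules, default, approved)


if __name__ == "__main__":
    for finding in review_export(SAMPLE_EXPORT):
        print(finding)
```

Running it against the constructed export produces four findings: the permissive default policy, the unapproved RDP service, the catch-all allow, and the deny rule shadowed behind it. The same checks, run against the real export at each review, give the reviewer a repeatable baseline; a clean result still needs a human to confirm that the approved-service list itself matches the written firewall policy.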
EU Guidance
The checklist calls for certified firewalls, or for defined criteria when selecting a firewall; a comprehensive list of what is allowed through the firewall; and strategic placement of firewalls. The network should be explicitly configured to deny everything that does not need to pass through the firewall. Finally, firewall logs must be monitored to confirm they are capturing data correctly. [§ V, OECD / World Bank Technology Risk Checklist, Version 7.3]
Asia and Pacific Rim Guidance
A firewall should be installed between the organization's network and the Voice over Internet Protocol (VoIP) gateway and should be configured to only allow VoIP traffic. [§ 3.8.72, § 3.10.28, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
• Establish and maintain a networks and firewalls metrics management program [UCF Control ID 02082]
• Report on the percentage of workstation firewalls, host firewalls, sub-network firewalls, and perimeter firewalls configured in accordance with policy [UCF Control ID 02116]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
