Status: Live
The organization will ensure that it has established an overarching placement standard that can be applied to all firewall types. [UCF ID 00546]
Supporting and supported controls
This control directly supports:
• Establish and maintain firewall design and configuration practices [UCF Control ID 00544]
This control has the following supporting controls:
• Ensure firewall change procedures are formalized [UCF Control ID 00548]
• Ensure firewall logs are capturing correct data [UCF Control ID 00549]
• Formalize the processes for testing and approving all external network connections [UCF Control ID 01270]
• Place firewalls between all security domains and between any DMZ, secure subnet, and internal network zones [UCF Control ID 01274]
• Place perimeter firewalls between any wireless networks and applications or databases with confidential information and either completely deny, or strictly control wireless traffic to these applications and databases [UCF Control ID 01293]
• Ensure that the firewalls are designed to detect malicious code and spoofed addresses [UCF Control ID 01313]
• All wireless access points and bridges will be separated from the wired network through a firewall [UCF Control ID 04588]
Authority documents complied with:
Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 1.2; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, Exhibit 6; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002, § 4.1; Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1, App A.2.1; The Standard of Good Practice for Information Security, CB4.3.4(a), NW2.2.2; DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 6; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2, § 1.2; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 1.2; Archer Control Table, ATCS-500
Payment Card Guidance
Ensure the firewall configuration restricts connections between untrusted networks and any system in the cardholder data environment. [§ 1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
Ensure the firewall configuration restricts connections between untrusted networks and any system in the cardholder data environment. [§ 1.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2]
Ensure the firewall configuration restricts connections between untrusted networks and any system in the cardholder data environment. [§ 1.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
US Internal Revenue Guidance
Database and application server(s) must be located behind firewalls, and only authenticated users and applications must have access to the servers. [Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
The steps for creating an appropriate firewall policy are as follows. First, determine which network applications are necessary for successful operations. Then determine the vulnerabilities of those applications. Next, conduct a cost-benefit analysis of the methods available for securing each application. Then create an applications traffic matrix showing the protection method for each application, and finally create a firewall ruleset based on that matrix. [§ 4.1, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002]
It is recommended that firewall rule sets be configured to prevent reflector attacks by rejecting all suspicious combinations of source and destination ports. [App A.2.1, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1]
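A worked sketch of the NIST SP 800-41 step sequence above, added here as an illustration and not taken from any of the cited documents: a constructed applications traffic matrix is turned into a default-deny ruleset, and the result is then checked against the PCI DSS § 1.2 point that no rule may permit connections from untrusted networks into the cardholder data environment. The zone names, ports and protection-method entries are assumptions for the example.

```python
"""Applications traffic matrix -> firewall ruleset, with a placement check.

Added example: zone names, ports and the protection-method column are
constructed assumptions, not values from any authority document.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: Optional[int]   # None means any port
    action: str           # "permit" or "deny"
    comment: str          # application and protection method from the matrix


# Constructed traffic matrix: one row per approved application flow
# (application, source zone, destination zone, protocol, port, protection method).
TRAFFIC_MATRIX: List[Tuple[str, str, str, str, int, str]] = [
    ("public web", "untrusted", "dmz", "tcp", 443, "TLS at reverse proxy"),
    ("app to db", "dmz", "cde", "tcp", 5432, "authenticated service account"),
    ("admin ssh", "internal", "dmz", "tcp", 22, "MFA via jump host"),
]
UNTRUSTED_ZONES = {"untrusted"}   # assumption: zones outside our control
CDE_ZONES = {"cde"}               # assumption: cardholder data environment


def build_ruleset(matrix) -> List[Rule]:
    """One permit per matrix row, followed by a terminal default deny."""
    rules = [Rule(src, dst, proto, port, "permit", f"{app}: {method}")
             for app, src, dst, proto, port, method in matrix]
    rules.append(Rule("any", "any", "any", None, "deny", "default deny"))
    return rules


def untrusted_to_cde_permits(rules: List[Rule]) -> List[Rule]:
    """Rules that would let an untrusted zone reach the CDE directly (should be empty)."""
    return [r for r in rules if r.action == "permit"
            and r.src_zone in UNTRUSTED_ZONES and r.dst_zone in CDE_ZONES]


def render(rules: List[Rule]) -> str:
    """Human-readable ruleset in matrix order, for review and change approval."""
    lines = []
    for r in rules:
        port = "any" if r.port is None else str(r.port)
        lines.append(f"{r.action:6} {r.src_zone:>9} -> {r.dst_zone:<8} {r.proto}/{port}  # {r.comment}")
    return "\n".join(lines)
```

Running `render(build_ruleset(TRAFFIC_MATRIX))` prints the three permits with their protection method and the closing default deny; a matrix row such as `("direct db", "untrusted", "cde", "tcp", 5432, "none")` is reported by `untrusted_to_cde_permits` before the ruleset is approved.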
Other Configuration Guidance
Remote access device traffic and data must pass through the security architecture defined in the Network Infrastructure STIG. [§ 6, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]
General Guidance
All application-related traffic from external sources should be routed through an appropriate firewall. Procedures should exist for managing the firewall and should cover developing rules for filtering traffic, filtering network traffic, blocking certain traffic, protecting firewalls against attack, and not disclosing information about the network. [CB4.3.4(a), NW2.2.2, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
