Establish and maintain a firewall standard for an overarching placement of all types of firewalls.

UCF ID: 00546
Control Type: Establish/Maintain Documentation
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain a standard and procedure for firewall design and configuration practices. [UCF Control ID 00544]

This control has the following supporting controls:

    Test and approve all firewall changes, ensuring the changes and changed documentation match and meet organizational standards. [UCF Control ID 00548]
    Perform a firewall log review to ensure the firewall logs capture the correct data. [UCF Control ID 00549]
    Test and approve all external network connections through the firewall, ensuring the changes and changed documentation match and meet organizational standards. [UCF Control ID 01270]
    Place firewalls between all security domains and between any DMZ, secure subnet, and internal network zones in accordance with the firewall standard. [UCF Control ID 01274]
    Place perimeter firewalls between wireless networks and applications or databases that contain restricted data or information and completely deny or strictly control wireless traffic to these applications and databases. [UCF Control ID 01293]
    Configure firewalls to detect, filter, and log all malicious code and spoofed addresses. [UCF Control ID 01313]
    Separate the wireless access points and bridges from the wired network through use of a firewall. [UCF Control ID 04588]

Authority documents complied with:

Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 1.2; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, Exhibit 6; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002, § 4.1; The Standard of Good Practice for Information Security, CB4.3.4(a), NW2.2.2; DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 6; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2, § 1.2; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 1.2

Payment Card Guidance

Ensure the firewall configuration restricts connections between untrusted networks and any system in the cardholder data environment. [§ 1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]

Ensure the firewall configuration restricts connections between untrusted networks and any system in the cardholder data environment. [§ 1.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 1.2]

Ensure the firewall configuration restricts connections between untrusted networks and any system in the cardholder data environment. [§ 1.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Internal Revenue Guidance

Database and application server(s) must be located behind firewalls, and only authenticated users and applications must have access to the servers. [Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

The steps to creating an appropriate firewall policy are described as follows. First, determine which network applications are necessary for successful operations. Then determine the vulnerabilities of those applications. Next, conduct a cost-benefit analysis of methods for securing each application. Then create an applications traffic matrix showing the protection method for each application, and finally create a firewall ruleset based on the matrix. [§ 4.1, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002]
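As an added example (not from the UCF page or from NIST SP 800-41), the last two steps carried out in Python: a constructed applications traffic matrix, each row carrying the protection method chosen in the cost-benefit step, is turned into an ordered ruleset that closes with an explicit default deny, and any row already covered by an earlier, broader permit is reported as shadowed so the matrix can be cleaned up. Zone names, networks and application names are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class MatrixRow:
    """One line of the applications traffic matrix (SP 800-41 step 4)."""
    application: str
    src_zone: str     # constructed zone names: internet, dmz, internal
    dst_net: str      # destination network serving the application
    proto: str
    port: int
    protection: str   # method chosen in the cost-benefit step: permit / deny

def build_ruleset(matrix):
    """Step 5: derive an ordered ruleset. Explicit denies go first so a broad
    permit cannot mask them, each permit row becomes one rule, and a default
    deny closes the set. Rows an earlier permit covers are returned as shadowed."""
    rules, shadowed = [], []
    for row in matrix:
        if row.protection == "deny":
            rules.append(_rule("deny", row))
    for row in matrix:
        if row.protection != "permit":
            continue
        net = ip_network(row.dst_net)
        covered = any(r["action"] == "permit" and r["src_zone"] == row.src_zone
                      and r["proto"] == row.proto and r["port"] == row.port
                      and net.subnet_of(ip_network(r["dst_net"])) for r in rules)
        if covered:
            shadowed.append(row.application)
        else:
            rules.append(_rule("permit", row))
    rules.append({"action": "deny", "src_zone": "any", "dst_net": "0.0.0.0/0",
                  "proto": "any", "port": "any", "comment": "default deny"})
    return rules, shadowed

def _rule(action, row):
    return {"action": action, "src_zone": row.src_zone, "dst_net": row.dst_net,
            "proto": row.proto, "port": row.port, "comment": row.application}

# Constructed sample matrix (not taken from any real environment).
MATRIX = [
    MatrixRow("web-front", "internet", "203.0.113.0/24", "tcp", 443, "permit"),
    MatrixRow("legacy-admin", "internet", "203.0.113.10/32", "tcp", 443, "permit"),
    MatrixRow("telnet", "internet", "203.0.113.0/24", "tcp", 23, "deny"),
    MatrixRow("app-to-db", "dmz", "10.0.2.0/24", "tcp", 5432, "permit"),
]

if __name__ == "__main__":
    print(*build_ruleset(MATRIX), sep="\n")  # ordered rules, then shadowed rows
```

Running it lists the telnet deny first, the two surviving permits, the default deny, and reports "legacy-admin" as shadowed because the /24 permit for web-front on the same port already reaches that host.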

Other Configuration Guidance

Remote access device traffic and data must pass through the security architecture defined in the Network Infrastructure STIG. [§ 6, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]

General Guidance

All application-related traffic from external sources should be routed through an appropriate firewall. Procedures should exist for managing the firewall and should cover developing rules for filtering traffic, filtering network traffic, blocking certain traffic, protecting firewalls against attack, and not disclosing information about the network. [CB4.3.4(a), NW2.2.2, The Standard of Good Practice for Information Security]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.