Install firewalls on all mobile computers, correctly configure all firewalls, and prevent the firewalls from being disabled or changed by end users.

UCF ID: 00550
Control Type: Configuration
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain a standard and procedure for firewall design and configuration practices. [UCF Control ID 00544]

There are no supporting controls.

Authority documents complied with:

Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 1.4; Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002, § 2.9; The Standard of Good Practice for Information Security, SM6.4.7(d), CB3.3.5(d), CI2.4.5(d), UE5.4.4(c); The Center for Internet Security Wireless Networking Benchmark, Version 1.0 April 2005, § 2.3.2 (2.3.2.040); DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 5.2; DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, § 3.2 (WIR0100); Australian Government ICT Security Manual (ACSI 33), § 3.10.35, § 3.11.19; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 1.4; Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1, § 6.3.4 (Personal firewalls); Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007, Table 8-2 Item 16; DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1, § 4.1

Payment Card Guidance

Personal firewall software must be installed on all mobile and employee-owned computers that are used to connect to the organization's network and to the Internet. [§ 1.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]

Personal firewall software must be installed on all mobile and employee-owned computers that are used to connect to the organization's network and to the Internet. [§ 1.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

NIST Guidance

As an added security feature, each laptop in an organization should be equipped with a firewall. [§ 2.9, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002]

Client devices should have personal firewalls installed and implemented. The firewall should be centrally managed to ensure all client devices are configured according to the organization's security policy. [§ 6.3.4 (Personal firewalls), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1]

All mobile devices should have a personal firewall installed. [Table 8-2 Item 16, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007]

Other Configuration Guidance

Host-based firewalls should be installed and configured on all WLAN client devices.
Before making a purchase, verify that WLAN client devices, such as PDAs, can have a host-based firewall installed on them.
[§ 2.3.2 (2.3.2.040), The Center for Internet Security Wireless Networking Benchmark, Version 1.0 April 2005]

Remote access devices, including those that can dial in via modem, that access DoD networks must have a personal firewall that has been approved and distributed by DoD CERT. [§ 5.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]

802.11 enabled wireless devices should have a personal firewall implemented and configured to block unauthorized access. The personal firewall software should meet the NIAP Common Criteria requirements.
If the organization does not inspect a sampling of laptops, examine the SRR or self-assessment results for laptops with WLAN access to verify firewalls are installed and configured correctly.
Inspect 10% of the laptops that use WLAN access and run the Gold Disk or SRR scripts to verify that each laptop has the correct configuration for the personal firewall. Inspect 10% of the PDAs and smart phones with WLAN access and verify the personal firewall software on each device is configured to block unneeded inbound and outbound services and ports; configured to automatically update every 14 days or the user is trained to manually update the software every 14 days; configured to block known DDoS ports; and is NIAP certified.
[§ 3.2 (WIR0100), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2]

Implement Firewall Blocks on PCs and Portable Electronic Devices (PEDs) to prevent unauthorized traffic from the Internet. [§ 4.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1]

General Guidance

All mobile computers and workstations should be equipped with a personal firewall. [SM6.4.7(d), CB3.3.5(d), CI2.4.5(d), UE5.4.4(c), The Standard of Good Practice for Information Security]

Asia and Pacific Rim Guidance

Firewalls should be implemented to protect individual machines. If possible, hardware devices should be used instead of software-based firewall applications. If mobile devices are going to be connected to a system with a different classification, a firewall should be used to protect the side of the connection with a higher classification. [§ 3.10.35, § 3.11.19, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of systems with configurations that do not deviate from approved standards. [UCF Control ID 02098]
    Report on the percentage of notebooks and mobile devices that are required to be in compliance with approved configuration policy before being granted network access. [UCF Control ID 02106]
    Report on the percentage of workstation firewalls, host firewalls, sub-network firewalls, and perimeter firewalls configured in accordance with policy. [UCF Control ID 02116]
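The DISA checklist quoted under Other Configuration Guidance and the metrics listed above both come down to the same question: for each mobile device, is the personal firewall present, locked against end-user change, defaulting to block, open only on approved ports, and updated within the 14-day window? The script below is an added example, not UCF material or any cited standard's tooling. It assumes a constructed JSON export in which a central-management agent reports these attributes per device; real products each have their own export format and would need a small adapter that produces the same dictionary shape. The approved port lists are placeholders to be replaced by the organization's own standard.

```python
"""Audit an exported host-firewall inventory against the control's criteria.

Added example. The export format, the field names and the approved port
lists are assumptions for illustration, not a real product's schema.
"""
import json

# Constructed sample export: what a central-management agent might report.
SAMPLE_EXPORT = json.dumps({
    "devices": [
        {"id": "laptop-01", "firewall_enabled": True, "user_can_disable": False,
         "inbound_default": "block", "outbound_default": "block",
         "allowed_inbound_ports": [], "allowed_outbound_ports": [443, 53],
         "signature_age_days": 3},
        {"id": "laptop-02", "firewall_enabled": True, "user_can_disable": True,
         "inbound_default": "block", "outbound_default": "allow",
         "allowed_inbound_ports": [3389], "allowed_outbound_ports": [],
         "signature_age_days": 20},
        {"id": "pda-07", "firewall_enabled": False, "user_can_disable": False,
         "inbound_default": "block", "outbound_default": "block",
         "allowed_inbound_ports": [], "allowed_outbound_ports": [443],
         "signature_age_days": 1},
    ]
})

# Placeholder policy: mobile clients accept no unsolicited inbound traffic and
# may only initiate DNS and web traffic. Substitute the organization's standard.
APPROVED_INBOUND_PORTS = set()
APPROVED_OUTBOUND_PORTS = {53, 80, 443}
MAX_UPDATE_AGE_DAYS = 14  # update interval from the DISA checklist quoted above


def check_device(dev):
    """Return a list of findings for one device; an empty list means compliant."""
    findings = []
    if not dev.get("firewall_enabled"):
        findings.append("firewall disabled")
    if dev.get("user_can_disable"):
        findings.append("end user can disable or change firewall")
    if dev.get("inbound_default") != "block":
        findings.append("inbound default is not block")
    if dev.get("outbound_default") != "block":
        findings.append("outbound default is not block")
    extra_in = set(dev.get("allowed_inbound_ports", [])) - APPROVED_INBOUND_PORTS
    if extra_in:
        findings.append(f"unapproved inbound ports open: {sorted(extra_in)}")
    extra_out = set(dev.get("allowed_outbound_ports", [])) - APPROVED_OUTBOUND_PORTS
    if extra_out:
        findings.append(f"unapproved outbound ports open: {sorted(extra_out)}")
    # A missing age field is treated as stale rather than silently passed.
    if dev.get("signature_age_days", MAX_UPDATE_AGE_DAYS + 1) > MAX_UPDATE_AGE_DAYS:
        findings.append(f"firewall software not updated within {MAX_UPDATE_AGE_DAYS} days")
    return findings


def audit(export_json):
    """Map each device id to its findings."""
    return {dev["id"]: check_device(dev)
            for dev in json.loads(export_json)["devices"]}


def compliance_percentage(report):
    """Share of devices with no findings, in the form UCF metric 02116 asks for."""
    if not report:
        return 0.0
    compliant = sum(1 for findings in report.values() if not findings)
    return 100.0 * compliant / len(report)


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT)
    for device_id, findings in result.items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{device_id}: {status}")
    print(f"host firewalls configured per policy: {compliance_percentage(result):.1f}%")
```

Treating a missing update-age field as a finding, rather than as a pass, is deliberate: an agent that cannot report the value is exactly the case where a disabled or tampered firewall tends to hide.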

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
