Status: Live
The organization will ensure that all mobile computers are equipped with a firewall, that the firewall has been configured correctly, and that the firewall cannot be disabled or changed by the end user. [UCF ID 00550]
Supporting and supported controls
This control directly supports:
- Establish and maintain firewall design and configuration practices [UCF Control ID 00544]
There are no supporting controls.
Authority documents complied with:
- Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 1.4
- Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002, § 2.9
- The Standard of Good Practice for Information Security, SM6.4.7(d), CB3.3.5(d), CI2.4.5(d), UE5.4.4(c)
- The Center for Internet Security Wireless Networking Benchmark, Version 1.0, April 2005, § 2.3.2 (2.3.2.040)
- DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 5.2
- DISA Wireless Security Checklist, Version 5, Release 2.2, § 3.2 (WIR0100)
- Australian Government ICT Security Manual (ACSI 33), § 3.10.35, § 3.11.19
- Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance, All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 1.4
- Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1, § 6.3.4
- Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007, Table 8-2 Item 16
- Archer Control Table, ATCS-353
Payment Card Guidance
Personal firewall software must be installed on all mobile and employee-owned computers that are used to connect to the organization's network and to the Internet.
Verify all mobile and employee-owned computers that access the Internet and the organization's network have personal firewall software installed. Verify the firewall on each computer is active at all times, configured by the organization, and not alterable by the employee. [§ 1.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
Personal firewall software must be installed on all mobile and employee-owned computers that are used to connect to the organization's network and to the Internet. [§ 1.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
NIST Guidance
As an added security feature, each laptop in an organization should be equipped with a firewall. [§ 2.9, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002]
Client devices should have personal firewalls installed and implemented. The firewall should be centrally managed to ensure all client devices are configured according to the organization's security policy. [§ 6.3.4, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48 Revision 1]
All mobile devices should have a personal firewall installed. [Table 8-2 Item 16, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007]
Other Configuration Guidance
Host-based firewalls should be installed and configured on all WLAN client devices.
Before making a purchase, verify that WLAN client devices, such as PDAs, can have a host-based firewall installed on them. [§ 2.3.2 (2.3.2.040), The Center for Internet Security Wireless Networking Benchmark version 1.0, v1.0 April 2005]
Remote access devices, including those that can dial in via modem, that access DoD networks must have a personal firewall that has been approved and distributed by DoD CERT. [§ 5.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]
802.11-enabled wireless devices should have a personal firewall implemented and configured to block unauthorized access. The personal firewall software should meet the NIAP Common Criteria requirements.
If the organization does not inspect a sampling of laptops, examine the SRR or self-assessment results for laptops with WLAN access to verify firewalls are installed and configured correctly.
Inspect 10% of the laptops that use WLAN access and run the Gold Disk or SRR scripts to verify that each laptop has the correct configuration for the personal firewall. Inspect 10% of the PDAs and smart phones with WLAN access and verify the personal firewall software on each device is configured to block unneeded inbound and outbound services and ports; configured to automatically update every 14 days, or the user is trained to manually update the software every 14 days; configured to block known DDoS ports; and is NIAP certified. [§ 3.2 (WIR0100), DISA Wireless Security Checklist, Version 5, Release 2.2]
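The PCI assessment procedure above asks the assessor to verify that each mobile computer's firewall is active, configured by the organization and not alterable by the employee, and the DISA checklist asks that it block unneeded inbound services. The following script is an added example of how an inventory agent could evaluate those three conditions for a Linux laptop; it is not code from UCF, PCI SSC or DISA. It assumes the host firewall is nftables, that the agent has captured the output of `nft list ruleset` and the owner/mode of the firewall configuration file, and that local users are unprivileged (a user with root can always change the ruleset, so file permissions are only a proxy for "cannot be changed by the end user"). The sample ruleset dumps and the fleet list are constructed.

```python
"""Host-firewall audit for a Linux laptop (added example, not UCF/DISA/PCI code).

It checks the three conditions the control states, from data an inventory
agent could collect on each device:
  1. a firewall is active        -> an nftables base chain is hooked on `input`
  2. it is configured correctly  -> that chain defaults to `policy drop`
  3. the end user cannot change it -> the config file is root-owned and not
     group- or world-writable (a proxy; assumes local users are not root)
and then computes the "percentage of host firewalls configured in accordance
with policy" metric over a fleet.
"""
import re
import stat

# Constructed sample: `nft list ruleset` output from a host with default-deny inbound.
RULESET_OK = """\
table inet filter {
\tchain input {
\t\ttype filter hook input priority 0; policy drop;
\t\tct state established,related accept
\t\tiif "lo" accept
\t}
\tchain output {
\t\ttype filter hook output priority 0; policy accept;
\t}
}
"""

# Constructed sample: firewall loaded, but inbound traffic defaults to accept.
RULESET_OPEN = """\
table inet filter {
\tchain input {
\t\ttype filter hook input priority 0; policy accept;
\t}
}
"""

# Matches a base-chain declaration line, e.g. "type filter hook input priority 0; policy drop;"
BASE_CHAIN_RE = re.compile(
    r"type\s+\w+\s+hook\s+(?P<hook>\w+)\s+priority\s+[-\w]+\s*;\s*policy\s+(?P<policy>\w+)\s*;"
)


def base_chain_policies(ruleset: str) -> dict:
    """Map each hook (input/forward/output) to the default policies declared for it."""
    policies = {}
    for line in ruleset.splitlines():
        m = BASE_CHAIN_RE.search(line)
        if m:
            policies.setdefault(m.group("hook"), []).append(m.group("policy"))
    return policies


def config_locked(owner_uid: int, mode: int) -> bool:
    """True if the firewall config is root-owned and only its owner can write it."""
    return owner_uid == 0 and not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_host(ruleset: str, config_uid: int, config_mode: int) -> dict:
    """Evaluate one device; returns each check plus an overall verdict."""
    hooks = base_chain_policies(ruleset)
    findings = {
        "firewall_active": "input" in hooks,
        "default_deny_inbound": "drop" in hooks.get("input", []),
        "not_user_alterable": config_locked(config_uid, config_mode),
    }
    findings["compliant"] = all(findings.values())
    return findings


def compliance_rate(results: list) -> float:
    """Percentage of audited hosts whose firewall matches policy (the UCF 02116 metric)."""
    if not results:
        return 0.0
    return 100.0 * sum(1 for r in results if r["compliant"]) / len(results)


if __name__ == "__main__":
    # Constructed fleet: (hostname, ruleset dump, config owner uid, config mode)
    fleet = [
        ("laptop-01", RULESET_OK, 0, 0o644),    # compliant
        ("laptop-02", RULESET_OPEN, 0, 0o644),  # inbound not denied
        ("laptop-03", RULESET_OK, 0, 0o664),    # group-writable config
        ("laptop-04", "", 0, 0o644),            # no firewall loaded
    ]
    results = []
    for host, rs, uid, mode in fleet:
        r = audit_host(rs, uid, mode)
        results.append(r)
        print(host, r)
    print(f"compliant: {compliance_rate(results):.0f}%")
```

On a real host the agent would feed `audit_host` the output of `nft list ruleset` and the `st_uid`/`st_mode` from `os.stat` on the configuration file (for example `/etc/nftables.conf`); the per-host findings map directly onto the assessor's three questions, and `compliance_rate` gives the fleet-level metric. The permission check only shows that an unprivileged user cannot edit the saved configuration; the NIST guidance's requirement for central management is met by whatever configuration-management or MDM system reapplies the approved ruleset, which this script does not replace.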
General Guidance
All mobile computers and workstations should be equipped with a personal firewall. [SM6.4.7(d), CB3.3.5(d), CI2.4.5(d), UE5.4.4(c), The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
Firewalls should be implemented to protect individual machines. If possible, hardware devices should be used instead of software-based firewall applications. If mobile devices are going to be connected to a system with a different classification, a firewall should be used to protect the side of the connection with a higher classification. [§ 3.10.35, § 3.11.19, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of systems with configurations that do not deviate from approved standards [UCF Control ID 02098]
- Report on the percentage of notebooks and mobile devices that are required to verify compliance with approved configuration policy prior to being granted network access [UCF Control ID 02106]
- Report on the percentage of workstation firewalls, host firewalls, sub-network firewalls, and perimeter firewalls configured in accordance with policy [UCF Control ID 02116]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
