Configure firewalls, routers, and networking equipment to follow organizational compliance mandates in order to protect confidential information and systems

Status: Live

The organization will maintain a standard and appropriate procedures to configure firewalls, routers, and networking equipment to follow organizational compliance mandates and protect confidential information and systems. [UCF ID 01284]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj D.1; FFIEC IT Examination Handbook – Information Security, Pg 42, Pg 43; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 33; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 1.1.4; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-701, § 8-702; The Standard of Good Practice for Information Security, NW2.1.1, NW2.1.3, NW2.2.4(b), NW2.2.4(c); CI Security Windows XP Professional SP1/SP2, v2.01, § 5.2.1.1; Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1, § 3.1.1, § 7.6; DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4, § 2.1 (WIR1040); DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3, § 3.7, App B.3; DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 4.2.3; DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4, § 3.4.2, App B.1, App B.2; ISO 17799:2005 Code of Practice for Information Security Management, § 11.4.7; ISO/IEC 27002-2005 Code of practice for information security management, § 11.4.7; Australian Government ICT Security Manual (ACSI 33), § 3.10.20, § 3.10.50; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 1.1.4; Archer Control Table, ATCS-349, ATCS-358, ATCS-368, ATCS-369, ATCS-477, ATCS-500; Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1, § 10.1

Banking and Finance Guidance

[Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Audit, August 2003]

The firewall should be configured to ensure the organization's computers are not directly accessible to the Internet and the firewall should be appropriately patched. [Pg 42, Pg 43, FFIEC IT Examination Handbook – Information Security]

Firewalls should be implemented and configured to protect the retail payment system from unauthorized access. [Pg 33, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

Payment Card Guidance

The firewall and router configuration standard must include a description of the roles, groups, and responsibilities for the logical management of the network components.
Verify firewall and router configuration standards exist and include a description of the roles, groups, and responsibilities for the logical management of the network components.
[§ 1.1.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]

The firewall and router configuration standard must include a description of the roles, groups, and responsibilities for the logical management of the network components. [§ 1.1.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

When a VPN or other high-speed connection is used to download software updates from vendors, a firewall should be used and properly configured to protect these "always-on" connections. [§ 10.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]

US Federal Security Guidance

Controlled interfaces must provide a secure connection point between networks, devices, and remote hosts; reliably exchange security information; monitor and enforce the network protection requirements; filter information based on content; not have general users; not execute user code; and review communications for viruses and malicious code. [§ 8-701, § 8-702, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

System Configuration Guidance

Firewall settings, even more than most of the other security settings in this guide, must be tailored to your site. Testing is critical before deploying a firewall configuration for your site. Improper firewall settings could block critical applications such as antivirus or desktop management agents. In some instances, improper firewall settings could even block Active Directory and group policy management of the machine, leaving no easy way to undo changes. [§ 5.2.1.1, CI Security Windows XP Professional SP1/SP2, v2.01]

Windows Firewall is the built-in Windows XP firewall. It can be configured to restrict all inbound connections, but cannot filter or block any outbound connections. The primary benefit of using Windows Firewall is in limiting network connections to another computer, thus reducing the exposure of the computer to network-based attacks, such as worms. Windows Firewall is enabled by default for each network interface. If it is not configured correctly, Windows Firewall can prevent the use of Microsoft file and print services as well as other services and applications. If Windows Firewall and a third-party, host-based firewall are both enabled, Windows Firewall might block traffic that the third-party, host-based firewall has been configured to allow, impacting system functionality and usability. [§ 3.1.1, § 7.6, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1]

Other Configuration Guidance

BlackBerry devices and systems should not be connected to any network or system that contains classified information. [§ 2.1 (WIR1040), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4]

Good Mobile Messaging systems include a Bluefire Security firewall. The default firewall policy should be used as the minimum firewall rule set and is listed in Table B-4. [§ 3.7, App B.3, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3]

The requirements of the Network Infrastructure STIG must be used to configure the network access server and/or communications server based on the architecture and the dial-up connection method used. [§ 4.2.3, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]

The firewall rules for the ISA Server should be set to:
    Action: Allow
    From: External & Local Hosts
    To: enter outer facing IP address of web site
    Computer Name: list name of Front-end Exchange Server
    Traffic: HTTPS
    Listener: set up SSL 443 listener
    Public: same as To address
    Authentication Delegation: No delegation, but client may authenticate directly
    Paths: for Internal Path: /Microsoft-Server-ActiveSync
    Bridging: Check Web server and Check Redirect requests to SSL Port, enter 443
The Microsoft Exchange Server Security Policy rule "SSL connection to ISA server" should be Enabled. The Microsoft ISA Server 2006 Security Policy rule "SSL connection to Exchange" should be Enabled. [§ 3.4.2, App B.1, App B.2, DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4]

ISO Guidance

Routers should be used to ensure connections and information flow do not breach the access control policy. Routing controls should be in effect to validate addresses at all internal and external network control points. [§ 11.4.7, ISO 17799:2005 Code of Practice for Information Security Management]

Routers should be used to ensure connections and information flow do not breach the access control policy. Routing controls should be in effect to validate addresses at all internal and external network control points. [§ 11.4.7, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

Network devices should be configured to restrict network device access, manage routing table changes, and prevent unauthorized or incorrect routing table changes. Firewalls should be configured to protect protocols prone to abuse, such as FTP and telnet, and block network packets that are commonly used for denial of service attacks. Only authorized staff should be allowed to access network devices. [NW2.1.1, NW2.1.3, NW2.2.4(b), NW2.2.4(c), The Standard of Good Practice for Information Security]

Asia and Pacific Rim Guidance

All networks should be protected by a gateway to control the data flow. The gateway should be the only communications route into or out of the network; deny all connections to the network by default; allow only authorized connections; provide real-time alarms; and detect breaches and attempted intrusions. All security measures recommended by the switch vendors should be implemented. [§ 3.10.20, § 3.10.50, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of systems for which approved configuration settings have been implemented as required by policy [UCF Control ID 02097]
    Report on the percentage of host servers that are protected from becoming relay hosts [UCF Control ID 02108]
    Report on the percentage of workstation firewalls, host firewalls, sub-network firewalls, and perimeter firewalls configured in accordance with policy [UCF Control ID 02116]
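As an added example that is not part of this UCF page, the following Python audit turns the General, ISO and Asia-Pacific guidance above (address validation at network control points, blocking abuse-prone protocols such as telnet, restricting device access to authorized staff, and deny-by-default) into first-match checks against a constructed rule set, and reports the percentage metric for UCF Control ID 02116. The rule format, zone names, address ranges and both rule sets are constructed for illustration and do not describe any real product.

```python
import ipaddress
def rule(action, iface, src, dst, proto="any", port=None):
    """One rule; iface is the ingress zone: 'external', 'internal' or 'any'."""
    return {"action": action, "iface": iface, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "proto": proto, "port": port}

def decide(rules, iface, src, dst, proto, port):
    """Action of the first matching rule; no match is treated as deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["iface"] in (iface, "any") and src in r["src"] and dst in r["dst"]
                and r["proto"] in (proto, "any") and r["port"] in (port, None)):
            return r["action"]
    return "deny"

# Constructed probe packets and the decision each quoted requirement expects.
CHECKS = [
    ("internal source address on the external interface dropped (ISO 11.4.7)",
     ("external", "10.0.0.5", "10.0.1.10", "tcp", 443), "deny"),
    ("telnet from the Internet blocked (ISF NW2.2.4(b))",
     ("external", "203.0.113.9", "10.0.1.10", "tcp", 23), "deny"),
    ("device management only from authorized staff (ISF NW2.1.1)",
     ("internal", "10.0.5.5", "10.0.0.1", "tcp", 22), "deny"),
    ("authorized connection allowed (ACSI 33 3.10.20)",
     ("external", "203.0.113.9", "10.0.1.10", "tcp", 443), "allow"),
]
def audit(rules):
    """Return the description of every check the rule set fails."""
    failed = [desc for desc, pkt, want in CHECKS if decide(rules, *pkt) != want]
    last = rules[-1] if rules else None  # deny-by-default must be stated, not implied
    if not (last and last["action"] == "deny" and last["proto"] == "any"
            and last["src"].prefixlen == 0 and last["dst"].prefixlen == 0):
        failed.append("no explicit final default-deny rule")
    return failed

def metric_02116(firewalls):  # percentage of firewalls passing every check
    return 100.0 * sum(1 for r in firewalls.values() if not audit(r)) / len(firewalls)

# Constructed: 10.0.0.0/8 internal, 10.0.0.1 firewall management address,
# 10.0.9.0/24 administrators' subnet, 10.0.1.10 public web server.
GOOD = [
    rule("deny", "external", "10.0.0.0/8", "0.0.0.0/0"),                 # anti-spoofing
    rule("allow", "internal", "10.0.9.0/24", "10.0.0.1/32", "tcp", 22),  # admins only
    rule("allow", "external", "0.0.0.0/0", "10.0.1.10/32", "tcp", 443),
    rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),                       # default deny
]
BAD = [
    rule("allow", "external", "0.0.0.0/0", "10.0.1.10/32", "tcp", 23),   # telnet exposed
    rule("allow", "any", "0.0.0.0/0", "10.0.0.1/32", "tcp", 22),         # anyone manages
    rule("allow", "external", "0.0.0.0/0", "10.0.1.10/32", "tcp", 443),
]
```

Running `audit(BAD)` lists the spoofed-source, telnet, management-access and missing-default-deny failures, while `audit(GOOD)` is empty, so `metric_02116({"fw-a": GOOD, "fw-b": BAD})` reports 50.0.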

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.