UCF ID: 01284 |
Control Type: Configuration |
Status: Live |
Supporting and supported controls
This control directly supports:
• Establish and maintain a standard and procedure for firewall design and configuration practices. [UCF Control ID 00544]
This control has the following supporting controls:
• Enable NAT or PAT. [UCF Control ID 00545]
• Configure firewalls, by default, to deny all traffic, except explicitly designated traffic. [UCF Control ID 00547]
• Deny direct Internet access to databases that store restricted data or information. [UCF Control ID 01271]
• Establish ingress address filters. [UCF Control ID 01287]
• Ensure firewalls perform stateful inspection. [UCF Control ID 01288]
• Synchronize and secure all router and firewall configuration files. [UCF Control ID 01291]
• Protect the network connection interfaces in the firewall. [UCF Control ID 01955]
• Configure and enable logging on the firewall. [UCF Control ID 01963]
Authority documents complied with:
FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj D.1; FFIEC IT Examination Handbook – Information Security, Pg 42, Pg 43; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 33; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 1.1.4; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-701, § 8-702; The Standard of Good Practice for Information Security, NW2.1.1, NW2.1.3, NW2.2.4(b), NW2.2.4(c); CI Security Windows XP Professional SP1/SP2, Version 2.01, § 5.2.1.1; Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1, § 3.1.1, § 7.6; DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, § 2.1 (WIR1040); DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 4.2.3; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 11.4.7; ISO/IEC 27002 Code of practice for information security management, 2005, § 11.4.7; Australian Government ICT Security Manual (ACSI 33), § 3.10.20, § 3.10.50; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 1.1.4; Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1, § 10.1; DoD Instruction 8500.2 Information Assurance (IA) Implementation, ECIM-1, ECVI-1; Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1, § 4.2.2; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.2.4(3)(4), ¶ 9.2 Table Row “Network Configuration”, ¶ 9.2 Table Row “Network Segregation”; ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001, ¶ 13.8
Banking and Finance Guidance
[Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Audit, August 2003]
The firewall should be configured to ensure the organization's computers are not directly accessible to the Internet and the firewall should be appropriately patched. [Pg 42, Pg 43, FFIEC IT Examination Handbook – Information Security]
Firewalls should be implemented and configured to protect the retail payment system from unauthorized access. [Pg 33, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
Payment Card Guidance
The firewall and router configuration standard must include a description of the roles, groups, and responsibilities for the logical management of the network components. [§ 1.1.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]
The firewall and router configuration standard must include a description of the roles, groups, and responsibilities for the logical management of the network components. [§ 1.1.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
When a VPN or other high-speed connection is used to download software updates from vendors, a firewall should be used and properly configured to protect these "always-on" connections. [§ 10.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]
US Federal Security Guidance
Controlled interfaces must provide a secure connection point between networks, devices, and remote hosts; reliably exchange security information; monitor and enforce the network protection requirements; filter information based on content; not have general users; not execute user code; and review communications for viruses and malicious code. [§ 8-701, § 8-702, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
ECIM-1 Ensure instant messaging traffic to and from instant messaging clients that are independently configured by end users and that interact with a public service provider is prohibited.
ECVI-1 Voice over Internet Protocol (VoIP) traffic to and from workstation IP telephony clients that are independently configured by end users for personal use is prohibited within DoD information systems. [ECIM-1, ECVI-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
NIST Guidance
To aid in preventing DoS attacks, the network perimeter should be configured to deny all incoming and outgoing traffic that is not expressly permitted, including:
• blocking unneeded services that are used in DoS attacks;
• configuring border routers to not forward directed broadcasts;
• blocking traffic from unassigned IP address ranges;
• writing and sequencing firewall rules and router access control lists;
• limiting incoming and outgoing Internet Control Message Protocol traffic;
• using ingress and egress filtering; and
• blocking outgoing connections to common IRC, peer-to-peer service, and instant messaging ports, if usage is not permitted. [§ 4.2.2, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1]
System Configuration Guidance
Firewall settings, even more than most of the other security settings in this guide, must be tailored to your site. Testing is critical before deploying a firewall configuration for your site. Improper firewall settings could block critical applications such as antivirus or desktop management agents. In some instances, improper firewall settings could even block Active Directory and group policy management of the machine, leaving no easy way to undo changes. [§ 5.2.1.1, CI Security Windows XP Professional SP1/SP2, Version 2.01]
Windows Firewall is the built-in Windows XP firewall. It can be configured to restrict all inbound connections, but cannot filter or block any outbound connections. The primary benefit of using Windows Firewall is in limiting network connections to another computer, thus reducing the exposure of the computer to network-based attacks, such as worms. Windows Firewall is enabled by default for each network interface. If it is not configured correctly, Windows Firewall can prevent the use of Microsoft file and print services as well as other services and applications. If Windows Firewall and a third-party, host-based firewall are both enabled, Windows Firewall might block traffic that the third-party, host-based firewall has been configured to allow, impacting system functionality and usability. [§ 3.1.1, § 7.6, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1]
Other Configuration Guidance
BlackBerry devices and systems should not be connected to any network or system that contains classified information. [§ 2.1 (WIR1040), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4]
The requirements of the Network Infrastructure STIG must be used to configure the network access server and/or communications server based on the architecture and the dial-up connection method used. [§ 4.2.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]
ISO Guidance
Routers should be used to ensure connections and information flow do not breach the access control policy. Routing controls should be in effect to validate addresses at all internal and external network control points. [§ 11.4.7, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
Routers should be used to ensure connections and information flow do not breach the access control policy. Routing controls should be in effect to validate addresses at all internal and external network control points. [§ 11.4.7, ISO/IEC 27002 Code of practice for information security management, 2005]
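The following is an added illustration, not text or code from the UCF control or from any of the cited standards. It models a first-match packet filter so that the perimeter items listed in the NIST SP 800-61 § 4.2.2 passage above (deny by default, block reserved and unassigned source ranges, ingress and egress address filtering, block unneeded services and unapproved outbound ports, and sequence the rules correctly) and the ISO/IEC 17799 / 27002 § 11.4.7 requirement to validate addresses at every network control point can be seen working on sample traffic. The site prefix 10.20.0.0/16, the web server address, the interface names and all sample packets are constructed assumptions; the reserved ranges are real RFC-defined space, but a production "unassigned" list changes over time and must be refreshed from an authoritative source.

```python
"""Added example: first-match perimeter filter with address validation.
Not part of the UCF control text or any cited standard. Site prefix, host
addresses, interface names and sample packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

INTERNAL = ip_network("10.20.0.0/16")      # assumed site prefix (constructed)
WEB_SERVER = ip_address("10.20.1.10")      # assumed Internet-facing host (constructed)

# Source ranges that must never arrive on the Internet-facing interface.
# These are real reserved ranges (RFC 1122/1918/3927/5771); a production list
# of currently unassigned ("bogon") space changes over time and must be refreshed.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Outbound TCP ports this (hypothetical) organization does not permit:
# IRC (6667) and a common BitTorrent range. The exact list is local policy.
BLOCKED_EGRESS_TCP = {6667} | set(range(6881, 6890))


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet ARRIVES on: "outside" or "inside"
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "permit" or "deny"
    match: Callable[[Packet], bool]


def _in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


# Address validation (ingress/egress filtering): a packet from outside must not
# claim an internal or reserved source; a packet from inside must carry an
# internal source. This is the BCP 38 style anti-spoofing check.
INGRESS_ANTISPOOF = Rule("ingress-antispoof", "deny",
    lambda p: p.iface == "outside"
    and (_in_any(p.src, BOGONS) or ip_address(p.src) in INTERNAL))
EGRESS_ANTISPOOF = Rule("egress-antispoof", "deny",
    lambda p: p.iface == "inside" and ip_address(p.src) not in INTERNAL)
# Unneeded UDP services historically abused in DoS amplification (echo, chargen).
DENY_AMPLIFIERS = Rule("deny-echo-chargen", "deny",
    lambda p: p.proto == "udp" and p.dport in (7, 19))
DENY_EGRESS_CHAT_P2P = Rule("deny-egress-irc-p2p", "deny",
    lambda p: p.iface == "inside" and p.proto == "tcp"
    and p.dport in BLOCKED_EGRESS_TCP)
PERMIT_WEB_IN = Rule("permit-https-to-web", "permit",
    lambda p: p.iface == "outside" and p.proto == "tcp" and p.dport == 443
    and ip_address(p.dst) == WEB_SERVER)
PERMIT_WEB_OUT = Rule("permit-egress-web", "permit",
    lambda p: p.iface == "inside" and p.proto == "tcp" and p.dport in (80, 443))

# Correct sequence: address validation sits above every permit, so no permit
# can be reached by a spoofed or reserved source.
CORRECT_ORDER = [INGRESS_ANTISPOOF, EGRESS_ANTISPOOF, DENY_AMPLIFIERS,
                 DENY_EGRESS_CHAT_P2P, PERMIT_WEB_IN, PERMIT_WEB_OUT]
# Mis-sequenced: the HTTPS permit was inserted above the anti-spoof rule.
WRONG_ORDER = [PERMIT_WEB_IN, INGRESS_ANTISPOOF, EGRESS_ANTISPOOF,
               DENY_AMPLIFIERS, DENY_EGRESS_CHAT_P2P, PERMIT_WEB_OUT]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation; anything not expressly permitted is denied."""
    for r in rules:
        if r.match(pkt):
            return r.action, r.name
    return "deny", "default-deny"


def permits_spoofed_internal_source(rules: List[Rule]) -> bool:
    """Does an outside packet spoofing an internal source reach the web server?"""
    spoofed = Packet("outside", "10.20.5.5", str(WEB_SERVER), "tcp", 443)
    return evaluate(rules, spoofed)[0] == "permit"


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        Packet("outside", "203.0.113.7", "10.20.1.10", "tcp", 443),   # legitimate HTTPS
        Packet("outside", "10.20.5.5", "10.20.1.10", "tcp", 443),     # spoofed internal src
        Packet("outside", "192.168.1.9", "10.20.1.10", "tcp", 443),   # reserved src
        Packet("inside", "10.20.3.4", "198.51.100.2", "tcp", 6667),   # IRC egress
        Packet("inside", "198.51.100.2", "203.0.113.7", "tcp", 443),  # spoofed egress src
        Packet("outside", "203.0.113.7", "10.20.1.10", "udp", 19),    # chargen
        Packet("outside", "203.0.113.7", "10.20.1.10", "tcp", 22),    # not permitted
    ]
    for label, rules in (("correct order", CORRECT_ORDER), ("mis-ordered", WRONG_ORDER)):
        print(f"--- {label} ---")
        for p in samples:
            print(f"{p.iface:7} {p.src:>14} -> {p.dst}:{p.dport} {p.proto:4} => {evaluate(rules, p)}")
```

The two rule lists contain the same rules; only the position of the HTTPS permit differs, and that alone decides whether a packet from outside that forges an internal source reaches the web server. That is the practical content of "writing and sequencing firewall rules" and of validating addresses at each control point: the anti-spoofing and reserved-range checks must be evaluated before any permit, and a later change that inserts a permit above them silently reopens the hole.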
¶ 8.2.4(3)(4) Network Management. An organization should implement safeguards to achieve network management, which includes planning, operation and administration of networks. The proper configuration and administration of networks is an effective means to reduce risks. Safeguards in the area of network management are listed below.
3. Network Configuration
An appropriate network configuration should be implemented for reliable functioning. This includes a standardized approach for the configuration of servers throughout the organization, and good documentation. Servers used for special purposes should only be used for those purposes (e.g. no other tasks should run on a firewall), and sufficient protection from failure should be in place.
4. Network Segregation
In order to minimize the risks and the possibilities of misuse in a network in operation, business areas dealing with critical business issues and information should be kept separate, logically or physically. As well, development facilities should be separated from operational facilities.
¶ 9.2 Table Row “Network Configuration” in safeguard Network Management should be implemented under normal circumstances for Servers or Workstations with Shared Resources Connected to a Network.
¶ 9.2 Table Row “Network Segregation” in safeguard Network Management should be implemented under normal circumstances for Servers or Workstations with Shared Resources Connected to a Network. [¶ 8.2.4(3)(4), ¶ 9.2 Table Row “Network Configuration”, ¶ 9.2 Table Row “Network Segregation”, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
Security Gateways. A suitable security gateway arrangement will protect the organization's internal systems and securely manage and control the traffic flowing across it, in accordance with a documented security gateway service access policy (see below).
A security gateway should:
• separate logical networks,
• provide restricting and analyzing functions on the information which passes between the logical networks,
• be used by an organization as a means of controlling access to and from the organizations network,
• provide a controlled and manageable single point of entry to a network,
• enforce an organization's security policy, regarding network connections,
• provide a single point for logging.
For each security gateway a separate service access (security) policy document should be developed and implemented for each such connection to ensure that only the traffic authorized for that connection should be allowed to pass. It must be possible to define permitted connections separately according to communications protocol and other details. In order to ensure that only valid users and traffic gain access from communications connections, the policy should define and record in detail the constraints and rules applied to traffic passing into and out of each security gateway, and the parameters for its management and configuration.
With all security gateways, full use should be made of available identification and authentication, logical access control and audit facilities. In addition, they should be checked regularly for unauthorized software and/or data and, if such is found, incident reports should be produced in accordance with the organization's security incident handling scheme.
It is emphasized that the connection to a network should only take place after it is checked that the selected security gateway suits the requirements of the organization, and that all risks resulting from such a connection can be managed securely. It should be ensured that by-passing the security gateway is not possible. [¶ 13.8, ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001]
General Guidance
Network devices should be configured to restrict network device access, manage routing table changes, and prevent unauthorized or incorrect routing table changes. Firewalls should be configured to protect protocols prone to abuse, such as FTP and telnet, and block network packets that are commonly used for denial of service attacks. Only authorized staff should be allowed to access network devices. [NW2.1.1, NW2.1.3, NW2.2.4(b), NW2.2.4(c), The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
All networks should be protected by a gateway to control the data flow. The gateway should be the only communications route into or out of the network; deny all connections to the network by default; allow only authorized connections; provide real-time alarms; and detect breaches and attempted intrusions. All security measures recommended by the switch vendors should be implemented. [§ 3.10.20, § 3.10.50, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of systems for which approved configuration settings have been implemented as required by policy. [UCF Control ID 02097]
• Report on the percentage of host servers that are protected from becoming relay hosts. [UCF Control ID 02108]
• Report on the percentage of workstation firewalls, host firewalls, sub-network firewalls, and perimeter firewalls configured in accordance with policy. [UCF Control ID 02116]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
