The Best Damn Firewall Book Period
|
To completely write an entire information security policy could take months of work with involvement from the legal department, and the various business units. However, in order to implement Check Point NG, you need at a minimum an executive security policy and a perimeter network security policy. Typically, the executive security policy is a high-level document of about three to five pages that points to relevant standards, procedures, and guidelines. Because the highest levels of management or the board of directors must adopt the executive security policy, it should be written without details about technologies, people, or methods. This will ensure that as technology changes or as people change, the document will not become obsolete. Think of the executive security policy as a declaration of the importance of security to your organization. However, choose your words carefully because it is a legal document in many respects.
The executive security policy is important because without an executive endorsement of your security policy, enforcement may become difficult. In order to write an effective executive security policy you must identify early on the departments with an interest in maintaining information assets like research and development, finance, and IT. Approach the managers and request their involvement in drafting an executive-level security document. In addition, you will want to include the legal department and an executive sponsor.
| Note | Executive support and approval is critical to the success of your Information Security Policy. When the CEO has to follow the same rules as everyone else, it makes policy enforcement much simpler. |
The final document should have language such as: "Because of the nature of our business, customer non-public information is frequently transmitted or stored on our information systems. As a result, we will employ appropriate controls and safeguards including encryption to ensure that non-public information is adequately protected against unauthorized disclosure while in storage or transit." We know at this point that our policy seems rather vague and legal. However, resist the impulse to say, "We must use Triple DES encryption on all private data that is stored or transmitted." This is important because technology changes and this document will eventually be presented to management for approval. Management doesn't want to see you once a month asking for changes to the security policy. As a guiding principle, the executive security policy should address why security is important and delegate the further implementation of appropriate standards, guidelines, and procedures to the appropriate individuals or groups.
| Note | Use the security policy to help you do your job better and get the things you need. For example, use the policy to ensure that you get security training. Include a statement in the policy that says, "To ensure that we are adequately controlling and anticipating current and new threats, the security manager and his or her team must attend security training on a semi-annual basis in the form of conferences, seminars, symposiums, and workshops." As you can see, the security policy can be your friend. |
Drafting the second part of your overall information security policy, the perimeter network security policy, is somewhat different. The perimeter network security policy is a document that includes specific standards, procedures, and guidelines for implementing and maintaining perimeter network security. The first step in drafting a perimeter network security policy is to obtain a network map. The network map will help you to better identify resources that need protecting and how to architect your security solution. Depending on the size of your organization, you may elect to do this yourself or to obtain the assistance of individuals with specific knowledge regarding their environment. Although there are a number of software tools to assist you in automatically mapping the network, it will still be necessary to conduct manual validation.
After mapping the network, determine once again the departments or business units with a specific interest in network perimeter security, and assemble the representatives for a meeting. The best approach in this meeting is to identify what is needed and then, by default, disallow everything else. It is at this point that successful security managers recognize the purpose of security to meet business needs. Although it would be great from a security perspective to disconnect the business from the Internet, to stay in business the connection must be maintained. In this meeting you need to specifically ask the representatives if you were to put up a firewall today and block everything, what would need to be changed and configured to allow the business to continue. This step is called defining requirements. For example, some of the requirements that might be voiced include the following:
-
We need a Web site that has dynamic content.
-
We need to have an e-Commerce storefront.
-
We need to be able to get and send e-mail.
-
We need to secure all of our internal information from external attacks.
-
We need to be able to access the Internet securely using HTTP, HTTPS, and FTP from the LAN.
-
We need to secure our critical information from internal attacks or destruction.
In addition, you will also want to identify any wishes the representatives have. This could be your opportunity to look like a hero when you say, "Yes, we can do that." Examples of wishes are as follows:
-
We would like to have Instant Messaging.
-
We would like to be able to have Sales reps connect remotely to download order status.
You may find that most needs are simple and can use further refinement. For example, the requirement to send and receive e-mail begs the questions, "From where do you need to send _e-mail? Do remote users need to send and receive e-mail? Should there be any additional restrictions on e-mail?" In addition, you should ask questions about what types of communication to log.
| Note | Make sure that everyone who has an interest in the implementation and maintenance of a security policy is involved in its creation. This may involve representatives from HR or even the custodial staff. Involvement from these departments will ease acceptance of the new policy and make the actual implementation much smoother. |
The next stage in the drafting of the perimeter network security policy is risk assessment. Every requirement and wish has a risk attached to it. As a security professional you must be able to identify those risks and communicate them to the involved parties so they can be weighed against the benefits.
Security Design
After identifying the requirements and risks you are willing to accept, you must design security solutions. Having knowledge of the features and abilities of FW-1 NG will help you to determine what you can and cannot do. In addition, be aware of the other types of controls that can be used to maintain perimeter network security. There are three main categories of controls: technical controls, physical controls, and administrative controls. Each category of controls has three functions that include preventative, detective, and responsive, as shown in Table 14.1. The firewall is primarily a technical control of a preventative and detective nature. That is to say, the firewall prevents unauthorized access and can be used to detect unauthorized access. However, do not dismiss addressing physical and administrative controls in your perimeter network security policy.
| Technical | Physical | Administrative | |
|---|---|---|---|
| Preventative | Check Point NG VPN-1 | Locked data centers Identification badges | User ID/Password policy Change management |
| Detective | Check Point NG | CCTV | Log and report reviewRule base audits |
| Responsive | Check Point NG | High availability | Incident response procedures |
Other policies that FW-1 NG can help you enforce are the following:
-
NAT Security
-
QoS Security
-
Desktop security
-
Monitoring
Firewall Architecture
Before writing the policy, one thing you need to explore is whether you will need to have different policies for different locations or if you will have only one. If you have one security policy, Check Point can enforce the same policy on all firewall modules from a central management station. Otherwise, you will have to maintain a different policy for different locations. Although for business reasons this might be necessary, it can add a level of complexity to your environment that could decrease your overall effective security. If it is necessary, then make sure that it is thoroughly documented.
Writing the Policy
Now that you know what is necessary, you can write your perimeter network security policy. As you can see in Figure 14.1, writing a security policy is a logical progression of steps.
Briefly, the structure of the policy should include the following:
-
Introduction In this section, you should state the purpose of this policy. What is the objective of the policy? Why it is important to the organization?
-
Guidelines In this section you should detail guidelines for choosing controls to meet the objectives of the policy. These are the basic requirements. Typically you will see the word should in these statements.
-
Standards In this section you should detail the standards for implementing and deploying the selected controls. For example, this section will state the initial configuration or firewall architecture. This section tends to detail the requirements given in the meeting with the interested departments and business units. This section is written with the words such as, "It is the policy that…"
-
Procedures In this section you should detail the procedures for maintaining the security solution, such as how often the logs should be reviewed and who is authorized to make changes.
-
Deployment: The purpose of the deployment section is to assign responsibilities and specific steps for the implementation of the policy. Think of it as a mini project plan. In a perimeter network Ssecurity policy, this is the section that translates the standards and guidelines into language that the security administrator can enforce on the firewall.
-
Enforcement Although many policies lack this component, all policies require a method for enforcement. A popular and effective method for enforcement is auditing. In this section you could state that the firewall rule base would be subject to an external audit yearly. In addition, this section should detail the enforcement and consequences if someone was to circumvent the firewall or its rules.
-
Modification or exceptions No policy is perfect, and the policy may require modifications or exceptions. In this section you should detail the methods for obtaining modifications to the policy or exceptions.
The following series of headings could be considered a sample of a perimeter network security policy
Introduction
Due to Company X's required connection and access to the public Internet, it is essential that a strong perimeter firewall exist that sufficiently separates the internal private LAN of CompanyX and the public Internet. The firewall should provide preventative and detective technical controls for access between the two networks.
Guidelines
The implementation of any firewall technology should follow these basic rules:
-
The firewall should allow for filtering of communication protocols based on complex rule sets.
-
The firewall should provide extensive logging of traffic passed and blocked.
-
The firewall should be the only entry and exit point to the public Internet from the CompanyX LAN.
-
The firewall operating system should be sufficiently hardened to resist attack both internal and external.
-
The firewall should fail closed.
-
The firewall should not disclose the internal nature, names, or addressing of the CompanyX LAN.
-
The firewall should only provide firewall services. No other service or application should be running on the firewall.
Standards
The implementation of any firewall must follow these basic rules:
-
It is the policy that only the identified firewall administrator is allowed to make changes to the configuration of the firewall.
-
It is the policy that all firewalls must follow the default rule: That which is not expressly permitted is denied.
In addition, the following standards for perimeter networks are as follows:
-
The deployment of public services and resources shall be positioned behind the firewall in a protected service net.
-
The firewall shall be configured to disallow traffic that originates in the service net to the general LAN.
-
Any application or network resource residing outside of the firewall and accessible by unauthorized users requires a banner similar to the following:
A T T E N T I O N! PLEASE READ CAREFULLY.
This system is the property of CompanyX. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system will be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to CompanyX management, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of CompanyX. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system, you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
Procedures
Firewall will be configured to allow traffic as defined below:
-
TCP/IP suite of protocols allowed through the firewall from the inside LAN to the public Internet is as follows:
-
HTTP to anywhere
-
HTTPS to anywhere
-
-
TCP/IP suite of protocols allowed through the firewall from the inside LAN to the Service Net is as follows:
-
HTTP to Web Server
-
SMTP to Mail Server
-
POP3 to Mail Server
-
DNS to DNS server
-
-
TCP/IP suite of protocols allowed through the firewall from the Service Net to the public Internet is as follows:
-
DNS from DNS server to anywhere
-
-
TCP/IP suite of protocols allowed through the firewall from the public Internet to the LAN is as follows:
-
None
-
-
TCP/IP suite of protocols allowed through the firewall from the public Internet with specific source, destination, and protocols is as follows:
-
SMTP to Mail Server
-
HTTP to Web Server
-
FTP to Web Server
-
Deployment
The security administrator will define the rule base and configure the firewall as defined above, in addition to other industry standard properties as appropriate.
Enforcement
Traffic patterns will be enforced by the firewall's technical controls as defined by the firewall administrator. Periodically, an external vulnerability assessment will be performed to assure the proper configuration of the firewall. Additionally, an independent third party will annually audit the configured firewall.
Modifications or Exceptions
Request for modification to the firewall configuration must be submitted via e-mail to the security manager and firewall administrator, accompanied by justification and the duration of the requested change.
|