
Sample – Cloud Services Firewall and VPN Security Standards

October 5, 2012

This document is provided without warranty, always vet out what works best for you and your organization.

Scope

This standard applies to all data, including corporate customer data, whether located at a corporate facility or a third party facility, and whether handled by corporate employees, or corporate contractors, vendors, third party service providers, or their staff or agents.  This standard also applies to all wholly owned and partially owned subsidiaries.

The guidance in this standard shall be considered the minimum acceptable requirements for the use of Firewalls.  This standard sets forth expectations across the entire organization.  Additional guidance and control measures may apply to certain areas of corporate.  This standard shall not be construed to limit application of more stringent requirements where justified by business needs or assessed risks.

Firewall Standard

Corporate business functions rely upon the integrity, confidentiality, and availability of its computer systems and the information assets stored within them. Responsibilities and procedures for the management, operation and security of all information processing facilities must be established.  This Standard supports the stated objectives.

It is the policy of corporate to provide safe, secure systems to its employees, contingent workforce, and other properly authorized persons, for the purpose of enabling and supporting the conduct of business.  Use of systems shall be in conformance with relevant policies, and shall not, whether by intent or mistake, increase the risks to corporate information assets or business functions.

Roles & Responsibilities

The IT Custodian is responsible for defining and implementing security measures and controls to ensure the system(s)/application(s) are managed and operated in a secure and effective manner.

The Chief Information Security Officer has overall responsibility for security policy, and in conjunction with the Information Security Department will be responsible for defining, implementing, managing, monitoring and reviewing compliance with the Information Security – Firewall Standard.

The Information Security Department will assist End Users and IT Custodians in assessing, defining, implementing, managing and monitoring appropriate controls and security measures.

The Information Security Department will audit and review the adequacy of controls and security measures in place to measure and enforce conformance to this Standard.

Requirements and Implementations

The corporate IT Security team has created the following guidelines for selecting the hardware and software for, and for configuring and implementing, firewalls on the corporate network. Administrators are advised to use this document to maintain the same standards across all corporate offices.

Hardware

  • The hardware for firewalls MUST be based on and specifically designed for firewall and/or VPN applications.
  • Hardware for VPN appliances MUST be specifically designed for VPN applications and support all IPsec standards.
  • The firewall and VPN components MUST both support at least 3DES encryption and SHA-1 hashing.
  • The appliances MUST support corporate IPsec certificates.
  • Firewall and VPN appliances MUST support ICMP- and SNMP-based monitoring:
      • SNMP version 2 and 3 only
      • SNMP must be read-only
      • SNMP should only be enabled on the dedicated OOB interface
  • They should have a dedicated Out Of Band [OOB] interface supplied for administration purposes.
  • The vendor must supply hardware which has fault tolerance options:
      • Redundant power supplies
      • Mirrored hard drives, mirrored ROMs
      • Clustering
  • The vendor must supply hardware which can be deployed in a load-balanced configuration.
  • All Tier A through C site firewalls should have console access through a PSTN service.
  • At the time of writing, Juniper security appliances have been standardized and approved for use within corporate and its subsidiaries.

Software

  • Firewall and VPN applications MUST support stateful inspection.
  • Firewall and VPN applications MUST support centralized administration and logging.
  • Software for VPN appliances MUST be specifically designed for VPN applications and support all IPsec standards.
  • The firewall and VPN components MUST both support at least 3DES encryption and SHA-1 hashing.
  • The appliances MUST support corporate IPsec certificates.
  • VPN software must be configured to NOT allow split tunneling as standard.
  • Firewall and VPN software MUST support ICMP- and SNMP-based monitoring:
      • SNMP monitoring MUST be limited to the sending of traps; no SNMP sets are allowed
      • SNMP version must be at minimum version 2; version 3 is preferred
  • Firewall software should support anti-spoofing.
      • Anti-spoofing should be enabled in the absence of a screening router with this same functionality.

Configuration and Administration

  • All firewalls will be members of the centralized firewall management infrastructure.
  • All firewall configurations will be kept on the centralized firewall management infrastructure.
  • Configuration management must be done through an encrypted channel.
  • Administration-level access to the management interfaces MUST be achieved using two-factor methods.
  • Where the firewall does not support two-factor authentication through the CLI, the bastion system used to make the connection should support two-factor authentication, and access to the CLI interface should be limited to the bastion system only.
  • SNMP monitoring MUST monitor:
      • Session counts
      • Network interface usage
      • Disk usage
      • Memory utilization
      • Processes running
      • Failover status

System Restarts

  • Firewall and VPN appliances must conform to agreed naming and implementation standards.
  • Firewall and VPN rules must conform to agreed naming and implementation standards.
  • Only persons and IP addresses specifically approved by Information Security will be granted Remote Management Console (Password Vault) access to any IT-maintained firewalls. As a general guideline, Information Security will require the following:
      • SANS firewall training
      • Vendor-specific product training
      • Security Operations account approval
      • Security Engineering account approval
      • The individual's manager's approval

The password(s) used to access the Password Vault will comply with the guidelines set forth in the corporate Password and Data Classification policy.

  • All firewall configurations must be stored centrally in a secure location, with a documented backup procedure.
  • Processes for change management MUST include a pre- and post-change backup of the current rule set.
  • The firewall change management process MUST be auditable. All changes must be accounted for and referenced to an approved Change Request ticket.
  • Management of the firewall should be run from a dedicated Out Of Band [OOB] interface.
  • Where an OOB interface does not exist, management should be run in band, but with access restricted to a dedicated Firewall Administration Workstation.
  • All firewalls should be configured with the GMT time zone to ensure consistent log data.
  • Dedicated Management Workstation:
      • The dedicated administration workstation will be assigned a static IP address.
      • The dedicated workstation WILL be a member of the corporate Active Directory infrastructure; at the time of writing this was the “Enterprise” domain.
      • Terminal Services and Log On Locally access to the firewall administration workstation will be restricted through Active Directory groups to the Firewall Administration Group.
      • A dedicated Firewall Administration Group will exist on the “Enterprise” domain.
      • The Firewall Administration Active Directory Group members will be audited quarterly.
      • Group membership will be requested using the current standard for account administration, with an appropriate approvals chain to include Security Engineering, Security Operations Management and the requesting individual's manager.
      • The system accessing the firewall(s) will be properly hardened and physically secured in accordance with IT Standards for Workstations.

Logging

All firewalls and VPNs must log to the respective centralized logging infrastructure.

  • The logging server MUST have disk space to store 6 months of logs on disk.
  • Logs of firewalls and VPNs MUST be stored as defined by the Data Retention Policy.

Appliance Naming Standard

  • All firewall and VPN appliances MUST adhere to the following naming convention:
      • <Site ID>-<function>-<instance>
  • For more information please refer to the corporate DNS Standards document.
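The naming convention above, together with the SNMP, split-tunneling, time-zone, anti-spoofing and encrypted-management requirements in the Hardware, Software and Configuration sections, can be checked mechanically against an appliance inventory rather than by reading configs by hand. The following Python script is an added example, not part of the original standard and not any vendor's tooling. The record schema (field names such as `oob_interface`, `snmp` and `management_protocols`), the two constructed inventory entries, and the character classes used for the three name fields are assumptions made here; the page gives only the `<Site ID>-<function>-<instance>` shape.

```python
"""Audit firewall/VPN inventory records against the standard above.

Added example for this page; it is not code from the original standard
or from any vendor. The record schema (field names below) is an
assumption made for illustration; an export from a real management
platform would be mapped onto it first.
"""
import re

# Naming standard: <Site ID>-<function>-<instance>. The page gives only the
# three-field shape; the character classes here are assumptions.
NAME_RE = re.compile(
    r"^(?P<site>[A-Za-z0-9]+)-(?P<function>[A-Za-z]+)-(?P<instance>\d+)$"
)

# Management protocols that carry credentials and config in the clear; the
# standard requires configuration management over an encrypted channel.
CLEARTEXT_MGMT = {"telnet", "http", "tftp", "ftp"}

# GMT is what the standard names; UTC is accepted as equivalent for log
# timestamps (assumption).
ALLOWED_TZ = {"GMT", "UTC"}


def parse_appliance_name(name):
    """Split a conforming appliance name into its fields, else return None."""
    m = NAME_RE.match(name)
    return m.groupdict() if m else None


def check_appliance(rec):
    """Return a list of findings for one appliance; an empty list is compliant."""
    findings = []

    if parse_appliance_name(rec["name"]) is None:
        findings.append("name does not follow <Site ID>-<function>-<instance>")

    snmp = rec.get("snmp", {})
    if snmp.get("enabled"):
        if snmp.get("version") not in (2, 3):
            findings.append("SNMP version %r in use; only v2 and v3 are allowed"
                            % snmp.get("version"))
        if snmp.get("write_access"):
            findings.append("SNMP write (set) access enabled; must be read-only")
        if snmp.get("interface") != rec.get("oob_interface"):
            findings.append("SNMP bound to %r rather than the OOB interface %r"
                            % (snmp.get("interface"), rec.get("oob_interface")))

    if rec.get("role") == "vpn" and rec.get("split_tunneling"):
        findings.append("split tunneling enabled; must be disabled as standard")

    if rec.get("timezone") not in ALLOWED_TZ:
        findings.append("timezone %r; must be GMT for consistent log data"
                        % rec.get("timezone"))

    # Anti-spoofing may be delegated to a screening router; otherwise it is required.
    if not rec.get("anti_spoofing") and not rec.get("screening_router_antispoof"):
        findings.append("anti-spoofing disabled and no screening router provides it")

    cleartext = CLEARTEXT_MGMT & set(rec.get("management_protocols", []))
    if cleartext:
        findings.append("cleartext management protocol(s) enabled: %s"
                        % ", ".join(sorted(cleartext)))

    return findings


def audit(inventory):
    """Map each appliance name to its list of findings."""
    return {rec["name"]: check_appliance(rec) for rec in inventory}


# Constructed sample inventory: one compliant appliance, one with several
# violations. Names and interface labels are made up for the example.
SAMPLE_INVENTORY = [
    {
        "name": "LON1-fw-01", "role": "firewall", "oob_interface": "mgmt0",
        "snmp": {"enabled": True, "version": 3, "write_access": False,
                 "interface": "mgmt0"},
        "timezone": "GMT", "anti_spoofing": True,
        "management_protocols": ["ssh", "https"],
    },
    {
        "name": "nyc_vpn1", "role": "vpn", "oob_interface": "mgmt0",
        "snmp": {"enabled": True, "version": 1, "write_access": True,
                 "interface": "eth0"},
        "split_tunneling": True, "timezone": "EST", "anti_spoofing": False,
        "management_protocols": ["telnet", "https"],
    },
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print("%s %s" % ("PASS" if not findings else "FAIL", name))
        for f in findings:
            print("    - " + f)
```

Run as a script it prints PASS or FAIL per appliance with the individual findings beneath; the site-specific part of adopting it is mapping a management platform's export onto the record fields, after which the checks themselves track the requirements in this standard one for one.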