Network Access Controls (Standard)

Overview and Purpose

This information security standard specifies minimum requirements for protection of sensitive Information Resources on [variable: Covered Organization] networks. The purpose of this standard is to define common technical procedures and protocols that protect network systems. Ultimately, the standard helps ensure the confidentiality, integrity, and availability of organizational systems, applications, and information that support business performance. Although this policy addresses specific aspects of network security, including firewall management, it in no way reduces the responsibilities of users, system managers, system owners, and administrators to protect sensitive data and systems.

Coverage

This standard applies to all full- and part-time employees, contractors, franchisees, and other entities that use network resources or are granted network access by [variable: Covered Organization]. It covers desktop computers, laptops, workstations, servers, printers, and all other devices connected to the [variable: Covered Organization] wide area network or local area networks.

Roles and Responsibilities

Chief Information Security Officer (CISO)

  • Defines and delegates responsibility to an Information Technology Security Manager (ITSM) for oversight of network security policy
  • In conjunction with the ISO, oversees development, coordination, interpretation, and approval of IT security policy
  • In conjunction with the ISO, reviews network security policy and maintenance procedures not less than once every [variable: time period].
  • Oversees compliance with 1) regulatory and legal requirements, and 2) organizational standards, policies, and procedures governing IT security

Information Security Officer (ISO)

  • Approves security policy on behalf of [variable: Covered Organization]
  • In conjunction with the CISO, oversees development, coordination, and interpretation of IT security policy
  • Is authorized to disable the [variable: Covered Organization] network in order to protect the confidentiality, integrity, and broader availability of sensitive and proprietary Information Resources
  • In conjunction with the CISO, reviews network security policy and maintenance procedures not less than once every [variable: time period].

Information Technology Security Manager (ITSM)

  • Oversees the development and implementation of an overall network security plan for [variable: Covered Organization] systems
  • Issues security standards, policies, and procedures
  • Oversees [variable: Covered Organization] network security
  • Provides technical direction to IT staff responsible for firewall management on required policies and procedures

[variable: Role]

  • Develops [variable: Covered Organization] IT security policies
  • Manages the IT security program, coordinates activities that protect Information Resources, and reports to the CISO and ISO on the effectiveness of network security measures

Program/Project Security Managers

  • For a given [variable: Covered Organization] program or project, 1) manages the program or project's information security plans and controls; and 2) coordinates all program activities designed to protect IT resources
  • Works closely with ITSMs and other security management to ensure consistent application of security policy throughout the organization

Policy

  • Employees may access the Internet only through trusted [variable: Covered Organization] access points and devices.
  • Employees must use approved software and Internet gateways for network access.
  • Employees must not publish or make publicly visible any information or details about the internal (trusted) network.
  • All traffic originating from external sources must go through a firewall configured per organizational standards
  • [variable: Covered Organization] policy is to deny any Internet access or service that is not expressly permitted.
  • No employee—including executive security, IT staff, and other privileged users—may grant or enable public or Internet-based access directly to servers or machines on the internal (trusted) network.

Procedures

Firewall

The [variable: Covered Organization] firewall must be configured using IT “best practices” that include, but are not limited to, the following:

  • Establishment and maintenance of a robust “firewall system” between the Internet and the [variable: Covered Organization] business network. All Internet traffic between internal and external networks must pass through the firewall system.
  • Firewall configurations that permit Internet-based access to internal information systems must not make sensitive information or information systems vulnerable to compromise
  • Only network sessions using strong authentication and encryption can pass through the firewall to internal systems. If users are required by business roles to access internal systems and networks via the Internet, they must be required to use strong authentication and data encryption throughout the course of that access.
  • The firewall must deny all services not expressly permitted.
  • The firewall must be configured to alert the firewall administrator(s) in near-real-time of anomalies and events that may require immediate attention, such as unauthorized or anomalous network access attempts or a shortage of disk space.
  • If firewall software is run on a dedicated computer, all non-firewall-related software on the same machine must be deleted or disabled.
  • All firewalls must be set to fail to a configuration that denies all services, and require a firewall administrator to re-enable services.
  • Source routing must be disabled on all firewalls and external routers.
  • The firewall must not accept traffic on external interfaces that appear to originate from internal network addresses.
  • Firewall devices must be tested offline prior to enablement, in order to verify proper functionality and configuration
  • The firewall must be configured to allow transparency for all outbound services.
  • Unless explicitly excepted by [variable: Role], all inbound network traffic must be intercepted and processed by the firewall
  • Firewall documentation must be maintained in secure (but accessible) offline storage at all times. Such information will include but not be limited to the network diagram, including all IP addresses of all network devices, the IP addresses of relevant hosts of the Internet Service Provider (ISP) such as external news server, router, DNS server, etc. and other configuration parameters such as packet filter rules, etc.
    • Firewall documentation must be updated whenever the firewall hardware, software, configuration, or other variables change
  • The firewall implementation (system software, configuration data, database files, etc.) must be backed up daily, weekly, and monthly so that in case of system failure, data and configuration files can be recovered.
    • Firewall backup files must be secured so that the media is accessible only to approved personnel.
  • Only firewall administrator(s) may be assigned privileges to update system executables or other system software.
  • Modifications to firewall hardware, software, configurations, or other variables must be done by a firewall administrator and require formal approval from the ITSM.
  • Firewall administrators must evaluate each new release of firewall software to determine whether an upgrade is required.
  • All security patches recommended by the firewall vendor should be implemented in a timely manner, not less than [variable: time period] after release.
  • All services and traffic to be authorized across the firewall implementation must be well documented. Documentation must include a business need, protocol used, direction (inbound and/or outbound), port assignments, known vulnerabilities, and risk mitigation statements.
  • If application-level proxy firewalls are used, outbound network traffic must appear as if the traffic had originated from the firewall, ensuring that only the firewall is visible to outside networks.
  • The firewall must be regularly audited and monitored to detect intrusions or misuse

DMZ

  • Limitation of Internet-based access to [variable: Covered Organization] data and systems must be implemented via a “Demilitarized Zone” (DMZ), which is a component of the firewall architecture.

Protection of Information on Network Settings, Infrastructure, and Resources

  • Information on the architecture, structure, and configuration of [variable: Covered Organization] computer and communication systems is considered confidential. Information such as dial-up modem phone numbers, network diagrams, and firewall configurations must not be posted online or otherwise made visible to third parties without the written permission of [variable: Role].
  • The [variable: Role] directs periodic scanning of direct dial-in lines to monitor compliance with policies and may periodically change dial-in numbers to make it more difficult for unauthorized parties to locate and access network entry points.

Intrusion Detection

  • Normal logging processes must be enabled on all host and server systems. Alarm and alert functions, as well as logging, of any firewalls and other network perimeter access control systems will be enabled.
  • The firewall must provide detailed logs of all sessions.
    • Secure media must be used to store log reports such that access to this media is restricted to only authorized personnel
    • The [variable: Role] must review firewall logs not less than once per [variable: time period]
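As an added illustration that is not part of this standard, the following Python script shows the kind of check the near-real-time alerting and periodic log review requirements above call for: it parses netfilter-style firewall log lines, flags packets arriving on the external interface with internal source addresses (which the anti-spoofing rule must deny), and flags external sources that were denied on several distinct ports. The interface name, internal address ranges, probe threshold, and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Assumptions, not from the standard: eth0 faces the Internet, these are the
# internal ranges, and 3 distinct denied ports from one source count as a probe.
EXTERNAL_IF = "eth0"
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
PROBE_THRESHOLD = 3

# Constructed sample of netfilter-style firewall log lines (not real traffic).
SAMPLE_LOG = """\
Jan 10 09:00:01 fw kernel: DENY IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 10 09:00:02 fw kernel: DENY IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 10 09:00:03 fw kernel: DENY IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Jan 10 09:00:04 fw kernel: DENY IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=3389
Jan 10 09:00:05 fw kernel: DENY IN=eth0 OUT= SRC=10.20.30.40 DST=192.0.2.10 PROTO=TCP DPT=445
Jan 10 09:00:06 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.30.41 DST=198.51.100.5 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DENY) IN=(?P<iface>\S*) OUT=\S* SRC=(?P<src>\S+) "
    r"DST=\S+ PROTO=\S+(?: DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None  # not a firewall event line
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None
    return ev

def analyze(log_text):
    """Return (alert_type, source, detail) tuples for one log review period."""
    alerts, denied_ports = [], defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["iface"] != EXTERNAL_IF:
            continue  # only traffic arriving on the Internet-facing interface
        if any(ip_address(ev["src"]) in net for net in INTERNAL_NETS):
            # Internal address arriving from outside: spoofing. The action is kept
            # because ACCEPT would also mean the anti-spoofing rule is missing.
            alerts.append(("spoofed-internal-source", ev["src"], ev["action"]))
        elif ev["action"] == "DENY" and ev["dpt"]:
            denied_ports[ev["src"]].add(ev["dpt"])  # distinct denied ports per source
    for src, ports in denied_ports.items():
        if len(ports) >= PROBE_THRESHOLD:
            alerts.append(("inbound-probe", src, sorted(ports)))
    return alerts
```

Run against a real log export, the thresholds and address ranges would be taken from the documented firewall configuration rather than hard-coded.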

Firewall Architectures

  • Routing by a dual-homed firewall must be disabled so that IP packets from one network are not directly routed to another
  • All inbound Internet services must be processed by proxy software or stateful inspection at the firewall. If a new service is requested, that service must not be made available until a proxy is available from the firewall vendor and tested by the firewall administrator(s). A custom proxy may be developed in-house or by vendors only when approved by [variable: Role(s)]
  • The firewall must run as a DNS server in order to provide public/Internet addresses to clients. The firewall must be configured to hide information about the network so that internal host data are not available to the outside world.
  • Firewall implementations must use technologies capable of making access control decisions based on information examined as high as the application layer, that is, application proxy or stateful inspection technologies. Simple packet filtering or circuit-level firewall implementations must not be used.
  • If application-level proxy firewalls are used, outbound network traffic must appear as if the traffic had originated from the firewall. Only the firewall should be visible to external traffic.

Network Trust Relationships

  • All connections from internal networks to external networks must be approved by [variable: Role(s)] and managed by [variable: Role(s)]
    • Connections with external networks will be allowed only after a review finds the connection and external network to have acceptable security controls and procedures
  • All connections to approved external networks must pass through approved firewalls
  • Functional managers must validate the need for any existing connections to external networks on an [variable: time period] basis. When notified by a functional manager that the need for connection to a particular network is no longer valid, [variable: Role] will ensure all accounts and parameters related to the connection are deleted within [variable: Period].

Virtual Private Networks (VPNs)

  • Any connection between firewalls over public networks must use encrypted and password protected Virtual Private Networks to ensure the privacy and integrity of the data passing between networks
    • All VPN connections must be approved by [variable: Role]
    • All VPN connections must use unique access credentials. Organizational IT and information security personnel must not issue or allow group or generic access credentials to VPNs.
  • All external connections over untrusted public networks to services or applications located behind the firewall must use encrypted VPNs to ensure the privacy and integrity of the data during transit.
    • Such connections are considered extensions of the internal (trusted) network, and as such will not fall under the service restrictions that follow.

Service Specific Policies

  • The table in Appendix 1 contains examples of common services that must be approved by [variable: Role] prior to implementation. It is not an all-inclusive list and is subject to change.

Supporting Documentation

This standard is supported by the following rules, policies, and procedures:

  • [variable: internal documents (with links, if available)]
  • [variable: external documents (with links, if available)]

Enforcement

Gross negligence or willful disregard of this standard may result in disciplinary action, which may include termination for employees and temporaries; termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [variable: Covered Organization] Information Resources access privileges and to civil or criminal prosecution.

Standards Support Contact

  • [variable: title (not personal name) of role responsible for overseeing this procedure]
  • [variable: Contact information of office responsible for overseeing this procedure]

References

Research Resources

  • Computer Security Act of 1987 (PL 100-235)
  • OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources
  • NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
  • Interim Network Perimeter Security Standard (INPSS), January 5, 2001
  • Policies on Limited Use of Government Equipment and Telephone Use, issued June 14, 2000
  • INTERNET Acceptable Use Policy, June 13, 1997

Policy Source Document(s)
