S 2.71 Establishing a security policy for a firewall

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT Security Management

The first step in establishing a security policy is to determine which types of communication with the external network are permitted. When selecting the communication requirements, the following questions must be answered:

• Which information should the firewall allow out / in?

• Which information should the firewall conceal (e.g. the internal net structure or the user names)?

• Which authentication procedures should be used within the network requiring protection or for the firewall (e.g. one-time passwords or chip cards)?

• Which access possibilites are needed (e.g. only via an Internet service provider or also via a modem pool)?

• What data throughput is to be expected?

Selection of Services

The communication requirements are the basis for determining which services are permitted in the network requiring protection and which must be forbidden.

A distinction must be made between those services permitted for the users in the network requiring protection and those permitted for external users.

If E-mail is to be received, for example, which is generally the minimum requirement, the firewall must allow the SMTP protocol to pass through. If files from external IT systems are to be collected, FTP must be available.

The security policy must clearly state for each service which services are permitted for which user and/or computer and for which services confidentiality and/or integrity must be guaranteed. Only services which are absolutely necessary should be permitted. All other services must be forbidden. This must be the basic principle: All services for which there are no explicit rules must be forbidden.

It must be determined whether and which information should be filtered (e.g. checking for computer viruses).

The security policy should be established in such a way that it can meet future requirements, i.e. it should have a sufficient number of connection possibilities. Any alteration at a later date must be strictly monitored and particularly checked for side effects.

Provisions must be made for exceptions, particularly for new services and short-notice alterations (e.g. for tests).

The filters must fulfil certain requirements: the filters using information from the services of layers three and four of the OSI layer model (IP, ICMP, ARP, TCP and UDP) and the filter using information from the services of the application layer (e.g. Telnet, FTP, SMTP, DNS, NNTP, HTTP). An overview of aspects to be observed for correct operation of the various protocols and services is provided in S 5.39 Secure Use of Protocols and Services. Using this as a basis, filter rules must be drawn up (see S 2.76 Selection and Implementation of Suitable Filter Rules).

In addition to the establishment and implementation of filter rules, the following organisational regulations are required:

• Persons-in-charge should be appointed for the establishment, implementation and testing of the filter rules. It must be clarified who is authorised to alter filter rules, e.g. for testing new services.

• It must be determined which information is logged and who assesses these protocols. All connections which were correctly established and those which were denied must be logged. Logging must comply with the data privacy regulations.

• The users must be informed in detail of their permissions, particularly with regard to the extent of the data filtering.

• Attacks on the firewall should not only be successfully prevented, but also detected at an early stage. Attacks can be detected by assessing the log files. On the basis of predefined events, e.g. repeated entry of an incorrect password on an application gateway, or attempts to establish forbidden connections, the firewall should also be able to issue warnings or even trigger actions.

• It should be clarified which actions are started in the event of an attack, whether the attacker should be traced, for example, or whether the external network connection should be cut off. As this can have a great effect on operation of the network, persons-in-charge must be appointed who are able to decide whether an attack is present and what action should be taken. The tasks and authority for the persons and functions in question must be clearly stipulated.

The following questions must be clarified when determining the security policy:

• What damage can be caused to the network requiring protection if the firewall is passed? As there is no such thing as absolute protection, it must be decided whether the maximum possible damage is acceptable or whether additional measures must be taken.

• What is the remaining risk when the firewall is operating correctly? This may be vulnerabilities in the equipment and operating systems used.

• How quickly is an attack on the firewall detected?

• Which protocol information is still available after a successful attack?

• Are the users willing to accept the limitations caused by the firewall