S 2.78 Secure operation of a Firewall

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT Security Management, Administrators

In order to ensure correct operation of a firewall, the adherence to the required safeguards should be checked on a regular basis. In particular, the organisational provisions for the operation of the firewall should be regularly / randomly checked to ensure that these are being adhered to. Regular checks should be carried out as to whether new accesses have been created bypassing the firewall.

Regular tests should also be carried out to ensure that all filter rules have been correctly implemented. It should be ensured that only those services stated in the security policy are permitted.

In the event that alterations are to be made to the security policy at a later date, these must be closely monitored and checked for side effects, in particular.

The demands placed on packet filters and application gateways when these were purchased should be implemented. They should be updated regularly and checked for completeness.

The default setting of the filter rules and the configuration of the components must ensure that all connections not explicitly allowed are blocked. This must also apply in the event of complete failure of the firewall components.

The following should generally apply: "Everything is forbidden unless explicitly permitted". A user with no entry in an access list, for example, has no way of using the Internet.

The following points should also be observed:

• In order to prevent the eavesdropping of, or alterations to, the authentication information, the Administrator and Auditor may only authenticate themselves via a trustworthy path. This can be directly via the console, for example, an encoded connection or a separate network.

• Integrity tests of the software used must be carried out in regular intervals. The firewall must be switched off in case of errors.

• The firewall must be tested for its behaviour in case of a system crash. In particular, an automatic restart must not be possible and it must be possible to store the access lists on a write-protected medium. The access lists are the main data for the operation of the firewall and must be specially secured so that no old or faulty access lists are used when the unit is restarted as the result of an attack.

In case of failure of the firewall, it must be ensured that during this time no network connections can be made from, or to, the protected network.

• The components used may only contain programs which are required for the operation of the firewall. The use of these programs must be documented and justified in detail. The software for the graphic user interface, for example, should be removed as well as all superfluous drivers. These should also be removed from the operating system core. Remaining software must be documented and justified.

• When restoring backup data, it must be ensured that the files for the correct operation of the firewall are up-to-date, such as access lists, password files or filter rules