
Firewall Appliance


External facing firewall systems must use certain security features to defend against Internet attacks

All external firewall appliances connected to an entry point must be configured to protect internal assets from Internet-based (i.e. any public or untrusted network) security risks. This includes placing a firewall appliance on every external connection to the global corporate network. An external-facing firewall appliance is required whenever any part of the corporate network (a business unit) is connected to a public or untrusted network such as the Internet. It is critical to the operational success of the corporate network that every external network access point is secured with a suitable defense system, namely an external firewall appliance enforcing a strongly configured security policy.

Ensuring that a firewall appliance is configured correctly is paramount to the security of the network. For this reason it is critical that all corporate firewall configuration changes are made by authorized security personnel and are routinely reviewed to ensure maximum security.

External-facing firewall appliance systems must use certain security features to defend against Internet attacks. Firewall appliances must be configured to deny all traffic unless it has been explicitly allowed (granted).

Authorized traffic is granted based on traffic characteristics defined in the firewall's security policy. The firewall appliance must also be configured to defend against common Internet hacking techniques such as address masquerading (IP spoofing).

Firewalls must also hide corporate internal addresses and DNS configurations from the Internet. If discovered (via reconnaissance), this information can be used by intruders to construct a specifically targeted DDoS attack. Internal IP addresses are hidden via Network Address Translation (NAT).

Firewall appliance systems must not be built online in a manner that exposes the internal corporate network to the Internet. They should be built offline, with an air gap protecting the internal corporate network from the Internet.

Firewall appliances must also be located in a physically secured location to defend against system tampering that could circumvent corporate network security.
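The default-deny, anti-spoofing and logging behaviour described above can be modelled in a few dozen lines. The following is an added example, not code from the original article: the Packet and Rule types, the rule base, the internal address ranges and the sample packets are all constructed for illustration.

```python
"""Default-deny packet filtering with anti-spoofing and detailed logging.

Added example (not the article's own code): a minimal model of the policy the
text describes. Rule, Packet, RULES and SAMPLE are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Constructed: address ranges that can never legitimately be the SOURCE of a
# packet arriving from the Internet (RFC 1918 space plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (from the Internet) or "outbound"
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str   # direction the rule applies to
    proto: str       # application type: protocol ...
    dport: int       # ... and port
    action: str      # "permit" or "deny"
    log: bool        # logging level: True = record every match


# Constructed rule base: explicit permits for known services only. Traffic that
# matches no rule falls through to the default deny in evaluate().
RULES = [
    Rule("inbound", "tcp", 443, "permit", log=False),   # public web server
    Rule("inbound", "tcp", 22, "deny", log=True),       # high-risk: log every attempt
    Rule("outbound", "udp", 53, "permit", log=False),   # outbound DNS resolution
]


def is_spoofed(pkt: Packet) -> bool:
    """Inbound packet whose source address claims to be internal (IP masquerading)."""
    if pkt.direction != "inbound":
        return False
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in INTERNAL_NETS)


def evaluate(pkt: Packet, rules=RULES):
    """Return (verdict, reason, should_log). Anti-spoofing runs before the rule
    base, and unmatched traffic is denied, so a missing rule never opens a hole."""
    if is_spoofed(pkt):
        return "deny", "anti-spoof", True
    for rule in rules:
        if (rule.direction, rule.proto, rule.dport) == (pkt.direction, pkt.proto, pkt.dport):
            return rule.action, "rule", rule.log
    return "deny", "default-deny", True


def log_line(pkt: Packet, verdict: str, reason: str, when: datetime) -> str:
    """Log with the detail the standard asks for: time, addresses, protocol, port."""
    stamp = when.strftime("%Y-%m-%d %H:%M:%S")
    return f"{stamp} {verdict.upper()} ({reason}) {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}"


def filter_packets(packets, rules=RULES, when=None):
    """Evaluate each packet; return the verdicts and the log lines produced."""
    when = when or datetime.now(timezone.utc)
    verdicts, log = [], []
    for pkt in packets:
        verdict, reason, should_log = evaluate(pkt, rules)
        if should_log:
            log.append(log_line(pkt, verdict, reason, when))
        verdicts.append(verdict)
    return verdicts, log


# Constructed sample traffic, one packet per case the policy must handle.
SAMPLE = [
    Packet("inbound", "tcp", "203.0.113.5", "198.51.100.10", 443),   # explicitly permitted
    Packet("inbound", "tcp", "10.1.2.3", "198.51.100.10", 443),      # spoofed internal source
    Packet("inbound", "tcp", "203.0.113.5", "198.51.100.10", 22),    # denied and logged by rule
    Packet("inbound", "udp", "203.0.113.5", "198.51.100.10", 161),   # no rule: default deny
]

if __name__ == "__main__":
    verdicts, log = filter_packets(SAMPLE, when=datetime(2010, 7, 1, tzinfo=timezone.utc))
    print(verdicts)
    print("\n".join(log))
```

The order of checks matters: the spoof test runs before any rule can match, so a permit rule for port 443 cannot be reached by a packet that arrives from the Internet with an internal source address.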


Minimum standard

External firewall appliances facing the Internet should follow these minimum firewall security standards:

1. All perimeter routers (external router in front of a firewall appliance) shall be configured to provide basic packet filtering using extended access-lists. This is done to provide a front-line defense mechanism against Internet based attacks.

2. A suitable firewall (as in the firewall functional requirements guideline) must be used in conjunction with a suitable firewall topology and security policy (rule base).

3. All external traffic (public or Internet) must pass through a corporate firewall. No corporate system may be attached to the Internet unless protected by a firewall appliance.

4. The corporate security guideline must be used to determine the traffic types permitted through an external-facing firewall (application type and port definitions). That document details the protocols and ports that must be protected when connecting to any untrusted network such as the Internet.

5. All external facing firewalls must be configured to DENY all traffic unless explicitly permitted (refer to default firewall configuration).

6. Traffic must be individually ALLOWED (permitted) based on traffic classification parameters, which include:

a. Application type (protocol and port)

b. Direction (source /destination)

c. Action (Permit or Deny)

d. Authentication requirements

e. Virus Scanning (Content Filtering)

f. Logging Level

7. External facing firewalls must not expose internal components such as inside IP addresses and private DNS to the Internet.

a. The use of a split DNS with DNS zone filtering is mandatory. This protects the internal DNS from such risks as reconnaissance attacks.

b. Network Address Translation (NAT) must be used to hide corporate internal IP addresses.

8. All high-risk traffic must be logged with sufficient detail to assist with security analysis (date/time, source/destination IP address, protocol and port).

9. External facing firewalls must be configured with event and alert notification. Multiple notification methods should be used to guarantee immediate notification to security staff. Valid notification methods include email, pager, or SMS (this can be done via SNMP traps).

10. All firewall appliance systems must have a disaster recovery and incident response strategy in place. These must be documented (see the risk assessment example), up to date and regularly tested (refer to firewall contingency planning).

11. Firewall appliance systems must be maintained and administered by trained and security conscious personnel. Firewall configurations must not be made by non-authorized or untrained personnel.

12. External facing firewalls must be configured for anti-spoofing (IP masquerading) to defend against common IP based security attacks.

13. All external facing firewall configurations must be tested and validated prior to production.

14. The corporate internal network must not be exposed to the Internet while building or performing maintenance on firewall appliance systems. An air-gap (no network connection) to the external network must be used if there is no (or limited) enforced security policy.

15. All corporate firewall appliance systems must be physically secure, with access permitted only to authorized personnel.
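Items 5, 6, 8, 12 and 13 are all checks that can be run against a rule base before it goes into production. The following is an added example, not code from the article: it reviews a constructed rule base (a list of dicts in evaluation order) and reports findings labelled STD-n after the numbered items above; the high-risk port set is an assumption made for the example.

```python
"""Static review of a firewall rule base against the minimum standard above.

Added example (not the article's own code): RULEBASE and HIGH_RISK_PORTS are
constructed, and the STD-n labels refer to the numbered items of this article.
"""
import ipaddress

# Constructed: ports this example treats as high-risk (clear-text logins,
# Windows file/RPC services, remote desktop).
HIGH_RISK_PORTS = {21, 23, 135, 139, 445, 3389}

# Constructed rule base in evaluation order. "any" matches everything.
RULEBASE = [
    {"id": 1, "iface": "external", "src": "any", "dst": "203.0.113.10/32",
     "proto": "tcp", "dport": 443, "action": "permit", "log": False},
    {"id": 2, "iface": "external", "src": "10.0.0.0/8", "dst": "any",
     "proto": "tcp", "dport": 445, "action": "permit", "log": False},
    {"id": 3, "iface": "external", "src": "any", "dst": "any",
     "proto": "tcp", "dport": 23, "action": "permit", "log": False},
    {"id": 4, "iface": "internal", "src": "any", "dst": "any",
     "proto": "any", "dport": "any", "action": "permit", "log": False},
]


def is_any(value) -> bool:
    return value == "any"


def audit(rulebase):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not rulebase:
        return ["STD-5: rule base is empty (no explicit default deny)"]

    # STD-5: the last rule must be an explicit deny of everything.
    last = rulebase[-1]
    catch_all = all(is_any(last[k]) for k in ("src", "dst", "proto", "dport"))
    if not (last["action"] == "deny" and catch_all):
        findings.append("STD-5: last rule is not an explicit deny-all; "
                        "unmatched traffic relies on implicit behaviour")

    shadowing_ifaces = set()   # interfaces on which an any/any permit was seen
    for r in rulebase:
        tag = f"rule {r['id']}"
        # STD-13: a rule after an any/any permit on the same interface never matches.
        if r["iface"] in shadowing_ifaces:
            findings.append(f"{tag}: STD-13: unreachable, shadowed by an earlier any/any permit")
            continue
        if r["action"] != "permit":
            continue
        # STD-6: traffic must be individually allowed by classification parameters.
        if all(is_any(r[k]) for k in ("src", "dst", "proto")):
            findings.append(f"{tag}: STD-6: permits any source/destination/protocol")
            shadowing_ifaces.add(r["iface"])
        # STD-12: private source space can never legitimately arrive from outside.
        if (r["iface"] == "external" and not is_any(r["src"])
                and ipaddress.ip_network(r["src"]).is_private):
            findings.append(f"{tag}: STD-12: private source {r['src']} permitted "
                            "from the external interface (spoofable)")
        # STD-8: high-risk traffic must be logged.
        if r["dport"] in HIGH_RISK_PORTS and not r["log"]:
            findings.append(f"{tag}: STD-8: high-risk port {r['dport']} permitted without logging")
    return findings


if __name__ == "__main__":
    for finding in audit(RULEBASE):
        print(finding)
```

Run against the constructed rule base, the review reports five findings: the missing final deny, a private source range accepted from the outside, two high-risk services permitted without logging, and an any/any permit. Checks like these belong in the validation step of item 13 and in the routine reviews mentioned earlier, so that an unreviewed change cannot silently remove the default deny.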

By not adhering to the External Firewall Connections guidelines, a business unit risks exposing multiple security holes that could compromise network security within the corporate internally trusted network.

Besides the previous discussion about firewall topology, you can also read the next article in this series on firewall security standards, which covers firewall auditing. Firewall auditing should be undertaken regularly to ensure that the firewall is performing its intended function. Read more about firewall auditing there, and also another good article about securing laptops.

1 comment to Firewall Appliance

  • Everything in this blog is completely true! In addition you've created an excellent blog post once again! Your writing style about firewall appliance is impeccable, I really enjoy the articles. I check your site regularly and enjoy the fact it's popular and has frequent users, please post about firewall appliance more often.
