How to Set Up a Firewall Security Policy
Firewall Security Policy
When discussing security policies, most people think of an organizational security policy, an email, or an acceptable Internet usage policy. Most SMEs (Small and Medium-sized Enterprises) who have security policies only implement an organizational or general security plan. In reality, many businesses wouldn’t have even developed a general security policy let alone anything else, such as a firewall security policy.
Usually the general business employee isn’t really aware of the need for a firewall security policy, yet developing such knowledge would be a great asset to those who manage the IT resources – whether they’re employees or contractors. Also, it would direct the business with regard to the specific security issue of firewalls.
Firewall Security Policy
I have come across people who believe SMEs do not need intrusion detection systems but rather more restrictive firewall security policies than the ones they currently use. I’m not sure whether to agree with the statement regarding not needing intrusion detection systems, but I do agree that more restrictive security policies are essential.
Whether you need to develop a new firewall security policy or just a more restrictive security policy, there are certain guidelines which need to be followed. First of all, a business must understand the purpose of the firewall(s) and what is meant to be protected. Some firewalls help secure inbound network traffic coming from places such as the Internet, while others can protect one zone or segment of your internal network from another. Either way, you must determine your needs.
To do this, any business, especially SMEs, needs to know the topography of its network as well as the location of all its digital assets (data). Furthermore, the business must know and understand what applications, programs, ports and services are needed so that it can function properly. Without knowing your network and business needs, it’s difficult to develop a firewall security policy.
All the above should be documented in the firewall security policy and updated as needed. Keep in mind that networks which change this information frequently may need regular updates.
The next step involves determining what type of firewalls will be used. This may be a general issue as to type or may include identifying the specific firewall(s) that will be used. Also, the policy needs to identify those individuals within the organization who will be given authority to install and manage the firewall(s).
Once the specific firewalls have been determined, you will have to develop a baseline or minimum configuration requirements for the firewall(s) that you will use on your corporate network. There may be different baseline configurations for firewalls that are protecting your network from the Internet, to those that are protecting different network segments from each other.
These minimum configurations should include rules, filters, specific ports, services, and other relative items. You will also need to address the issue related to users’ requests to bypass a firewall rule for a specific protocol or other needs. Also, make sure a policy for changing firewall configurations is implemented. Without proper documentation, it’s easy to forget why a specific firewall rule was developed and employees might be scared to make changes to the rule out of fear they might damage something if the rule is deleted or removed.
Often, temporary firewall rule changes become permanent because no one knows when they were meant to be removed. Requirements for documenting changes made to the firewall rules or configuration should be part of the firewall policy, as well as the type of approval process that is necessary to make significant changes to the firewall rules or configurations.
Finally, I would include a requirement regarding the storage and analysis of firewall logs. Without logging traffic coming through the firewall and then reviewing the logged information, you miss out on the benefit of determining the type of traffic that is being allowed via your network. Reviewing logs will also assist in determining if changes should be made to the firewall rules or configuration to improve your network protection.
Remember, a firewall security policy helps provide uniformity in the use of firewalls in your business as well as providing a reference for IT administrators or other people working on your firewall(s) or network.
No comments:
Post a Comment