Drafting the Network Security Policy and the firewall

an article added by: Gustaf Grube at 11202007




Now that you know what is necessary, you can begin to write your network security policy. Writing a security policy is a logical progression of steps. Briefly, the structure of the policy should include the following:

- Introduction: In this section, state the purpose of the policy. What is its objective? Why is it important to the organization?

- Guidelines: In this section, detail the guidelines for choosing controls that meet the objectives of the policy. These are the basic requirements; typically you will see the word "should" in these statements.

- Standards: In this section, detail the standards for implementing and deploying the selected controls. For example, this section states the initial configuration or firewall architecture. It tends to record the requirements gathered in the meetings with the interested departments and business units, and it is written with wording such as "It is the policy that ...".

NOTE: Remember that any type of traffic that takes place on your network should be defined somewhere within your network policy.

- Procedures: In this section, detail the procedures for maintaining the security solution, such as how often the logs should be reviewed and who is authorized to make changes.

- Deployment: The purpose of the deployment section is to assign responsibilities and specific steps for implementing the policy. Think of it as a mini project plan. In a perimeter network security policy, this section translates the standards and guidelines into language the security administrator can enforce on the firewall.

- Enforcement: Although many policies lack this component, every policy requires a method of enforcement. A popular and effective method is auditing; in this section you could state that the firewall rule base is subject to an external audit yearly. This section should also detail the consequences for anyone who circumvents the firewall or its rules.

- Modifications or exceptions: No policy is perfect, and the policy may require modifications or exceptions. In this section, detail the methods for obtaining a modification to the policy or an exception to it.

The following series of headings could be considered a sample of a perimeter network security policy.

Introduction

Due to CompanyX's required connection and access to the public Internet, it is essential that a strong perimeter firewall exist that sufficiently separates the internal private LAN of CompanyX from the public Internet. The firewall should provide preventative and detective technical controls for access between the two networks.

Guidelines

The implementation of any firewall technology should follow these basic rules:

- The firewall should allow for filtering of communication protocols based on complex rule sets.

- The firewall should provide extensive logging of traffic passed and blocked.

- The firewall should be the only entry and exit point to the public Internet from the CompanyX LAN.

- The firewall operating system should be sufficiently hardened to resist both internal and external attacks.

- The firewall should fail closed.

- The firewall should not disclose the internal nature, names, or addressing of the CompanyX LAN.

- The firewall should only provide firewall services. No other service or application should be running on the firewall.

Standards

The implementation of any firewall must follow these basic rules:

- It is the policy that only the identified firewall administrator is allowed to make changes to the configuration of the firewall.

- It is the policy that all firewalls must follow the default rule: that which is not expressly permitted is denied.

In addition, the following standards apply to the perimeter network:

- The deployment of public services and resources shall be positioned behind the firewall in a protected service net.

- The firewall shall be configured to disallow traffic that originates in the service net to the general LAN.

- Any application or network resource residing outside the firewall and reachable by unauthorized users requires a banner similar to the following:

This system is the property of CompanyX. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system will be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to CompanyX management, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of CompanyX. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system, you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.

Procedures

The firewall will be configured to allow traffic as defined here:

- TCP/IP suite of protocols allowed through the firewall from the inside LAN to the public Internet is as follows:

- HTTP to anywhere

- HTTPS to anywhere

- TCP/IP suite of protocols allowed through the firewall from the inside LAN to the Service Net is as follows:

- HTTP to Web server

- SMTP to Mail server

- POP3 to Mail server

- DNS to DNS server

- TCP/IP suite of protocols allowed through the firewall from the Service Net to the public Internet is as follows:

- DNS from DNS server to anywhere

- TCP/IP suite of protocols allowed through the firewall from the public Internet to the LAN is as follows:

- None

- TCP/IP suite of protocols allowed through the firewall from the public Internet to the Service Net, restricted to a specific source, destination, and protocol, is as follows:

- SMTP to Mail server

- HTTP to Web server

- FTP to Web server
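To show how the Procedures above, together with the default-deny and service-net standards, translate into a rule base that the security administrator can enforce in the Deployment step, here is an added example in Python. It is not code from the original article or from any firewall vendor. It models the rule base as a first-match list whose cleanup rule denies anything not expressly permitted, evaluates sample connection attempts, and audits the list against two of the Standards before it is pushed to the firewall. The zone names, host labels, sample addresses and the service-to-port table are assumptions made for the illustration; a real firewall matches on addresses and tracks connection state rather than on these labels.

```python
"""Default-deny rule base modelling the sample perimeter policy.

Added example, not from the original article or any firewall product.
Zone names, host labels, the service-to-port table and the rule
encoding are assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

ANY = "*"
LAN, SVC, INET = "lan", "service_net", "internet"   # zones (assumed names)
WEB, MAIL, DNS_SRV = "web", "mail", "dns"            # service-net hosts (assumed labels)

# Standard ports for the services named in the Procedures section.
SERVICES = {
    "http": ("tcp", 80), "https": ("tcp", 443), "smtp": ("tcp", 25),
    "pop3": ("tcp", 110), "dns": ("udp", 53), "ftp": ("tcp", 21),
}


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the firewall sees its first packet."""
    src_zone: str
    dst_zone: str
    dst_host: str
    proto: str
    dport: int
    src_host: str = ANY


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str       # ANY means "anywhere"
    service: str        # key of SERVICES
    src_host: str = ANY
    action: str = "allow"


def _match(pattern: str, value: str) -> bool:
    return pattern == ANY or pattern == value


def rule_matches(rule: Rule, flow: Flow) -> bool:
    proto, port = SERVICES[rule.service]
    return (rule.src_zone == flow.src_zone and rule.dst_zone == flow.dst_zone
            and _match(rule.src_host, flow.src_host)
            and _match(rule.dst_host, flow.dst_host)
            and proto == flow.proto and port == flow.dport)


# The Procedures section, one rule per line, in the order a first-match
# engine evaluates them.
RULEBASE: List[Rule] = [
    # inside LAN -> public Internet
    Rule(LAN, INET, ANY, "http"),
    Rule(LAN, INET, ANY, "https"),
    # inside LAN -> Service Net
    Rule(LAN, SVC, WEB, "http"),
    Rule(LAN, SVC, MAIL, "smtp"),
    Rule(LAN, SVC, MAIL, "pop3"),
    Rule(LAN, SVC, DNS_SRV, "dns"),
    # Service Net -> public Internet: only the DNS server may resolve out
    Rule(SVC, INET, ANY, "dns", src_host=DNS_SRV),
    # public Internet -> Service Net, specific destination and protocol
    Rule(INET, SVC, MAIL, "smtp"),
    Rule(INET, SVC, WEB, "http"),
    Rule(INET, SVC, WEB, "ftp"),
    # public Internet -> LAN: none. No rule is written; the cleanup rule
    # in evaluate() denies it.
]


def evaluate(flow: Flow, rulebase: List[Rule] = RULEBASE) -> str:
    """First matching rule wins; no match falls through to the cleanup
    rule: that which is not expressly permitted is denied."""
    for rule in rulebase:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


def audit(rulebase: List[Rule]) -> List[Tuple[Rule, str]]:
    """Check a rule base against two Standards before it is deployed:
    no Service Net -> LAN traffic and no Internet -> LAN traffic.
    Returns each offending allow rule with the standard it breaches."""
    findings = []
    for rule in rulebase:
        if rule.action != "allow":
            continue
        if rule.src_zone == SVC and rule.dst_zone == LAN:
            findings.append((rule, "service net must not originate traffic to the LAN"))
        if rule.src_zone == INET and rule.dst_zone == LAN:
            findings.append((rule, "no Internet-originated traffic to the LAN"))
    return findings


if __name__ == "__main__":
    # Sample flows (constructed); 198.51.100.0/24 is a documentation range.
    for flow in (Flow(LAN, INET, "198.51.100.7", "tcp", 443),
                 Flow(INET, LAN, "10.0.0.5", "tcp", 22),
                 Flow(SVC, LAN, "10.0.0.5", "tcp", 445, src_host=WEB)):
        print(flow, "->", evaluate(flow))
    print("audit findings:", audit(RULEBASE))
```

Running the block prints "allow" for the LAN-to-Internet HTTPS flow and "deny" for the two inbound flows, and the audit of the policy's own rule base returns no findings; appending a Service Net to LAN allow rule makes the audit flag it, which is the kind of check the yearly rule-base audit in the Enforcement section would perform. The model matches only the first packet of a connection: the FTP entry as written covers the control channel only, and permitting FTP's separate data connection is one reason production firewalls rely on stateful inspection rather than static port matches.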

Deployment

The security administrator will define the rule base and configure the firewall as defined above, in addition to other industry standard properties as appropriate.

Enforcement

Traffic patterns will be enforced by the firewall's technical controls as defined by the firewall administrator. Periodically, an external vulnerability assessment will be performed to verify the proper configuration of the firewall. Additionally, an independent third party will audit the configured firewall annually.

Modifications or Exceptions

Requests for modification of the firewall configuration must be submitted via e-mail to the security manager and the firewall administrator, accompanied by a justification and the duration of the requested change.

IP packets can have a Router Alert option appended to the IP header. This option is an IP option indicating that the router should inspect the packet further when forwarding the packet, even though the packet is not directly addressed to that router. The transit router for the packet should not just forward the packet by doing an IP lookup, but the router should inspect it further before forwarding it. What this inspection means is not defined and is up to the software implementation on the router. The Router Alert ...