The security policy document library: Firewall policy


Ed Tittel

In upcoming tips, I'll continue to discuss and to provide examples of what goes into formulating and publishing various elements within an organization's collection of security policy documents -- what I call "the security policy document library."

Today's topic is firewall policy, a document that describes requirements for an organization's firewalls. In fact, multiple such documents may be required in larger operations. It's not unthinkable to have separate enterprise-wide, site-specific, branch office, home office and traveling employee firewall documents, instead of a single, monolithic firewall document covering all potential boundary scenarios through which individual systems or internal networks connect to the Internet.

The contents of such a document must include numerous headings and address numerous topics, including the following:

  • A statement of purpose that indicates the document is intended to set standards and state rules and guidelines for firewalls, and the role(s) firewalls are intended to play within the organization.
  • The roles or types of individuals who may be authorized to install and manage firewalls should be identified, including terms like employees, vendors, contractors, agents, business partners and so forth. The types of computers or dedicated systems that may be used should also be specified to indicate whether only computers that belong to the organization may be used for such purposes or whether personally-owned or third-party machines may also be used.
  • Specify the types or kinds of firewalls to be used. This may require enumerating specific security appliances or firewall devices, or types of hardware configurations allowed, and what kind of software should be installed on them. Use of auxiliary or add-on components, such as content filters, proxies, VPN server software or other items should also be addressed.
  • A general section that states the user's obligation to honor other security policy requirements, meet legal obligations, adhere to information protection and confidentiality requirements, and so forth. This is where numerous other documents in the library will typically be invoked, including Acceptable Use Policies, Encryption Policy, VPN Policy and so forth.

  • A statement of requirements that must be met before a firewall can be deployed in a production environment, including access controls, baseline configurations, rules or filters for specific TCP and/or UDP ports, IP services and content restrictions where applicable, security and authentication details, and so forth. The idea is to create a minimum set of standards to ensure that firewalls impose the right kinds of barriers between the inside and outside worlds. It's also important to address issues related to requests from users to bypass firewall security (sometimes called "punching through the firewall") for specific protocols or services when outright filtering, blocks or proxy support would otherwise prevent their use.
  • Enforcement provisions, usually in the form of warnings about consequences for failing to adhere to policy, with specific penalties described for specific offenses.
  • Many such documents also include a glossary of all technical terms that appear in the text, to make it absolutely clear to users what's intended by the language used.
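As an added illustration (not part of the original tip), here is a small Python checker that encodes a baseline of the kind the requirements bullet describes (permitted inbound ports, a mandatory default deny, and documented "punch-through" exceptions with an expiry) and audits a constructed ruleset against it; the ticket ids, ports and dates are assumed placeholders.

```python
# Added example, not from the original tip: audit a constructed inbound firewall
# ruleset against a minimal policy baseline of the kind the tip describes.
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Rule:
    action: str                # "allow" or "deny"
    proto: str                 # "tcp", "udp" or "any"
    port: "int | None"         # None means all ports
    exception_id: str = ""     # change ticket if this rule is an approved exception

@dataclass
class Baseline:
    allowed_inbound: set       # {(proto, port), ...} permitted by policy
    exceptions: dict = field(default_factory=dict)   # exception id -> expiry date

def check_ruleset(rules, baseline, today):
    """Return the policy violations found in an ordered inbound ruleset."""
    violations = []
    last = rules[-1] if rules else None
    if last is None or (last.action, last.proto, last.port) != ("deny", "any", None):
        violations.append("final rule is not a default deny")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.port is None:
            violations.append(f"rule {i}: allow without a port restriction")
        elif (r.proto, r.port) not in baseline.allowed_inbound:
            # Outside the baseline: acceptable only as a documented, unexpired exception.
            expiry = baseline.exceptions.get(r.exception_id)
            if expiry is None:
                violations.append(f"rule {i}: {r.proto}/{r.port} allowed without an approved exception")
            elif expiry < today:
                violations.append(f"rule {i}: exception {r.exception_id} expired on {expiry}")
    return violations

# Constructed sample data; the ticket ids, ports and dates are placeholders.
BASELINE = Baseline(allowed_inbound={("tcp", 443), ("tcp", 22)},
                    exceptions={"CHG-0042": date(2030, 1, 1), "CHG-0007": date(2020, 1, 1)})
RULES = [
    Rule("allow", "tcp", 443),
    Rule("allow", "tcp", 22),
    Rule("allow", "udp", 5060, exception_id="CHG-0042"),  # approved and unexpired
    Rule("allow", "tcp", 3389, exception_id="CHG-0007"),  # exception has expired
    Rule("allow", "tcp", 8080),                           # no exception on file
    Rule("deny", "any", None),
]
AUDIT_DATE = date(2024, 6, 1)
```

Calling `check_ruleset(RULES, BASELINE, AUDIT_DATE)` reports the expired exception and the undocumented port 8080 rule, which is the kind of finding the enforcement section of the policy would then act on.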

Other elements common to security policy documents of all kinds include various sign-offs, revision dates, identification of responsible parties, feedback solicitation and so forth. Make these points a part of your overall policy document design, too.

For discussions and some examples of firewall policy documents, see:

Next time, I'll continue on with a description of what goes into formulating policy for virus handling and avoidance, and malware controls, and where to find some good examples of the same.

Please feel free to e-mail me with feedback, comments, or questions at etittel@yahoo.com.

About the author

Ed Tittel is VP of Content Services at iLearning, a CapStar company, and is based in Austin, Texas. As creator and series editor for Exam Cram 2, Ed's worked on numerous titles on Microsoft, Novell, CompTIA and security certifications, including Security+, CISSP and TICSA.
