Week 45: Firewall security tips


Shelley Bard, CISSP
10.28.2004




When
Whenever vulnerabilities that apply to your firewall are identified, and whenever patches or upgrades are applied. Review your firewall policies at least annually.

Why
When your organization's networks are connected to the Internet without adequate security measures, you are vulnerable to attack.

Strategy
In the limited space available here, I cannot possibly address how to secure a firewall. Instead, I'll note the considerations that go into doing so and point you to some useful resources. CNSS Instruction No. 4009, revised May 2003, National Information Assurance (IA) Glossary defines a firewall as a "system designed to defend against unauthorized access to or from a private network." I prefer CERT's definition: "A combination of hardware and software used to implement a security policy governing the network traffic between two or more networks, some of which may be under your administrative control (e.g., your organization's networks) and some of which may be out of your control (e.g., the Internet)."

A DMZ (Demilitarized Zone) is a perimeter network segment, bounded by firewalls, that sits logically between internal and external networks. Also called a "screened subnet," its purpose is to enforce the internal network's IA policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding internal networks from outside attacks. In some circles the DMZ is considered a part of the firewall, while other circles consider the DMZ the land of the sacrificial hosts. One way to think of a DMZ is as a group of hosts that are governed by their own security policy. That policy balances some of the strictest controls against public access and availability requirements.

When putting in a firewall, CERT recommends a four-part approach: prepare, configure, test and deploy.

Prepare: design the firewall system and write a firewall security policy for each firewall that identifies who is allowed to log in to it, configure it and update it. The policy should also spell out the logging and management practices.

Configure: this step is critical. Here you acquire the firewall hardware and software; acquire the documentation, training and support; install the hardware and software; and configure IP routing, packet filtering, and the logging and alert mechanisms. DISA's Network Infrastructure Security Checklist, Version 5 release 2.2, combines minimum security requirements and best practices designed to ensure a system is locked down as much as possible while still being useful. The Checklist requires, for example, that only firewalls with a Common Criteria (CC) Protection Profile evaluation of EAL4 or greater be placed in the network infrastructure; check the CC Protection Profile product ratings before you buy. The Checklist also discusses, among other things, which features of Cisco's IOS and Juniper's JUNOS should be enabled or disabled for a more secure network setup.

Test and deploy: test the firewall, then deploy the system into operation.

Considerations to fold into your planning and configuration include proxies, stateful inspection or dynamic packet filtering, network address translation, virtual private networks, IPv6 and other non-IPv4 protocols, network and host intrusion detection and prevention technologies, routing and route management, switching and virtual local area networks, and encryption technologies.
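The screened-subnet policy sketched in the two paragraphs above (firewall login restricted to named administrators, untrusted sources given restricted access to releasable DMZ information, the inside shielded, stateful inspection, and a test step before deployment) as a runnable model. This is an added example, not code from the article, CERT or DISA; the addresses, zones, ports and rule comments are assumptions chosen for illustration. It models first-match evaluation with an implicit final drop, which is how most firewall rule bases behave, plus a connection table for return traffic. It is a way to write down and exercise a rule base before typing it into an IOS or JUNOS box, not a firewall.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Set, Tuple

# Constructed example addressing (an assumption of this example, not taken from
# the article): RFC 1918 space inside, one /24 as the screened subnet, and every
# other address treated as the untrusted Internet.
INTERNAL = ip_network("10.0.0.0/8")
DMZ = ip_network("192.168.100.0/24")
ADMIN_NET = ip_network("10.0.99.0/24")     # the only subnet allowed to log in to the firewall
FIREWALL_SELF = ip_address("10.0.0.1")     # the firewall's own management address


def zone_of(addr: str) -> str:
    """Map an address to the zone the policy reasons about."""
    a = ip_address(addr)
    if a == FIREWALL_SELF:
        return "self"
    if a in DMZ:
        return "dmz"
    if a in INTERNAL:
        return "internal"
    return "external"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    sport: int = 40000
    new: bool = True    # True = first packet of a flow (SYN); False = later packet


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: Optional[str]                    # None = any protocol
    dports: frozenset                       # empty = any destination port
    action: str                             # "accept" or "drop"
    why: str                                # the policy statement the rule implements
    src_net: Optional[IPv4Network] = None   # optional narrower source match

    def matches(self, pkt: Packet) -> bool:
        if zone_of(pkt.src) != self.src_zone or zone_of(pkt.dst) != self.dst_zone:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in self.src_net:
            return False
        return True


# Rules are evaluated top to bottom, first match wins, and anything unmatched is
# dropped. Order therefore carries meaning: the admin-only login rule must come
# before the rule that denies all other access to the firewall itself.
POLICY = [
    Rule("internal", "self", "tcp", frozenset({22}), "accept",
         "firewall login only from the admin subnet", ADMIN_NET),
    Rule("internal", "self", None, frozenset(), "drop",
         "no other access to the firewall itself"),
    Rule("external", "dmz", "tcp", frozenset({80, 443}), "accept",
         "untrusted sources get restricted access to releasable information"),
    Rule("internal", "dmz", "tcp", frozenset({22, 80, 443}), "accept",
         "administration and testing of DMZ hosts"),
    Rule("dmz", "internal", "tcp", frozenset({5432}), "accept",
         "web tier may reach the database, nothing else inside"),
    Rule("internal", "external", "tcp", frozenset({80, 443}), "accept",
         "outbound web from the internal network"),
    Rule("internal", "external", "udp", frozenset({53}), "accept",
         "outbound DNS"),
    # No dmz->external rule: a compromised sacrificial host cannot call out.
    # No external->internal rule: the screened subnet shields the inside.
]


class Firewall:
    """Stateful first-match filter over a zone policy."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack: Set[Tuple[str, int, str, int, str]] = set()

    def inspect(self, pkt: Packet) -> Tuple[str, str]:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if not pkt.new:
            # Stateful inspection: a later packet is allowed only if it belongs
            # to a flow that was already accepted; no rule lookup is done.
            if fwd in self.conntrack or rev in self.conntrack:
                return "accept", "established flow"
            return "drop", "no matching state"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.conntrack.add(fwd)
                return rule.action, rule.why
        return "drop", "default deny"


if __name__ == "__main__":
    fw = Firewall(POLICY)
    for p in (Packet("203.0.113.5", "192.168.100.10", "tcp", 443),
              Packet("203.0.113.5", "192.168.100.10", "tcp", 22),
              Packet("192.168.100.10", "203.0.113.9", "tcp", 443),
              Packet("10.0.5.20", "10.0.0.1", "tcp", 22)):
        print(p.src, "->", p.dst, p.proto, p.dport, fw.inspect(p))
```

Two points the model makes explicit. Rule order matters: swap the first two rules and nobody can log in to the firewall, which is exactly the kind of mistake the test step exists to catch. And the absence of a dmz-to-external rule is a deliberate policy choice, so that a compromised sacrificial host cannot initiate connections outward; when a DMZ host genuinely needs outbound access (patch mirrors, DNS), add a narrow rule for that host and port rather than a blanket one.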

More information
Helpful checklists can be found at the NIST Web page. A nifty feature of this page is a sign-up for e-mail notifications when a checklist or implementation guide has been updated. And William R Cheswick & Steven M Bellovin's "Firewalls and Internet Security" will help you appreciate how far we've come and yet how little we've accomplished in firewall technology and practices in 10 years.

About the author
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments.

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.







SearchSecurity.com, TechTarget. Copyright 2003 - 2009, TechTarget.