Security policies: Firewall policy


Ed Tittel
09.02.2003
In upcoming tips, I'll continue to discuss and to provide examples of what goes into formulating and publishing various elements within an organization's collection of security policy documents -- what I call "the security policy document library."

Today's topic is firewall policy, a document that describes requirements for an organization's firewalls. In fact, multiple such documents may be required in larger operations. It's not unthinkable to have separate enterprise-wide, site-specific, branch office, home office and traveling employee firewall documents, instead of a single, monolithic firewall document covering all potential boundary scenarios through which individual systems or internal networks connect to the Internet.

Such a document needs to cover a number of headings and topics, including the following:

  • A statement of purpose: the document sets standards, rules and guidelines for firewalls, and states the role(s) firewalls are intended to play within the organization.
  • Who may install and manage firewalls: identify the roles or types of individuals authorized to do so (employees, vendors, contractors, agents, business partners and so forth), and specify the computers or dedicated systems they may use, including whether only machines that belong to the organization qualify or whether personally owned or third-party machines are also permitted.
  • What kinds of firewalls may be used: enumerate approved security appliances or firewall devices, the hardware configurations allowed, and the software to be installed on them. Auxiliary or add-on components, such as content filters, proxies, VPN server software and other items, should be addressed here as well.
  • A general section stating the user's obligation to honor other security policy requirements, meet legal obligations, adhere to information protection and confidentiality requirements, and so forth. This is where many other documents in the library are invoked, including the Acceptable Use Policy, Encryption Policy, VPN Policy and so forth.
  • Requirements a firewall must meet before it may be deployed in a production environment: access controls, baseline configurations, rules or filters for specific TCP and/or UDP ports, IP services and content restrictions where applicable, security and authentication details, and so forth. The idea is to define a minimum set of standards that ensures firewalls impose the right kinds of barriers between the inside and outside worlds. This section should also define how users request that a specific protocol or service be let through ("punching through the firewall") when filtering, blocks or proxy support would otherwise prevent its use: who approves the exception, how it is recorded, and when it expires, so that it is reviewed rather than left in place indefinitely.
  • Enforcement provisions, usually in the form of warnings about the consequences of failing to adhere to the policy, with specific penalties described for specific offenses.
  • A glossary of the technical terms used in the text, so that it is absolutely clear to users what the language means. Many such documents include one.
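The "minimum set of standards" in the requirements section only earns its keep if it can be checked against what a firewall actually enforces. The following Python script is an added example, not code from the original article: it parses a simple rule format, encodes a hypothetical baseline (Internet-facing services limited to TCP 80 and 443, management ports never exposed to external sources, a default-deny rule last, and every other inbound allow rule tagged with an approved exception and an expiry date) and reports deviations. The rule syntax, the baseline constants, the `exception:... expires:...` comment convention and the sample ruleset are all assumptions made for this example; a real check would read the export format of the firewall in use.

```python
"""Check a firewall ruleset against a written firewall-policy baseline.

Added example, not from the original article. The rule format, the baseline
constants, the 'exception:... expires:...' comment convention and the sample
ruleset are all constructed for illustration; adapt parse_rules() to whatever
your firewall actually exports.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "any"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # destination port number or "any"
    comment: str  # free text; approved exceptions are recorded here


# Hypothetical baseline standing in for the policy's "minimum set of standards".
ALLOWED_INBOUND = {("tcp", "80"), ("tcp", "443")}   # exposed to the Internet without an exception
MANAGEMENT_PORTS = {"22", "3389"}                    # never reachable from external sources
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
EXCEPTION_RE = re.compile(r"exception:(\S+)\s+expires:(\d{4}-\d{2}-\d{2})")


def parse_rules(text):
    """Parse one rule per line: '<action> <proto> <src> <dst> <dport> [# comment]'."""
    rules = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            continue
        if len(fields) != 5:
            raise ValueError(f"malformed rule: {raw.strip()!r}")
        action, proto, src, dst, dport = fields
        rules.append(Rule(action.lower(), proto.lower(), src, dst, dport, comment.strip()))
    return rules


def is_external(src):
    """True when a source is 'any' or lies outside the internal address space."""
    if src == "any":
        return True
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def check_ruleset(rules, today):
    """Return policy findings as strings; an empty list means the baseline is met."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == "any"
                            and last.dst == "any" and last.dport == "any"):
        findings.append("no default-deny rule at the end of the ruleset")
    for i, r in enumerate(rules, start=1):
        catch_all = r.src == "any" and r.dst == "any" and r.dport == "any"
        if r.action != "allow":
            if catch_all and i < len(rules):
                findings.append(f"rule {i}: rules after this deny-all are unreachable")
            continue
        if catch_all:
            findings.append(f"rule {i}: allow-all rule violates the default-deny baseline")
            continue
        if not is_external(r.src):
            continue   # internal-to-internal traffic is governed by other parts of the baseline
        if r.dport in MANAGEMENT_PORTS:
            findings.append(f"rule {i}: management port {r.dport} exposed to external sources")
            continue
        if (r.proto, r.dport) in ALLOWED_INBOUND:
            continue
        m = EXCEPTION_RE.search(r.comment)
        if m is None:
            findings.append(f"rule {i}: inbound {r.proto}/{r.dport} is outside the baseline "
                            "and carries no approved exception")
        elif date.fromisoformat(m.group(2)) < today:
            findings.append(f"rule {i}: exception {m.group(1)} expired on {m.group(2)}")
    return findings


def audit(text, today_iso):
    """Convenience wrapper: parse, check, and return findings for a given review date."""
    return check_ruleset(parse_rules(text), date.fromisoformat(today_iso))


# Constructed sample ruleset; the review date is fixed so the result is reproducible.
SAMPLE_RULES = """
allow tcp any 10.0.1.10/32 443          # public web server
allow tcp any 10.0.1.10/32 80           # redirects to https
allow tcp any 10.0.2.5/32 22            # "temporary" admin access, never reviewed
allow udp any 10.0.3.7/32 5060          # exception:CHG-4481 expires:2003-12-31
allow tcp any 10.0.3.8/32 8443          # exception:CHG-4490 expires:2004-06-30
allow tcp 10.0.0.0/8 10.0.9.0/24 1433   # internal database access
deny any any any any                    # default deny
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, "2004-01-15"):
        print(finding)
```

Run against the sample with a review date of 2004-01-15, the script reports two findings: the SSH rule exposes a management port to any source, and the SIP exception expired two weeks earlier. The 8443 rule passes because its exception is still valid, and the internal database rule is skipped because the baseline here governs only the boundary with the outside world. The point of tying every non-baseline allow rule to a ticket and an expiry date is that "punch-through" requests become reviewable records instead of permanent holes.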

Other elements common to security policy documents of all kinds include various sign-offs, revision dates, identification of responsible parties, feedback solicitation and so forth. Make these points a part of your overall policy document design, too.

For discussions and some examples of firewall policy documents, see:

Next time, I'll continue with a description of what goes into formulating policy for virus handling and avoidance and for malware controls, and where to find some good examples of the same.

Please feel free to e-mail me with feedback, comments, or questions at etittel@yahoo.com.

About the author

Ed Tittel is VP of Content Services at iLearning, a CapStar company, and is based in Austin, Texas. As creator and series editor for Exam Cram 2, Ed's worked on numerous titles on Microsoft, Novell, CompTIA and security certifications, including Security+, CISSP and TICSA.





All Rights Reserved, Copyright 2000 - 2009, TechTarget | Read our Privacy Policy