Date Submitted: 06/18/05
Enclave Boundary Defense Policy
Added by Papergrl
By: Mitchell Rowton

Purpose

This policy presents the required administrative and technical steps to ensure secure communication among network enclaves within the Company network. Two guiding themes in the Company's use of firewalls are Defense in Depth (DiD) and the Principle of Least Access.

Scope

This policy includes the use of firewalls, router access control lists, and other hardware or software that restricts network access. This policy does not include defining the security classification of enclaves.

Terms

Enclave: For the purpose of this policy, an enclave is defined as a system which requires an independent security classification from other systems. Example enclaves include DMZ(s), server networks, host networks, or extranet systems.

Firewall: For the purpose of this policy, a firewall is any device that is used to restrict access among enclaves.

Policy

Principle of Least Access: All network traffic not specifically needed to conduct Company business will be denied by the firewall.

Defense in Depth (DiD): Firewalls cannot be placed only at the perimeter of the Company network; firewalls must also be placed strategically among enclaves within the Company network wherever management decides that the benefits of this protection outweigh the resources involved in installing and managing the firewall.

Perimeter: Every connection between a Company-controlled network and a non-Company-controlled network must use a firewall.

VPN: Firewalls cannot examine network traffic that is encrypted inside a Virtual Private Network (VPN); therefore, VPNs will be terminated in such a way that at least one firewall can enforce the Company's security requirements upon this traffic.

Firewall Criteria: When enforcing access restrictions, firewalls must examine the network source address, the network destination address, the protocol session, and, to some extent, the application in use.

Logging: Firewalls must log all denied traffic and all traffic originating from untrusted or less trusted networks, including Internet and extranet traffic destined for a Company-controlled network.

Retention: Firewall logs must be maintained online for at least 7 days and offline for at least 30 days.

Rules: Firewall rules must be tracked and audited semiannually to ensure that unneeded rules are removed.

Changes: Firewall changes must be approved by management; in addition, all firewall changes must follow a procedure that ensures verification, tracking, and retention.

Unused services: Any unused network services or applications should be removed from or disabled on the firewall.

Unused system accounts: Any unused user or system accounts should be removed or disabled.

Unused physical interfaces: Unused physical interfaces should be shut down or removed from the firewall.

Patches: Firewalls must have all relevant operating system and software patches installed. Firewall patches must always be tested on non-production systems prior to rollout to any production system.

Time: In order to accurately audit and analyze firewall logs, the firewall's clock must be synchronized with a known accurate time source.

Availability: Firewall availability is considered critical. All firewalls should have routine backups performed. All firewalls must have a hot standby or secondary failover firewall in case the primary firewall becomes unavailable.

Procedures: Detailed procedures covering firewall installation, configuration management, change control, and operations will be maintained and audited on a semiannual basis.

Responsibilities

Corporate Security Officers are responsible for:
Line Management is responsible for:
The Information Technology Group is responsible for:
