Writing a security policy is a logical progression of steps. Briefly, the structure of the policy should include the following:
- Introduction. In this section, you should state the purpose of this policy. What is the objective of the policy? Why it is important to the organization?
- Guidelines. In this section, you should detail guidelines for choosing controls to meet the objectives of the policy. These are the basic requirements. Typically, you will see the word should in these statements.
- Standards. In this section, you should detail the standards for implementing and deploying the selected controls. For example, this section will state the initial configuration or firewall architecture. This section tends to detail the requirements given in the meeting with the interested departments and business units. This section is written with the words such as, “It is the policy that… .”
- Procedures. In this section, you should detail the procedures for maintaining the security solution, such as how often the logs should be reviewed and who is authorized to make changes.
- Deployment. The purpose of the deployment section is to assign responsibilities and specific steps for implementation of the policy. Think of it as a mini project plan. In a perimeter network security policy, this section translates the standards and guidelines into language the security administrator can enforce on the firewall.
- Enforcement. Although many policies lack this component, all policies require a method for enforcement. A popular and effective method for enforcement is auditing. In this section, you could state that the firewall rule base would be subject to an external audit yearly. In addition, this section should detail the enforcement and consequences if someone was to circumvent the firewall or its rules.
- Modification. or exceptions No policy is perfect, and the policy may require modifications or exceptions. In this section, you should detail the methods for obtaining modifications to the policy or exceptions.
The following series of headings could be considered a sample of a perimeter network security policy.
Due to Company X’s required connection and access to the public Internet, it is essential that a strong perimeter firewall exist that sufficiently separates the internal private LAN of CompanyX and the public Internet. The firewall should provide preventative and detective technical controls for access between the two networks.
The implementation of any firewall technology should follow these basic rules:
- The firewall should allow for filtering of communication protocols based on complex rule sets.
- The firewall should provide extensive logging of traffic passed and blocked.
- The firewall should be the only entry and exit point to the public Internet from the CompanyX LAN.
- The firewall operating system should be sufficiently hardened to resist both internal and external attacks.
- The firewall should fail closed.
- The firewall should not disclose the internal nature, names, or addressing of the CompanyX LAN.
- The firewall should only provide firewall services. No other service or application should be running on the firewall.
The implementation of any firewall must follow these basic rules:
- It is the policy that only the identified firewall administrator is allowed to make changes to the configuration of the firewall.
- It is the policy that all firewalls must follow the default rule: That which is not expressly permitted is denied.
In addition, the following standards for perimeter networks are as follows:
- The deployment of public services and resources shall be positioned behind the firewall in a protected service net.
- The firewall shall be configured to disallow traffic that originates in the service net to the general LAN.
- Any application or network resource residing outside the firewall and accessible by unauthorized users requires a banner.
Firewall will be configured to allow traffic as defined here:
- TCP/IP suite of protocols allowed through the firewall from the inside LAN to the public Internet is as follows:
- HTTP to anywhere
- HTTPS to anywhere
- TCP/IP suite of protocols allowed through the firewall from the inside LAN to the Service Net is as follows:
- HTTP to Web server
- SMTP to Mail server
- POP3 to Mail server
- DNS to DNS server
- TCP/IP suite of protocols allowed through the firewall from the Service Net to the public Internet is as follows:
- DNS from DNS server to anywhere
- TCP/IP suite of protocols allowed through the firewall from the public Internet to the LAN is as follows:
- TCP/IP suite of protocols allowed through the firewall from the public Internet with specific source, destination, and protocols is as follows:
- SMTP to Mail server
- HTTP to Web server
- FTP to Web server
The security administrator will define the rule base and configure the firewall as defined above, in addition to other industry standard properties as appropriate.
Traffic patterns will be enforced by the firewall’s technical controls as defined by the firewall administrator. Periodically, an external vulnerability assessment will be performed to assure the proper configuration of the firewall. Additionally, an independent third party will annually audit the configured firewall.
Modifications or Exceptions
Request for modification to the firewall configuration must be submitted via e-mail to the security manager and firewall administrator, accompanied by justification and the duration of the requested change.