About Us

Home > Focus > Full Story

Enforcing a corporate security policy

How you can tackle enterprise security issues with adequate firewalls and access control along the guidelines of a well-framed security policy. by Rakesh Raghudharan

Logs shall be automatically analyzed with critical errors generating alarms

The core of corporate security policy design revolves around the network, the computer, and remote access policies along with the incident handling functions. The corporate policy document should provide a sound reference point for the policy administrator, so that the implementation and adherence becomes easy.

Network policy

A significant threat to security arises when information is transmitted between computers. A well-defined network policy is a must before a firewall or another tool is implemented. There are two levels of network policy that directly influences the design, installation and use of a firewall system. The higher-level policy is an issue-specific, network access policy that defines those services that will be allowed or explicitly denied from the restricted network. How these services will be used and the conditions for usage are exceptions to this policy. The lower level policy describes how the firewall will actually go about restricting the access and filtering the services that were defined in the higher-level policy.

Baseline system architecture
This is the process of auditing and documenting the physical and logical architecture of the system. During this audit, you can gather information regarding hardware platforms, operating systems, DBMSs (DataBase Management Systems), applications (functional uses), network type/architecture, and connectivity. In a nutshell, you gather a thorough understanding of the system architecture.

The result is a complete diagram of the system at the functional level and a description of all major hardware and software resources functions. This information is critical in developing a security policy that can be integrated and implemented. Tools such as network diagramming tools, lists, and matrices are all used during this process.

Review existing policies/ procedures
You should examine any existing security relevant policies, procedures, or guidelines to understand the current requirement. An existing document can become the starting point for your enterprise wide security policy.

Service access policy
The service access policy should focus on the Internet, its specific use issues, and all outside network access like dial-in policy, SLIP and PPP connections. For a firewall to be successful, the service access policy must be realistic and sound, and should be drafted before implementing a firewall. If a firewall system denies or restricts services, it usually requires the strength of the service access policy to prevent the firewall's access control from being modified.

Only a managed and backed sound policy can provide this. A firewall can implement number of service access policies, however a typical policy may be to allow no access to a site from the Internet but, allow access from the site to the Internet. Another typical policy would be to allow access form the Internet, but only to selected systems such as public information servers and e-mail servers. Firewalls always implement service access policies that allow some user access from the Internet to selected internal hosts, but this access would be granted only if necessary and only if it could be combined with advanced authentication.

Firewall design
The firewall design policy defines the rules used to implement the service access policy. Firewalls generally implement one of the two basic design policies. The policies are:

  • Permit any service unless it is expressly denied, and deny any service unless it is expressly permitted.
  • A firewall that implements the first policy allows all services to pass into the site by default.
  • With the exception of those services that the service access policy has identified as disallowed.
  • A firewall that implements the second policy denies all services by default, but passes those services that have been identified as allowed.
  • This second policy follows the classic access model used in all areas of information security.
  • The first policy is less desirable, since it offers more avenues for getting around the firewall.
  • The second policy is stronger and safer, but it is more difficult to implement and may impact users more because services like the ones mentioned above may have to be blocked or restricted more heavily.
  • The effectiveness of the firewall system in protecting the network depends on the type of implementation, the use of proper firewall procedures, and the service access policy.
  • The service access policy is the most significant component of the four policies mentioned.
  • The other three components are used to implement and enforce the policy.

How Firewalls tackle the security issues
Setting restrictions on packet traversing the Firewall, based on protocol type, destination address, user origin address , port number, time of day, URLs, etc.

  • Hiding the internal network numbering scheme-port address translation, network address translation.
  • Http content filtering, Java, active X, URL, keyword content.
  • Scanning for viruses on incoming data streams.

The firewall design policy is generally to deny all services except those that are explicitly permitted or to permit all services except those that are explicitly denied. The former is more secure and is therefore preferred, but it is also more stringent and causes fewer services to be permitted by the service access policy. The firewall design policy start with the most secure. i.e., deny all services except those that are explicitly permitted. The following documentation should be done for an efficient firewall policy to be set up:

  • What all Internet services the corporate plans to use? e.g: TELNET, www, mail, nfs, etc.
  • Where the services will be used, e.g., on a local basis, across the Internet, dial in from home, or from remote organizations.
  • Additional need such as encryption or dial in support.
  • What are the risks associated with providing these services and access?
  • What is the cost in terms of controls and impact on network usability to provide protection?
  • Assumptions about security versus usability: addressing if security wins out if a particular service is too risky or too expensive to secure.

The parameters Assurance:
The firewall policy and configuration should be accurately documented and the firewall devices must be subject to regular monitoring and yearly audits.

Identification and authentication:
Strong authentication systems are used for the incoming user connections from the Internet like one time passwords, challenge-response, and use of certificates. The administrative accounts also use encrypted login sessions or one-time password mechanisms.

Accountability and Audit:

  • Firewall devices and Proxy Machines should be securely installed.
  • All unnecessary services would be stopped in the operating system.
  • The Firewall logs should be archived at least for one year and should be detail in nature on a dedicated server.
  • Logs shall be automatically analyzed with critical errors generating alarms.

Access Control :

  • All Internet access from the corporate network must occur over proxies situated in a Firewall.
  • Classified content should not be sent out by mail or FTP.
  • Default configuration: unless otherwise specified, services are forbidden.
  • All users are allowed to exchange e-mail with the Internet.
  • R&D department users are allowed to use World Wide Web and ftp (over proxies). Other users require authorization.
  • Users may not provide services to the Internet.
  • Research and development departments requiring full Internet access for experimental services should not install these services on the corporate network, but on a separate network outside the Firewall.
  • Users should not be able to logon directly onto Firewall machines.
  • Internet access to illicit material should be prevented where possible.

Rakesh Raghudharan can be reached at rakeshraghudharan@rediffmail.com

Page 1 2


- <Back to Top>-  

Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD