> Focus > Full Story
a corporate security policy
you can tackle enterprise security issues with adequate
firewalls and access control along the guidelines of a well-framed
security policy. by Rakesh Raghudharan
shall be automatically analyzed with critical errors generating
core of corporate security policy design revolves around
the network, the computer, and remote access policies along
with the incident handling functions. The corporate policy
document should provide a sound reference point for the
policy administrator, so that the implementation and adherence
A significant threat to security arises when information
is transmitted between computers. A well-defined network
policy is a must before a firewall or another tool is implemented.
There are two levels of network policy that directly influences
the design, installation and use of a firewall system. The
higher-level policy is an issue-specific, network access
policy that defines those services that will be allowed
or explicitly denied from the restricted network. How these
services will be used and the conditions for usage are exceptions
to this policy. The lower level policy describes how the
firewall will actually go about restricting the access and
filtering the services that were defined in the higher-level
Baseline system architecture
This is the process of auditing and documenting the
physical and logical architecture of the system. During
this audit, you can gather information regarding hardware
platforms, operating systems, DBMSs (DataBase Management
Systems), applications (functional uses), network type/architecture,
and connectivity. In a nutshell, you gather a thorough understanding
of the system architecture.
The result is a complete diagram of the system at the functional
level and a description of all major hardware and software
resources functions. This information is critical in developing
a security policy that can be integrated and implemented.
Tools such as network diagramming tools, lists, and matrices
are all used during this process.
Review existing policies/ procedures
You should examine any existing security relevant policies,
procedures, or guidelines to understand the current requirement.
An existing document can become the starting point for your
enterprise wide security policy.
Service access policy
The service access policy should focus on the Internet,
its specific use issues, and all outside network access
like dial-in policy, SLIP and PPP connections. For a firewall
to be successful, the service access policy must be realistic
and sound, and should be drafted before implementing a firewall.
If a firewall system denies or restricts services, it usually
requires the strength of the service access policy to prevent
the firewall's access control from being modified.
Only a managed and backed sound policy can provide this.
A firewall can implement number of service access policies,
however a typical policy may be to allow no access to a
site from the Internet but, allow access from the site to
the Internet. Another typical policy would be to allow access
form the Internet, but only to selected systems such as
public information servers and e-mail servers. Firewalls
always implement service access policies that allow some
user access from the Internet to selected internal hosts,
but this access would be granted only if necessary and only
if it could be combined with advanced authentication.
The firewall design policy defines the rules used to
implement the service access policy. Firewalls generally
implement one of the two basic design policies. The policies
Permit any service unless it is expressly denied, and
deny any service unless it is expressly permitted.
A firewall that implements the first policy allows all
services to pass into the site by default.
With the exception of those services that the service
access policy has identified as disallowed.
A firewall that implements the second policy denies
all services by default, but passes those services that
have been identified as allowed.
This second policy follows the classic access model
used in all areas of information security.
The first policy is less desirable, since it offers
more avenues for getting around the firewall.
The second policy is stronger and safer, but it is more
difficult to implement and may impact users more because
services like the ones mentioned above may have to be
blocked or restricted more heavily.
The effectiveness of the firewall system in protecting
the network depends on the type of implementation, the
use of proper firewall procedures, and the service access
The service access policy is the most significant component
of the four policies mentioned.
The other three components are used to implement and
enforce the policy.
How Firewalls tackle the security issues
Setting restrictions on packet traversing the Firewall,
based on protocol type, destination address, user origin
address , port number, time of day, URLs, etc.
Hiding the internal network numbering scheme-port address
translation, network address translation.
Http content filtering, Java, active X, URL, keyword
Scanning for viruses on incoming data streams.
The firewall design policy is generally to deny all services
except those that are explicitly permitted or to permit
all services except those that are explicitly denied. The
former is more secure and is therefore preferred, but it
is also more stringent and causes fewer services to be permitted
by the service access policy. The firewall design policy
start with the most secure. i.e., deny all services except
those that are explicitly permitted. The following documentation
should be done for an efficient firewall policy to be set
What all Internet services the corporate plans to use?
e.g: TELNET, www, mail, nfs, etc.
Where the services will be used, e.g., on a local basis,
across the Internet, dial in from home, or from remote
Additional need such as encryption or dial in support.
What are the risks associated with providing these services
What is the cost in terms of controls and impact on
network usability to provide protection?
Assumptions about security versus usability: addressing
if security wins out if a particular service is too
risky or too expensive to secure.
The parameters Assurance:
The firewall policy and configuration should be accurately
documented and the firewall devices must be subject to regular
monitoring and yearly audits.
Identification and authentication:
Strong authentication systems are used for the incoming
user connections from the Internet like one time passwords,
challenge-response, and use of certificates. The administrative
accounts also use encrypted login sessions or one-time password
Accountability and Audit:
Firewall devices and Proxy Machines should be securely
All unnecessary services would be stopped in the operating
The Firewall logs should be archived at least for one
year and should be detail in nature on a dedicated server.
Logs shall be automatically analyzed with critical errors
Access Control :
All Internet access from the corporate network must
occur over proxies situated in a Firewall.
Classified content should not be sent out by mail or
Default configuration: unless otherwise specified, services
All users are allowed to exchange e-mail with the Internet.
R&D department users are allowed to use World Wide
Web and ftp (over proxies). Other users require authorization.
Users may not provide services to the Internet.
Research and development departments requiring full
Internet access for experimental services should not
install these services on the corporate network, but
on a separate network outside the Firewall.
Users should not be able to logon directly onto Firewall
Internet access to illicit material should be prevented
Raghudharan can be reached at firstname.lastname@example.org