Author: Rich Selvidge, CISSP / Last Updated: 8/11/22
Reviewed By: Michael Swanagan, CISSP, CISA, CISM
Firewall: Any hardware and/or software designed to examine network traffic using policy statements (ruleset) to block unauthorized access while permitting authorized communications to or from a network or electronic equipment.
Firewall configuration: The system setting affecting the operation of a firewall appliance.
Firewall ruleset: A set of policy statements or instructions used by a firewall to filter network traffic.
Host firewall: A firewall application that addresses a separate and distinct host, such as a personal computer.
Internet Protocol (IP): Primary network protocol used on the Internet.
Network firewall: A firewall appliance attached to a network for the purpose of controlling traffic flows to and from single or multiple hosts or subnet(s).
Network topology: The layout of connections (links, nodes, etc.) of a computer network.
Simple Mail Transfer Protocol (SMTP): An Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks.
Virtual private network (VPN): A network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with private, secure access to their organization’s network.
{COMPANY-NAME} operates network firewalls between the Internet and its private internal network to create a secure operating environment for {COMPANY-NAME}’s computer and network resources. A firewall is just one element of a layered approach to network security.
This policy governs how the firewalls will filter Internet traffic to mitigate the risks and losses associated with security threats to {COMPANY-NAME}’s network and information systems.
The firewall will (at minimum) perform the following security services:
All network firewalls, installed and implemented, must conform to the current standards as determined by {COMPANY-NAME}’s IT Department. Unauthorized or non-standard equipment is subject to immediate removal, confiscation, and/or termination of network connectivity without notice.
The approach adopted to define firewall rulesets is that all services will be denied by the firewall unless expressly permitted in this policy.
The firewalls will protect against:
A change control process is required before any firewall rules are modified. Prior to implementation, the Third Party Vendor and {COMPANY-NAME} network administrators are required to have the modifications approved by the Director of IT or the VP of IT. All related documentation is to be retained for three (3) years.
All firewall implementations must adopt the position of “least privilege” and deny all inbound traffic by default. The ruleset should be opened incrementally to only allow permissible traffic.
Firewall rulesets and configurations require periodic review to ensure they afford the required levels of protection:
{COMPANY-NAME} must review all network firewall rulesets and configurations during the initial implementation process and periodically thereafter.
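The least-privilege and periodic-review requirements above can be partly automated. The following is an added example (not PurpleSec's code or any vendor's tool) that checks a ruleset for a deny-by-default policy, for allow rules open to every port from any source, and for rules that can never match because an earlier, broader rule shadows them; it assumes a simplified constructed rule format with first-match semantics.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One simplified firewall rule (constructed format; first match wins)."""
    action: str   # "allow" or "deny"
    src: str      # CIDR string or "any"
    dst: str      # CIDR string or "any"
    proto: str    # "tcp", "udp", "icmp" or "any"
    port: str     # destination port as a string, or "any"


def _field_covers(broad: str, narrow: str) -> bool:
    """True if the broad field value matches everything the narrow value matches."""
    if broad in (ANY, narrow):
        return True
    try:  # CIDR containment for address fields; non-address fields never get here
        return ip_network(broad).supernet_of(ip_network(narrow))
    except (ValueError, TypeError):
        return False


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matching `narrow` would already match `broad`."""
    return all(_field_covers(getattr(broad, f), getattr(narrow, f))
               for f in ("src", "dst", "proto", "port"))


def review_ruleset(rules: list, default_action: str) -> list:
    """Return review findings; an empty list means every check passed."""
    findings = []
    if default_action != "deny":
        findings.append(f"default action is '{default_action}', policy requires deny")
    for i, rule in enumerate(rules, 1):
        if rule.action == "allow" and rule.src == ANY and rule.port == ANY:
            findings.append(f"rule {i}: allows every port from any source")
        for j in range(i - 1):  # earlier rules shadow later ones they fully cover
            if covers(rules[j], rule):
                findings.append(f"rule {i}: never matched, shadowed by rule {j + 1}")
                break
    return findings


# Constructed sample ruleset for the review (documentation addresses, not real hosts).
SAMPLE_RULES = [
    Rule("allow", "any", "192.0.2.10/32", "tcp", "443"),              # public web server
    Rule("allow", "198.51.100.0/24", "192.0.2.10/32", "tcp", "22"),   # admin subnet only
    Rule("allow", "any", "192.0.2.10/32", "tcp", "443"),              # stale duplicate of rule 1
    Rule("allow", "any", "192.0.2.0/24", "any", "any"),               # violates least privilege
]

if __name__ == "__main__":
    for finding in review_ruleset(SAMPLE_RULES, "deny"):
        print(finding)
```

Running the sample reports rule 3 as shadowed by rule 1 and rule 4 as too permissive, the two kinds of finding a ruleset review should surface before the change is approved.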
Firewall rulesets and configurations must be backed up frequently to alternate storage (not on the same device). Multiple generations must be captured and retained, to preserve the integrity of the data, should restoration be required.
Access to rulesets and configurations and backup media must be restricted to those responsible for administration and review.
The IT Department is responsible for implementing and maintaining {COMPANY-NAME} firewalls, as well as for enforcing and updating this policy. Logon access to the firewall will be restricted to a primary firewall administrator and designees as assigned. Password construction for the firewall will be consistent with the strong password creation practices outlined in the {COMPANY-NAME} Password Policy.
The specific guidance and direction for information systems security is the responsibility of IT. Accordingly, IT will manage the configuration of the {COMPANY-NAME} firewalls.
{COMPANY-NAME} has contracted with a Third Party Vendor to manage the external firewalls. This vendor will be responsible for:
Rich Selvidge is the Chief Information Security Officer at PurpleSec, providing singular accountability for all information security controls in the company. He brings over 21 years of information technology and security risk management experience.