How to Deploy Firewalls

1.0 Identification Data
1.1 BSP Number
00009
1.2 BSP Title/Name
How to Deploy Firewalls
1.3 Version Number
1.1
1.4 Adoption Date
02/16/2001
1.5 Approving Authority
CIO Council Security Practices Subcommittee (SPS)
1.6 Responsible Organization
Carnegie Mellon University
Software Engineering Institute
Networked Systems Survivability Program
1.7 Level of BSP
Candidate
1.8 Security Processes or other Framework(s) Supported
Technical Security/Install & Turn on Firewall Controls (SPF 6.2.8; NIST SP800-14, par. 3.4.4)
1.9 Reserved
1.10 Points of Contact
BSP Owner:
Julia Allen
Carnegie Mellon University
Software Engineering Institute
4500 Fifth Avenue
Pittsburgh, PA 15213
Telephone: 412-268-6760
Fax: 412-268-4823
Email: jha@sei.cmu.edu
2.0 What This BSP Does
2.1 BSP's Purpose
This BSP discusses guidelines for designing, installing, and deploying simple packet-filtering firewalls. It does not cover policy, product selection, or operations. Advanced firewall capabilities (e.g., proxies, stateful (dynamic) packet filtering, network address translation, etc.) are covered only briefly, as design considerations.
The steps are platform and OS independent. Product-specific documentation should be referenced for detailed implementation guidance.
The described approach has been used by the SEI’s Networked Systems Survivability (NSS) Program.
2.2 Requirements for this BSP
SEI NSS Program security policy. [Proprietary based on NSS and CERT/CC mission.]
2.3 Success Stories
Not applicable.
3.0 What This BSP Is
3.1 Description of BSP
A more complete description of this BSP can be found in the Deploying Firewalls security improvement module (http://www.cert.org/security-improvement/modules/m08.html).
Area        Recommended Practice
Prepare     1. Design the firewall system (5 steps).
Configure   2. Acquire firewall hardware and software (4 steps).
            3. Acquire firewall documentation, training, and support (2 steps).
            4. Install firewall hardware and software (5 steps).
            5. Configure IP routing (2 steps).
            6. Configure firewall packet filtering (3 steps).
            7. Configure firewall logging and alert mechanisms (4 steps).
Test        8. Test the firewall system (10 steps).
Deploy      9. Install the firewall system (2 steps).
            10. Phase the firewall system into operation (3 steps).
3.2 Relationship to Other BSPs
Not applicable at this time
4.0 How To Use This BSP
4.1 Implementation Guidance
There is a wide range of topics related to the design, installation, and deployment of firewalls that are not covered in detail in this BSP. These include:
  • the creation of a detailed security policy including the policy to be enforced by the firewall
  • the evaluation and selection of specific firewall products
  • post-deployment operation and maintenance of firewalls
  • the design and deployment of more advanced firewall capabilities, such as
    - proxies (including SOCKS)
    - stateful inspection or dynamic packet filtering
    - network address translation
    - virtual private networks
    - Internet Protocol version 6 or other non-Internet Protocol version 4 protocols
    - network and host intrusion detection technologies
  • networking fundamentals, such as
    - specific Internet protocols
    - routing and route management
    - switching and VLANs (virtual local area networks)
  • system management fundamentals, such as
    - operating systems installation and maintenance
    - application software installation and maintenance
    - host intrusion detection technologies
  • cryptography and encryption technologies

Many of these topics are covered in other firewall references, several of which are included in the reference section of the SEI’s security improvement module.

4.2 Implementation Resource Estimates
Detailed estimates were not collected during the SEI NSS firewall deployment. However, the following rough order-of-magnitude timeframes represent the calendar time required by 1 staff member, working on the firewall deployment on an approximately half-time basis, to implement each of the practices described in Section 3.1:
1. Design the firewall system: 3 months
2. Acquire firewall hardware and software: 2 months
3. Acquire firewall documentation, training, and support: 1 month
4. Install firewall hardware and software: 1 month
5. Configure IP routing: 1 week
6. Configure firewall packet filtering: 3 weeks
7. Configure firewall logging and alert mechanisms: 2 weeks
8. Test the firewall system: 2 weeks
9. Install the firewall system: 1 week
10. Phase the firewall system into operation: 2-3 months
4.3 Performance Goals and Indicators (Metrics)
A variety of network monitoring and intrusion detection tools were used to verify proper firewall performance. These included snort, tcpdump, nmap, and syslog analysis. These tools can be used to verify whether the deployed firewall accepts, rejects, or denies packets as specified by the policy guiding its deployment.
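The verification described above can be partly automated: given the packet-filtering policy the firewall is supposed to enforce and the firewall's own syslog records of test traffic, a script can flag every packet whose logged disposition differs from what the policy requires. The following is an added example, not code from this BSP or from the CERT module it references; the rule table, the first-match/default-deny semantics, and the "action=... proto=... src=... dst=... dport=..." log format are all constructed assumptions, as are the sample log lines.

```python
import ipaddress
import re

# Constructed policy (assumption, not from the BSP): rules are evaluated in
# order, the first match wins, and anything unmatched is denied.
# Each rule: (action, protocol, source network, destination network, dest port)
POLICY = [
    ("accept", "tcp", "0.0.0.0/0",   "192.0.2.10/32", 25),   # inbound mail
    ("accept", "tcp", "0.0.0.0/0",   "192.0.2.20/32", 80),   # public web
    ("reject", "tcp", "0.0.0.0/0",   "192.0.2.0/24",  23),   # telnet: reject with notice
    ("accept", "udp", "192.0.2.0/24", "0.0.0.0/0",    53),   # outbound DNS
    ("deny",   "any", "0.0.0.0/0",   "0.0.0.0/0",     None), # default: silent drop
]

def expected_action(proto, src, dst, dport):
    """Return the disposition the policy requires for one packet (accept/reject/deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in POLICY:
        if rproto not in ("any", proto):
            continue
        if s not in ipaddress.ip_network(rsrc) or d not in ipaddress.ip_network(rdst):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"  # unreachable with the catch-all rule above, kept as a safety net

# Assumed log format for the firewall's per-packet decisions (constructed)
LOG_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

# Constructed sample syslog lines from a test run against the firewall
SAMPLE_LOG = """\
Feb 16 10:01:02 fw pf: action=accept proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=25
Feb 16 10:01:03 fw pf: action=accept proto=tcp src=198.51.100.7 dst=192.0.2.20 dport=23
Feb 16 10:01:04 fw pf: action=deny proto=udp src=192.0.2.5 dst=198.51.100.53 dport=53
Feb 16 10:01:05 fw pf: action=deny proto=tcp src=198.51.100.9 dst=192.0.2.20 dport=22
"""

def verify_log(log_text):
    """Compare each logged decision with the policy; return (line, observed, expected) mismatches."""
    mismatches = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        exp = expected_action(m["proto"], m["src"], m["dst"], int(m["dport"]))
        if exp != m["action"]:
            mismatches.append((line, m["action"], exp))
    return mismatches

if __name__ == "__main__":
    for line, observed, expected in verify_log(SAMPLE_LOG):
        print(f"MISMATCH observed={observed} expected={expected}: {line}")
```

In the constructed sample, the telnet packet that was accepted and the outbound DNS query that was dropped are both reported, while the two lines that match policy are silent.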
4.4 Tools
See 4.3, above.
4.5 Training Materials
See the reference list provided in Deploying Firewalls at http://www.cert.org/security-improvement/modules/m08.html.
Appendices
A Executive Overview and Briefing
A summary of the SEI security improvement module contents can be found in Deploying Firewalls at http://www.cert.org/security-improvement/modules/m08.html. There is no equivalent briefing.
B Reference List
See the reference list provided in Deploying Firewalls at http://www.cert.org/security-improvement/modules/m08.html.
See also a NIST draft document titled, "Implementing Internet Firewall Security Policy," available at http://csrc.nist.gov/publications/drafts.html.
C Procurement Information
Not applicable.
D Evaluation Information
E Recommended Changes
The originator has reviewed the BSP on its six-month anniversary and found that the BSP remains technically current.
F Glossary
See the abbreviations contained in Deploying Firewalls at http://www.cert.org/security-improvement/modules/m08.html.