How to Deploy Firewalls
1.0 | Identification Data |
1.1 | BSP Number |
00009 | |
1.2 | BSP Title/Name |
1 | |
1.3 | Version Number |
1.1 | |
1.4 | Adoption Date |
02/16/2001 | |
1.5 | Approving Authority |
CIO Council Security Practices Subcommittee (SPS) | |
1.6 | Responsible Organization |
Carnegie Mellon University Software Engineering Institute Networked Systems Survivability Program | |
1.7 | Level of BSP |
Candidate | |
1.8 | Security Processes or other Framework(s) Supported |
Technical Security/Install & Turn on Firewall Controls (SPF 6.2.8; NIST SP800-14, par. 3.4.4) | |
1.9 | Reserved |
1.10 | Points of Contact |
BSP Owner: Julia Allen, Carnegie Mellon University Software Engineering Institute, 4500 Fifth Avenue, Pittsburgh, PA 15213. Telephone: 412-268-6760. Fax: 412-268-4823. Email: jha@sei.cmu.edu | |
2.0 | What This BSP Does |
2.1 | BSP's Purpose |
This BSP discusses guidelines for designing, installing, and deploying simple packet-filtering firewalls. It does not cover policy, product selection, or operations. Advanced firewall capabilities (e.g., proxies, stateful (dynamic) packet filtering, network address translation, etc.) are covered only briefly, as design considerations. The steps are platform and OS independent; product-specific documentation should be consulted for detailed implementation guidance. The described approach has been used by the SEI's Networked Systems Survivability (NSS) Program. | |
2.2 | Requirements for this BSP |
SEI NSS Program security policy. [Proprietary based on NSS and CERT/CC mission.] | |
2.3 | Success Stories |
Not applicable. | |
3.0 | What This BSP Is |
3.1 | Description of BSP |
A more complete description of this BSP can be found in the Deploying Firewalls security improvement module (http://www.cert.org/security-improvement/modules/m08.html). |
Area | Recommended Practice |
Prepare | 1. Design the firewall system (5 steps). |
Configure | 2. Acquire firewall hardware and software (4 steps). 3. Acquire firewall documentation, training, and support (2 steps). 4. Install firewall hardware and software (5 steps). 5. Configure IP routing (2 steps). 6. Configure firewall packet filtering (3 steps). 7. Configure firewall logging and alert mechanisms (4 steps). |
Test | 8. Test the firewall system (10 steps). |
Deploy | 9. Install the firewall system (2 steps). 10. Phase the firewall system into operation (3 steps). |
3.2 | Relationship to Other BSPs |
Not applicable at this time | |
4.0 | How To Use This BSP |
4.1 | Implementation Guidance |
There is a wide range of topics related to the design, installation, and deployment of firewalls that are not covered in detail in this BSP. These include:
Many of these topics are covered in other firewall references, several of which are included in the reference section of the SEI's security improvement module. | |
4.2 | Implementation Resource Estimates |
Detailed estimates were not collected during the SEI NSS firewall deployment. However, the following rough-order-of-magnitude timeframes represent the calendar time required by one staff member to implement each of the practices described in Section 3.1. This staff member was working on the firewall deployment on an approximately half-time basis:
1. Design the firewall system: 3 months
2. Acquire firewall hardware and software: 2 months
3. Acquire firewall documentation, training, and support: 1 month
4. Install firewall hardware and software: 1 month
5. Configure IP routing: 1 week
6. Configure firewall packet filtering: 3 weeks
7. Configure firewall logging and alert mechanisms: 2 weeks
8. Test the firewall system: 2 weeks
9. Install the firewall system: 1 week
10. Phase the firewall system into operation: 2-3 months | |
4.3 | Performance Goals and Indicators (Metrics) |
A variety of network monitoring and intrusion detection tools were used to verify proper firewall performance. These included snort, tcpdump, nmap, and syslog analysis. These tools can be used to see if the deployed firewall accepts, rejects, or denies packets as specified by the policy guiding its deployment. | |
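The verification described in 4.3 amounts to comparing what a scanner observes against the verdict the packet-filter policy requires. The following added example (not part of the BSP or the SEI module) models a first-match packet-filter policy with the three outcomes named above, then checks constructed probe results against it; the policy, addresses and probe results are all made up for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy for a simple screening filter. Actions use the page's
# vocabulary: "accept" forwards, "reject" drops and answers with an error,
# "deny" drops silently. Rules are evaluated in order; first match wins.
@dataclass(frozen=True)
class Rule:
    action: str            # "accept" | "reject" | "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port

POLICY = [
    Rule("deny",   "any", "10.0.0.0/8", "0.0.0.0/0",     None),  # internal src arriving from outside
    Rule("accept", "tcp", "0.0.0.0/0",  "192.0.2.10/32", 25),    # mail relay
    Rule("accept", "tcp", "0.0.0.0/0",  "192.0.2.20/32", 80),    # public web server
    Rule("reject", "tcp", "0.0.0.0/0",  "192.0.2.0/24",  113),   # ident: answer, don't hang peers
]
DEFAULT_ACTION = "deny"  # anything not explicitly permitted is dropped

def evaluate(policy, proto, src, dst, dport):
    """Return the action of the first rule matching the packet, else the default."""
    for r in policy:
        if r.proto not in ("any", proto):
            continue
        if ip_address(src) not in ip_network(r.src):
            continue
        if ip_address(dst) not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return DEFAULT_ACTION

# Scanner port states mapped to policy outcomes: "open" = SYN/ACK seen,
# "closed" = RST seen, "filtered" = no reply. Note an RST can also come from
# the host itself (no listener), so a "closed" mismatch needs a human look.
OBSERVED = {"open": "accept", "closed": "reject", "filtered": "deny"}

def verify(policy, probes):
    """probes: (proto, src, dst, dport, observed_state) tuples.
    Returns mismatches as (probe, expected_action, observed_action)."""
    mismatches = []
    for proto, src, dst, dport, state in probes:
        expected = evaluate(policy, proto, src, dst, dport)
        observed = OBSERVED[state]
        if expected != observed:
            mismatches.append(((proto, src, dst, dport), expected, observed))
    return mismatches
```

Running `verify` over a full scan's results gives a list that should be empty before the firewall is phased into operation; each entry names a packet the filter handled differently from the policy.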
4.4 | Tools |
See 4.3, above. | |
4.5 | Training Materials |
See the reference list provided in Deploying Firewalls at http://www.cert.org/security-improvement/modules/m08.html. | |
Appendices | |
A | Executive Overview and Briefing |
A summary of the SEI security improvement module contents can be found in Deploying Firewalls at http://www.cert.org/security-improvement/modules/m08.html. There is no equivalent briefing. | |
B | Reference List |
See the reference list provided in Deploying Firewalls at http://www.cert.org/security-improvement/modules/m08.html. See also a NIST draft document titled "Implementing Internet Firewall Security Policy," available at http://csrc.nist.gov/publications/drafts.html. | |
C | Procurement Information |
Not applicable. | |
D | Evaluation Information |
E | Recommended Changes |
The originator has reviewed the BSP on its six-month anniversary and found that the BSP remains technically current. | |
F | Glossary |
See the abbreviations contained in Deploying Firewalls at http://www.cert.org/security-improvement/modules/m08.html. |