Friday, July 22, 2011

Firewall Change Control


A firewall system must follow approved change management principles. This relates to hardware, software and configuration changes made on the firewall system(s).
A change management procedure is required to ensure that firewall configuration changes do not impact the business or generate any security vulnerabilities. An unauthorized security change may result in a firewall rule that inadvertently allows unauthorized access to the corporate internal network or that blocks key corporate services.
Security patches may be rushed to market by customer demand after a security bulletin or a publicized computer virus, and a security vendor will sometimes release a patch without performing sufficient security and stability testing. It is therefore critical that any new patch be tested before it is deployed within the production environment.
The minimum requirement with regards to “Firewall Change Control” is:
  • All firewalls must follow approved change management principles and system management best practices. All firewall security changes must be documented within a change management system.
  • Changes to the firewall security policy must be authorized and made by suitably trained and trusted security personnel.
  • All high-risk configuration changes (e.g. software upgrades) must be tested before being implemented in the production environment.
  • All firewall changes must have a roll-back procedure to reverse any changes made to the firewall system.
The recommended requirement with regards to “Firewall Change Control” would need the following addition:
  • All configuration changes (e.g. software upgrades) must be tested and validated before being implemented in the production environment.

Firewall Change Control procedures must be followed at all times and approved by Information Owners. This will ensure that information processing facilities are operated and maintained correctly and securely.
External firewalls were discussed in the previous article, and this article should be read together with the article on firewall physical security. Firewall physical security requires that no firewall system (or internal network) be placed within a publicly accessible area.