Friday, July 22, 2011

Firewall Topology


This standard covers the use of a suitable firewall, a firewall topology and a firewall security policy.
The use of a suitable firewall, firewall topology and security policy is critical in ensuring protection against network security threats. A secured firewall must be used to provide protection against threats from external public (un-trusted) networks, such as the Internet. Networks must be segmented if distinct security boundaries are to be enforced.
A firewall is a system that controls the flow of traffic between networks and provides a mechanism for protecting hosts against network-based security threats. It should be noted that a firewall cannot control (or protect against) traffic that does not flow through the security gateway (e.g. a dial-up modem bypasses any firewall), nor can it protect against attacks from internal or authorized users. Firewalls are only as secure as the firewall system and the implemented security policy (firewall rule base). Because new threats and security vulnerabilities are numerous, varied and easily distributed on the Internet, firewalls can never provide 100% protection against all possible threats. A suitable firewall must be used to interconnect to any external, public or un-trusted network (i.e. the Internet). This is mandatory due to the security threats that exist and the sensitive nature of the information located within the corporate network. A DMZ (De-Militarized Zone) must be used to segment the network when hosting public resources, such as Internet web servers.
Figure: External Firewall with DMZ
Multiple DMZs may be used if a requirement exists for multiple network segments with differing security policies (levels). This has applications for extranets, intranets, web hosting and remote access gateways (as shown below).
Figure: External Firewall with multiple DMZs
The use of internal firewalls within the corporate network is not encouraged due to the complications of ensuring that corporate core services such as Active Directory and Exchange messaging are not affected. An internal firewall may inadvertently block these core services, which are critical to the operation of the corporate network.
If an internal firewall is to be used, it must be configured with an appropriate security policy (gateway rule base). This is required to ensure that core services such as DNS, DHCP, Active Directory and Exchange messaging remain globally available.
The minimum requirements with regard to “Firewall Topology” in the firewall security standards are:
1. A suitable firewall must be used for all external connections.
2. Networks with differing security requirements must be segmented and protected with a firewall (e.g. internal (trusted) vs. Internet (un-trusted)).
3. A DMZ is mandatory for systems (e.g. web servers) that are accessible from any public (un-trusted) network. These externally accessed hosts must not be placed on the corporate internal (business) networks.
4. Multiple DMZs may be used to provide network segments with multiple security classifications (or zones).
5. All physical firewall connections must be secured and appropriately labelled. It is recommended to use a colour coding scheme to differentiate between private, public and DMZ networks.
6. All Internet (external facing) firewalls must be configured to deny all traffic unless explicitly permitted.
A suitable firewall topology makes it possible to identify security boundaries within the network and to apply a valid security policy (rule base) at the security gateway (firewall).
This is one of a series of firewall security standards; you should also read about firewall requirements.
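As an added illustration (not part of the original standard), the following Python script models the single-DMZ topology described above as three zones, evaluates constructed sample flows against a deny-by-default rule base with first-match semantics, and audits the rule base for the two violations the requirements above forbid: an allow from the Internet straight into the internal network (requirement 3) and an Internet-sourced allow with no port restriction (requirement 6). The zone addresses, rules and sample flows are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zones of the three-legged topology (external, DMZ, internal).
# Addressing is constructed for this example: RFC 5737 TEST-NET for the DMZ,
# RFC 1918 space for the internal network; anything else is the untrusted Internet.
ZONES = [
    ("dmz", ip_network("192.0.2.0/24")),
    ("internal", ip_network("10.0.0.0/8")),
    ("internet", ip_network("0.0.0.0/0")),  # catch-all, so it must stay last
]


def zone_of(addr: str) -> str:
    """Map an IPv4 address to its security zone (first matching network wins)."""
    a = ip_address(addr)
    for name, net in ZONES:
        if a in net:
            return name
    raise ValueError(f"{addr} is not in any known zone")


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed rule base for the single-DMZ topology. Order matters: first match
# wins, and anything unmatched falls through to the implicit deny (requirement 6).
RULEBASE: List[Rule] = [
    Rule("internet", "dmz", "tcp", 80, "allow", "public web"),
    Rule("internet", "dmz", "tcp", 443, "allow", "public web over TLS"),
    Rule("dmz", "internal", "tcp", 1433, "allow", "web tier to database only"),
    Rule("internal", "dmz", "tcp", 22, "allow", "administration of DMZ hosts"),
    Rule("internal", "internet", "tcp", 80, "allow", "outbound web"),
    Rule("internal", "internet", "tcp", 443, "allow", "outbound web over TLS"),
    Rule("internal", "internet", "udp", 53, "allow", "outbound DNS"),
]


def evaluate(pkt: Packet, rulebase: List[Rule] = RULEBASE) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule). No match means the default deny applies."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for rule in rulebase:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == pkt.proto
                and (rule.dport is None or rule.dport == pkt.dport)):
            return rule.action, rule
    return "deny", None


def audit(rulebase: List[Rule] = RULEBASE) -> List[Tuple[int, str]]:
    """Check a rule base against the topology requirements.

    Returns (rule index, reason) for: an allow from the Internet straight into
    the internal network, which bypasses the DMZ (requirement 3), and an allow
    from the Internet with no port restriction, which is too broad for a
    deny-by-default policy (requirement 6).
    """
    findings = []
    for i, rule in enumerate(rulebase):
        if rule.action != "allow":
            continue
        if rule.src_zone == "internet" and rule.dst_zone == "internal":
            findings.append((i, "Internet-to-internal allow bypasses the DMZ"))
        if rule.src_zone == "internet" and rule.dport is None:
            findings.append((i, "Internet-sourced allow with no port restriction"))
    return findings


if __name__ == "__main__":
    # Constructed sample flows: public client, DMZ web server, internal database host.
    samples = [
        Packet("203.0.113.7", "192.0.2.10", "tcp", 443),   # client -> DMZ web: allow
        Packet("203.0.113.7", "10.1.2.3", "tcp", 445),     # client -> internal SMB: deny
        Packet("192.0.2.10", "10.1.2.3", "tcp", 1433),     # DMZ web -> internal DB: allow
        Packet("192.0.2.10", "10.1.2.3", "tcp", 22),       # DMZ web -> internal SSH: deny
    ]
    for p in samples:
        action, rule = evaluate(p)
        why = rule.comment if rule else "implicit default deny"
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {action} ({why})")
    print("audit findings:", audit())
```

The audit function is the part worth keeping around: run it over a proposed rule base before deployment, and any allow rule that lets the un-trusted zone reach the internal zone directly, or that opens the DMZ to every port, is reported with its position in the rule base.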