
=__Decepticon Manufacturing Firewall Policy__=

__1.0 Purpose__:
This policy describes the minimum firewall configuration required to protect all systems from unauthorized access.

__2.0 Scope__:
All equipment or devices deployed in a DMZ owned and/or operated by Decepticon Manufacturing (including hosts, routers, switches, etc.) and/or registered in any Domain Name System (DNS) domain owned by the company must conform to this policy.

3.1 Physical Security
//3.1.1// Only members of the Administrators to Network Devices may install, uninstall, move, perform maintenance upon, or change the physical configuration of a firewall or router.
//3.1.2// Any addition to the administrators group requires the Change Control Form ‘Add Administrators to Network Devices’ to be completed and approved by the IT Director.
//3.1.3// Only the Administrators to Network Devices may make physical connections to a network device, including direct access ports, console ports, etc.
//3.1.4// The firewall should be located in a controlled environment, with access limited to the Administrators to Network Devices. The room in which the firewall is physically located must be equipped with heating, air-conditioning, and smoke alarms to ensure the proper working order of the room. The placement and recharge status of the fire extinguishers shall be checked on a regular basis.
//3.1.5// In the event a firewall suffers physical damage or there is evidence of tampering, it will be fully evaluated with hardware diagnostics and its physical configuration checked against the existing documentation.

3.2 Incident Handling
//3.2.1// The firewall shall be configured to produce logs and reports on a daily, weekly, and monthly basis so that network activity can be analyzed when needed.
//3.2.2// Firewall logs should be examined on a weekly basis to determine whether attacks have been detected.
//3.2.3// The firewall administrator shall be notified at any time of any security alarm by email, pager, or other means so that he may immediately respond to the alarm.
//3.2.4// The firewall shall reject any kind of probing or scanning directed at it so that it does not leak information about the protected network. In a similar fashion, the firewall shall block all software types known to present security threats to a network (such as ActiveX and Java) to further tighten the security of the network.

3.3 Configuration Requirements
//3.3.1// Only members of the Administrators to Network Devices may do the following:
//3.3.1.1// Log in directly to a network device’s console port or other direct access port
//3.3.1.2// Assume administrative privileges on a network device
//3.3.1.3// Log in to the network device remotely
//3.3.2// Any configuration changes will be approved and implemented in accordance with the Decepticon Manufacturing Change Management Policy.
//3.3.3// A demilitarized zone (DMZ) will be used to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic.
//3.3.4// IP masquerading, such as port address translation (PAT) or network address translation (NAT), will be used to prevent internal addresses from being revealed on the Internet.
//3.3.5// Firewalls are to be placed at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
//3.3.6// Firewalls will restrict inbound Internet traffic to Internet Protocol (IP) addresses within the DMZ.
//3.3.7// Personal firewall software will be installed on any mobile and employee-owned computers with direct connectivity to the Internet which are used to access Decepticon Manufacturing’s network.

3.4 Firewall Backup
//3.4.1// At least one firewall shall be configured and held in reserve (not in use) so that, in case of a firewall failure, this backup firewall can be switched in to protect the network.
//3.4.2// The backup firewall must be physically stored in an off-site location. It must be locked up and inaccessible.

3.5 Firewall Upgrades
//3.5.1// To optimize the performance of the firewall, all vendor recommendations for processor and memory capacities shall be followed.
//3.5.2// The Administrators to Network Devices must evaluate each new release of the firewall software to determine whether an upgrade is required.
//3.5.3// All security patches recommended by the firewall vendor should be implemented in a timely manner.
//3.5.4// Any firewall-specific upgrades shall be obtained from the vendor.
//3.5.5// The Administrators to Network Devices shall monitor the vendor’s firewall mailing list or maintain some other form of contact with the vendor to be aware of all required upgrades.
//3.5.6// Before an upgrade of any firewall component, the firewall administrator must verify with the vendor that the upgrade is required.
//3.5.7// After any upgrade, the firewall shall be tested to verify proper operation before it is returned to service.

3.7 Monitoring
//3.7.1// All firewall rule sets will be reviewed on a quarterly basis.
//3.7.2// The List of Approved Administrators to Network Devices will be reviewed on a quarterly basis.

__4.0 Firewall Rules__:
Default policy: Deny all incoming and outgoing traffic unless specified in the following table.
|| Port || Service || Status || Protocol || Policy || Description ||
|| 25 || SMTP || Accept || TCP || Allowing incoming and outgoing packets. || Enables outside and inside users to send/receive E-mail. ||
|| 53 || DNS || Accept || TCP || Allowing incoming, outgoing and forwarding packets. || Enables incoming and outgoing DNS requests. ||
|| 53 || DNS || Accept || UDP || Allowing incoming, outgoing and forwarding packets. || Enables incoming and outgoing DNS requests. ||
|| 80 || HTTP || Accept || TCP || Allowing incoming, outgoing and forwarding packets. || Enables outside/inside users to browse the Internet. ||
|| 110 || POP3 || Accept || TCP || Allowing incoming, outgoing and forwarding packets. || Enables outside/inside users to receive E-mail. ||
|| 443 || HTTPS || Accept || TCP || Allowing incoming, outgoing and forwarding packets. || Enables outside/inside users to securely browse the Internet. ||
|| 1194 || VPN || Accept || TCP || Allowing only incoming packets. || Enables outside users to connect to the network via VPN. ||
|| 1194 || VPN || Accept || UDP || Allowing only incoming packets. || Enables outside users to connect to the network via VPN. ||
|| - || GRE || Accept || - || Accepting IP protocol 47 packets. || Enables Generic Routing Encapsulation. ||
|| - || TUN || Accept || - || Accept tunnel interface connections to the OpenVPN server. || Enables the tunnel interface for OpenVPN. ||
|| - || TAP || Accept || - || Accept TAP interface connections to the OpenVPN server. || Enables the TAP interface for OpenVPN. ||
|| - || ICMP || Accept || - || Allows incoming, outgoing and forwarding of ICMP packets. || Enables outside/inside users to ping. ||
|| - || Established, Related || Accept || - || Allows only established/related connections. || Drops any packet that is not part of an established/related connection. ||

__5.0 VPN Policy__:
//5.1// It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Decepticon Manufacturing internal networks via their VPN.
//5.2// VPN use is to be controlled using password authentication.
//5.3// When actively connected to the administrative network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
//5.4// VPN gateways will be set up and managed by the Decepticon Manufacturing IT office.
//5.5// All computers connected to Decepticon Manufacturing internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the administrative standard; this includes personal computers. Information on this software can be obtained from Decepticon Manufacturing Technical Support.
//5.6// All computers connected to Decepticon Manufacturing internal networks via VPN must have the latest operating system security patches applied. Information on these patches can be obtained from Decepticon Manufacturing Technical Support.
//5.7// Users of computers that are not Decepticon Manufacturing-owned equipment must configure the equipment to comply with Decepticon Manufacturing's VPN and Network policies.
//5.8// Only approved VPN clients may be used. Information on this software can be obtained from Decepticon Manufacturing Technical Support.
//5.9// By using VPN technology with personal equipment, users must understand that their machines are an extension of Decepticon Manufacturing's network, and as such are subject to the same rules and regulations that apply to Decepticon Manufacturing-owned equipment, i.e., their machines must be configured to comply with all Decepticon Manufacturing Security Policies.
//5.10// Peer-to-peer software is not allowed over VPN.

__6.0 Proxy Policy__:
//6.1// Squid will be implemented as the proxy server.
//6.2// All web traffic shall be routed through the proxy server.
//6.3// Ports 80 and 443 are blocked on the forward chain in order to enforce the proxy.
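As an added example (not part of the original policy page), the section 4.0 table and rule 6.3 expressed as an iptables-restore ruleset generated by a shell function. It assumes the Internet interface is eth0, the LAN interface is eth1, and that Squid runs on the firewall host on its default port 3128, none of which the page states; because 6.3 blocks 80 and 443 on the forward chain, the block follows 6.3 there rather than the table's "forwarding" entry for those two ports.

```shell
#!/bin/sh
# Added example, not taken from the Decepticon Manufacturing policy page: emits an
# iptables-restore ruleset for the section 4.0 table and rule 6.3. Assumptions
# (not on the page): Internet on eth0, LAN on eth1, Squid on this host on 3128.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PROXY_PORT="${PROXY_PORT:-3128}"
emit_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# "Established, Related" row first: replies to permitted flows pass; anything unmatched below hits the chain's DROP policy.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 6.3: drop 80/443 in FORWARD ahead of every accept so LAN hosts cannot bypass Squid.
-A FORWARD -p tcp -m multiport --dports 80,443 -j DROP
# LAN clients reach Squid on this host; Squid itself fetches 80/443 via the WAN side.
-A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
# 25/tcp SMTP, 53 DNS (tcp+udp), 110/tcp POP3: in and out; 53 and 110 also forwarded, 25 not.
-A INPUT -p tcp -m multiport --dports 25,53,110 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,53,110 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 53,110 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A FORWARD -p udp --dport 53 -j ACCEPT
# 1194 VPN (tcp+udp): inbound from the Internet side only.
-A INPUT -i $WAN_IF -p tcp --dport 1194 -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport 1194 -j ACCEPT
# GRE is IP protocol 47; OpenVPN tun/tap interfaces; ICMP in every direction.
-A INPUT -p gre -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
COMMIT
EOF
}
```

Review the output, then load it with `emit_ruleset > rules.v4 && iptables-restore < rules.v4`; iptables-restore replaces the whole filter table atomically, so a partial load can never leave the DROP policies in place without their accept rules.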

__7.0 Responsibility__:
The Security Officer is responsible for leading compliance activities that bring Decepticon Manufacturing into compliance with the PCI Data Security Standards and other applicable regulations and maintaining the documentation of the quarterly reviews.

__8.0 Enforcement__:
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

__9.0 Policy History__:
Initial effective date: Monday, June 8, 2009