S 2.78 Secure operation of a firewall
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Administrator
For the secure operation of a security gateway, it is necessary to check regularly whether the security safeguards implemented are actually being complied with. In particular, compliance with the organisational regulations established for operating the security gateway must be checked both at regular intervals and at irregular times. It should also be checked regularly whether new access paths bypassing the security gateway have been created.
Moreover, regular tests must be performed in order to check that all filter rules have been implemented properly. In doing so, it must be verified that only those services are permitted which the policy of the security gateway designates as permitted.
If the policy requires later changes, these must be strictly controlled and checked for side effects in particular.
The requirements regarding the procurement of packet filters and/or application level gateways must be implemented. These must be updated regularly and checked for completeness.
The default setting of the filter rules and the arrangement of the components must ensure that all connections not expressly permitted are blocked. This must also be the case during complete failure of the components of the security gateway.
The rule "everything not expressly permitted is prohibited" must be implemented. For example, a user without an entry in an access list must not be provided with any option of using the internet services.
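The two requirements above, testing that the filter rules implement only the services the policy permits and confirming that the default is "everything not expressly permitted is prohibited", can be checked mechanically against a ruleset dump. The following script is an added example and is not part of the BSI catalogue; it assumes nftables syntax as printed by `nft list ruleset`, a hypothetical policy that permits only TCP ports 22 and 443, and a constructed sample dump that deliberately contains one chain without a drop default and one accept rule for a port the policy does not list.

```shell
# Added example, not part of the BSI catalogue text: check a dumped nftables
# ruleset against the ports the security gateway policy designates as permitted.
# Check 1: every base chain (line containing "type filter hook") must carry
#          "policy drop", i.e. everything not expressly permitted is prohibited.
# Check 2: every "accept" rule that names a destination port must name a
#          port on the permitted list.
# The policy port list and the ruleset dump below are constructed sample data;
# on a real gateway the dump would come from `nft list ruleset`.

PERMITTED_PORTS="22 443"

SAMPLE_RULESET='table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
		iif "lo" accept
		tcp dport 22 accept
		tcp dport 443 accept
		tcp dport 8080 accept
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy drop;
	}
}'

# check_ruleset: reads a ruleset on stdin, prints one finding per line,
# returns 0 when the ruleset complies with the policy and 1 otherwise.
check_ruleset() {
    awk -v permitted="$PERMITTED_PORTS" '
    BEGIN {
        n = split(permitted, p, " ")
        for (i = 1; i <= n; i++) ok[p[i]] = 1
        findings = 0
    }
    $1 == "chain" { chain = $2 }
    /type filter hook/ && $0 !~ /policy drop;/ {
        printf "chain %s: default policy is not drop\n", chain
        findings++
    }
    /dport [0-9]+ accept/ {
        for (i = 1; i < NF; i++) if ($i == "dport") port = $(i + 1)
        if (!(port in ok)) {
            printf "chain %s: accept for port %s not permitted by policy\n", chain, port
            findings++
        }
    }
    END { exit (findings > 0 ? 1 : 0) }
    '
}

# sample_findings: runs the check on the constructed dump and prints the findings.
sample_findings() {
    printf '%s\n' "$SAMPLE_RULESET" | check_ruleset || true
}

sample_findings
```

Run against the constructed dump, the check reports the forward chain (default policy accept) and the accept rule for port 8080; a dump in which every base chain ends in "policy drop" and every accept names a permitted port produces no output and exit status 0, which is the condition a scheduled test would require before the ruleset is considered correctly implemented.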
Furthermore, the following items must be taken into consideration:
- All devices (computers, routers, or appliances) that are part of a security gateway must be configured particularly carefully and securely.
- The components used must only contain programs required for the functionality of the security gateway. The use of these programs must be documented and justified comprehensively. For example, services not required should be disabled and drivers not required should be removed. If possible, unneeded drivers should also be removed from the operating system kernel. If software is retained, this must be documented and justified.
- In order to prevent the authentication information from being read or modified, administrators and auditors must only access the security gateway using a trustworthy path, for example directly via the console, using an encrypted connection, or using a separate administration network (out-of-band management).
- It must be ensured that the operating systems and programs on the components of the security gateway are kept at a secure patch level at all times. Therefore, the system administrators must regularly obtain information about published software weaknesses and install security-critical patches promptly and with particular care (see also S 2.35 Obtaining information on security weaknesses of the system, S 2.273 Prompt installation of security-relevant patches and updates, as well as S 4.177 Assuring the integrity and authenticity of software packages).
- Integrity tests of the software used must be performed at regular intervals (see also S 4.93 Regular integrity checking). If a violation is detected, the security gateway must be switched off.
- The response of the security gateway to a system crash must be tested. In particular, no automatic restart should be possible and it must be possible to store the access lists on a read-only medium.
The access lists contain the essential data for operating the security gateway. Therefore, corresponding protection must be used to ensure that no outdated or erroneous access lists are used even if an attacker manages to cause a restart of the security gateway or individual components.
- In the event of a failure of the security gateway, it must be ensured that no network connections from or to the network to be protected can be established during this period (see also S 2.302 Security gateways and high availability and S 6.94 Contingency planning for security gateways).
- When restoring backed up data resources, it must be ensured that the files relevant for the secure operation of the security gateway such as access lists, password files, and filter rule files are up to date.
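The list item on regular integrity tests of the software used (and, by extension, the files named in the last item, such as access lists, password files and filter rule files) can be implemented with a stored hash manifest that is re-checked on a schedule. The script below is an added example, not part of the BSI catalogue or of S 4.93; it assumes `sha256sum` (or `shasum -a 256`) is available, that a manifest created on a known-good system is stored off the gateway, and that the directory it is run on is the operator's choice. The directory and files in the demonstration are constructed sample data.

```shell
# Added example, not part of the BSI catalogue text: a minimal integrity check
# of the kind the safeguard calls for. hash_tree records a SHA-256 manifest of
# every regular file under a directory; verify_baseline compares the current
# state with a stored manifest and reports NEW, MODIFIED and MISSING files.
# A non-zero exit status is the signal on which the operator takes the gateway
# offline, as the safeguard requires. The directory layout used when running it
# is constructed sample data; the paths of real gateway files are site-specific.

# Print "sha256  ./relative/path" for every regular file under $1, sorted by path.
# Uses sha256sum (coreutils) and falls back to shasum -a 256 where that is absent.
hash_tree() {
    (
        cd "$1" || exit 1
        find . -type f | sort | while IFS= read -r f; do
            if command -v sha256sum >/dev/null 2>&1; then
                sha256sum "$f"
            else
                shasum -a 256 "$f"
            fi
        done
    )
}

# Compare the tree under $1 with the manifest file $2.
# Prints one finding per line; returns 0 when identical, 1 on any deviation.
# Assumes no file path contains two consecutive spaces (the manifest separator).
verify_baseline() {
    hash_tree "$1" | awk -v manifest="$2" '
    BEGIN {
        while ((getline line < manifest) > 0) {
            split(line, a, "  ")
            base[a[2]] = a[1]
        }
        close(manifest)
        bad = 0
    }
    {
        split($0, a, "  ")
        path = a[2]
        seen[path] = 1
        if (!(path in base)) { print "NEW " path; bad++ }
        else if (base[path] != a[1]) { print "MODIFIED " path; bad++ }
    }
    END {
        for (p in base) if (!(p in seen)) { print "MISSING " p; bad++ }
        exit (bad > 0 ? 1 : 0)
    }'
}

# Demonstration on a constructed directory: record a baseline, then alter a
# file and re-check.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/gw"
    printf 'tcp dport 22 accept\n' > "$tmp/gw/rules.nft"
    printf 'admin:x:1000\n' > "$tmp/gw/passwd"
    hash_tree "$tmp/gw" > "$tmp/baseline.sha256"
    verify_baseline "$tmp/gw" "$tmp/baseline.sha256" && echo "baseline verified"
    printf 'tcp dport 8080 accept\n' >> "$tmp/gw/rules.nft"
    verify_baseline "$tmp/gw" "$tmp/baseline.sha256" || echo "integrity violation: take the gateway offline"
    rm -rf "$tmp"
}

demo
```

The manifest must itself be protected, for example by keeping it on the read-only medium the safeguard mentions for the access lists or on the administration host, since a manifest stored writable on the gateway could be regenerated along with the altered files and the check would then pass.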
Review questions:
- Are the safeguards implemented on the security gateways checked for correctness at regular intervals?
- Are changes to the filter rules checked for possible security-relevant effects in advance?
- Have the programs and services used on the security gateway been reduced to the required extent?
- Are the components of the security gateway exclusively accessed for administration purposes using trustworthy paths?
- Are the settings performed on the security gateways backed up regularly?