S 2.299 Drawing up a security policy for a security gateway
Initiation responsibility: Top Management, IT Security Officer
Implementation responsibility: IT Security Officer
Secure and proper operation of the security gateway is particularly important, as it is crucial to the security of the network. This can only be guaranteed if the procedure is integrated in the existing security requirements.
The central security requirements (the target security level) follow from the organisation-wide security guidelines and should be formulated in a specific security policy relating to the operation of the security gateway so as to specify and apply the higher-level and general security guidelines in the present context.
In this context, it must be examined whether there are any other overriding specifications, for example IT policies, password policies, and specifications for internet usage, that must be taken into account in addition to the organisation-wide security guidelines.
All persons and groups participating in the purchasing and operation of the security gateway must be familiar with the security policy and follow it while working. Like all policies, its contents and its implementation should be examined regularly within the framework of a general audit.
The security policy should first specify the overall security level to be reached and provide basic information on the operation of the security gateway. Some points which should be taken into account are listed below:
- General configuration strategy: Given that the security gateway is crucial to the security of the network, its own secure configuration (and that of its individual components) is particularly important.
- Rules for the work of the administrators and auditors:
  - Via which access channels may administrators and auditors access the systems (e.g. local access at the console only, via a separate administrator network, or via encrypted connections)?
  - Which processes will need to be documented? In which form should the documentation be drawn up and maintained?
  - Does the dual-control principle apply to certain changes? This is strongly recommended for changes to the security gateway settings which are particularly critical in terms of security.
  - According to which schema are administrator rights assigned?
- Specifications regarding the purchase of equipment based on requirement profiles
- Specifications for the installation and configuration of individual components of the security gateway
  - Procedure during initial installation
  - Review of default settings with regard to security threats
  - Policies on physical access control
  - Use and configuration of console and other types of access
  - Regulations governing user administration and role management, authorisation structures (sequence and methods of authentication and authorisation, permissions to perform installations, updates, configuration changes, etc.). As far as possible, a role concept should be drawn up for administration.
  - Regulations regarding the preparation and maintenance of documentation, form of documentation: procedural instructions, operating manuals.
- Specifications for secure operation
  - Protection of systems administration (e.g. access via trusted connections only)
  - Use of encryption (standards, key strengths, application areas)
  - Guidelines on password usage (password rules, areas designated as password-protected, rules and situations for password changes and, where applicable, escrow of passwords)
  - Tools for operation and maintenance, integration in existing network management
  - Authorisations and procedures regarding software updates and configuration changes
- Logging
  - Which events are logged?
  - Where are the log files stored?
  - How are the logs evaluated and how often?
- Data backup and recovery
  - Integration in the organisation-wide data backup policy
- Fault management, error handling, incident handling
  - Regulations regarding the response to malfunctions and technical faults (local support, remote maintenance)
  - Regulations regarding security incidents
- Contingency planning
  - Integration in the organisation-wide contingency planning concept
- Review and audit (responsibilities, procedures, integration in a global audit concept)
The security management team is responsible for the security policy. Changes to the policy and deviations from it must only be made in consultation with the security management team.
When drawing up a security policy, it is advisable to state the maximum requirements and specifications for the security of the systems first. These may then be adapted to the actual circumstances. Ideally, all necessary aspects can be taken into account. For every requirement rejected or specification relaxed in the second step, the reasons for the rejection or relaxation should be documented.
Review questions:
- Does a security policy regarding the security gateway exist that documents the requirements and specifications for secure operation in a comprehensible manner?