Perimeter Security Policy

Version: 1.00
Issue Date: 11/24/2014

A Perimeter Security Policy is required to define the requirements of the security perimeter. It also assures the security and control of changes to devices that are used to secure the network perimeter.

1.0 Overview

This Perimeter Security Policy describes or defines:

  • Security perimeter device requirements.
  • Security perimeter device configurations.
  • Network traffic flow core strategies discussing traffic allowed or not allowed across network zones.
  • Firewall rule change process and security perimeter device change process.
  • Data transmission strategies considering network zone security and data sensitivity.
  • Data storage strategies in network zones based on data sensitivity and zone security.

2.0 Purpose

This Perimeter Security Policy is designed to protect the data of the organization and its business partners or any data the organization is in custody of.

3.0 Definitions

  • DMZ - The term DMZ is an acronym for demilitarized zone. The DMZ is the part of a network where servers that may be accessed by the public are normally placed. The DMZ normally sits between the internet and the "trusted network" and is separated by a firewall from both the internet and the trusted part of the network. The DMZ is considered a semi-trusted network: more secure than the internet but less secure than the trusted part of the network, since servers accessed by the public carry a higher risk of security incidents.
  • Untrusted network - Any network that is not trusted by your organization; a firewall must exist between it and your organization's semi-trusted or trusted network. Any network not managed by your organization should not be trusted, since you cannot guarantee the security of that network.
  • Semi-trusted network - Another name for DMZ.
  • Trusted network - A part of the network protected from the internet and any untrusted network using a firewall. It is also protected from the semi-trusted network using a firewall. Normally workstations and servers that hold data are kept in the trusted network although there is good reason to keep the servers with sensitive data protected from the "trusted network" considering the state of security on many networks.

4.0 Scope

This Perimeter Security Policy applies to devices managed by the Information Technology Department, including any LAN, MAN, or WAN components that are important to the security of organizational information systems. This policy covers data, systems, network zones, Intrusion Detection Systems (IDS), remote connectivity devices, and network components used for connectivity including firewalls, routers, files, databases, switches, and computer systems where applicable. This policy is effective as of the issue date and does not expire unless superseded by another policy.

5.0 Main Security Strategies

Several central security strategies will be used to secure the network including but not limited to:

  • Least Privilege Principle - All administrators, services, or other items requiring access shall have the minimum privileges needed to accomplish their required functions.
  • Minimum Information Publication and Confidentiality - The minimum amount of information required to accomplish a task shall be published when sensitivity of information is involved.
    • Information about the security perimeter, its configuration and the devices and systems it is protecting shall be kept confidential.
    • All administrators of security perimeter devices, including contractors and vendors, must sign non-disclosure or confidentiality agreements where appropriate.
    • The security perimeter shall be configured so its architecture and the network architecture it is protecting cannot be determined from outside the organization.
    • Warning banners that meet legal requirements for prosecution when systems are broken into by unauthorized parties shall be displayed on all systems according to the Logon Banner Policy.

6.0 Network Structure

The network will be protected using dedicated firewall technologies to limit attacks from untrusted sources. The structure of the network should provide a minimum of three security zones which will include:

  • An unsecured zone which is the internet.
  • A semi-secure zone which is designed for hosting servers that are public facing (directly accessed by the public) and may have higher than normal risk of compromise. Servers of this type include mail, web, and FTP servers.
  • A secure zone which may contain internal workstations and servers that are not directly accessible by the public.

Other Security Devices shall include:

  • Network Intrusion Detection or Prevention Systems shall be deployed on all high security segments and at main locations where traffic passes between zones. Network intrusion systems should be capable of detecting abnormal network messages that do not follow the rules of the protocol, and also be able to detect attacks using signatures.
  • Host intrusion detection or prevention software shall operate on all medium and high security computer systems according to the Server Security Policy.
  • Anti-virus and malware prevention software shall be deployed so inbound traffic and files are screened for all malware. All servers and workstations shall operate current anti-virus software according to the Virus Protection Policy and Workstation Configuration Policy.

7.0 Change Management

Change management processes shall be developed for the following:

  • Security perimeter device configurations.
  • Firewall rule change process and security perimeter device change process. Strong authentication shall be used for the management of the firewall.

The organizational parties responsible for security must also be responsible for devices that perform security functions. The responsibility may be in the form of authority to approve changes. The entity responsible for security must be able to:

  • Discontinue the internet connection to the organization to prevent or limit security breaches.
  • Shut down systems to prevent or limit security breaches.
  • Shut down services to prevent or limit security breaches.

All changes to devices that monitor or control traffic between zones, or that are used to enforce security, shall be logged. Logs of these devices must be kept secure from alteration and unauthorized changes.

8.0 Security Device Log Management and Protection

  • Logs of systems used as security devices or to control perimeter security shall be protected using one or more methods including but not limited to digital signatures, checksums, or encryption.
  • Logs of systems used as security devices or to control perimeter security shall be reviewed at least daily during normal business days. The daily log reviews help ensure the security perimeter is secure and may help detect threats or security breaches.
  • Any security threats requiring incident reporting or breaches shall be reported and documented according to the Security Incident Response Plan and Procedures.
  • When system logs are moved or copied to systems other than the original system, the process must be completed securely and in a way that allows the integrity of the data to be proven for admissibility in court.
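One way to meet the integrity requirements of this section when a device log is copied to a collection system: chain each line to its predecessor with an HMAC and ship the resulting manifest alongside the log. This is an added illustration, not part of the policy; the key handling, the manifest layout and the sample firewall log lines are constructed for the example.

```python
"""Tamper-evident sealing of a security-device log before it is copied off-box.

Each line is chained to its predecessor with an HMAC, so altering, deleting,
inserting or reordering any line changes every tag from that point on. The
receiving system recomputes the chain and compares it with the manifest.
Assumption: the key is held by the log-collection process and by an auditor,
not by the administrators whose changes the log records.
"""
import hashlib
import hmac

# Constructed sample lines in the shape of a firewall's audit log; not real data.
SAMPLE_LOG = [
    "2014-11-24T08:01:12Z fw1 DENY in=eth0 src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=23",
    "2014-11-24T08:01:13Z fw1 DENY in=eth0 src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=3389",
    "2014-11-24T08:02:40Z fw1 ALLOW in=eth0 src=198.51.100.3 dst=192.0.2.25 proto=tcp dport=443",
    "2014-11-24T08:05:02Z fw1 CONFIG user=admin change=rule-add id=41",
]

GENESIS = b"\x00" * 32   # fixed starting value for the first link in the chain


def _tag(key: bytes, prev: bytes, line: str) -> bytes:
    # Each tag covers the previous tag and the line, so it depends on every earlier line.
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def seal_log(lines, key: bytes) -> dict:
    """Return a manifest (line count, per-line tags, final tag) for a list of log lines."""
    prev = GENESIS
    tags = []
    for line in lines:
        prev = _tag(key, prev, line)
        tags.append(prev.hex())
    return {"count": len(lines), "tags": tags, "final": prev.hex()}


def verify_log(lines, manifest: dict, key: bytes):
    """Recompute the chain on the receiving side.

    Returns (True, None) if the copy matches the manifest, otherwise
    (False, index): a truncated or padded copy fails on the count, and a
    modified, inserted or deleted line fails at the first divergent index.
    """
    if len(lines) != manifest["count"]:
        return False, min(len(lines), manifest["count"])
    prev = GENESIS
    for i, line in enumerate(lines):
        prev = _tag(key, prev, line)
        if not hmac.compare_digest(prev.hex(), manifest["tags"][i]):
            return False, i
    return hmac.compare_digest(prev.hex(), manifest["final"]), None


if __name__ == "__main__":
    key = b"constructed-example-key"        # in practice: from a key store, never in source
    manifest = seal_log(SAMPLE_LOG, key)
    copied = list(SAMPLE_LOG)
    copied[1] = copied[1].replace("DENY", "ALLOW")   # simulate alteration in transit
    print(verify_log(SAMPLE_LOG, manifest, key), verify_log(copied, manifest, key))
```

The manifest must travel separately from the log or be protected by the same key, and for court admissibility the key custody and the verification run themselves need to be documented.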

9.0 Auditing

The configuration management process and firewall policy are reviewed and audited at least two times per year. The configuration management process provides for changing, adding, and removing firewall rules. Auditing is done to ensure that penetration analysis of perimeter security devices and internal systems is done in a timely manner. Auditing will include:

  • Administrative practices of perimeter devices.
  • Enabled services on perimeter devices.
  • Allowed connectivity controlled through perimeter devices.
  • Review of security measures on perimeter devices.

External auditing shall be done annually to assess the effectiveness of internal auditing.

10.0 Device Requirements

Security perimeter devices must meet the following requirements:

  • Firewalls used for the organization shall use active monitoring of traffic to recognize patterns of attacks and protect themselves.
  • The design of perimeter security devices is kept secret but should not be vulnerable to compromise if the design is known.
  • Hardware that is used to keep security perimeter devices secure is resistant to attacks and any secret keys used to manage the device cannot be compromised by an attacker.
  • Firewalls are not used for any purpose other than firewall functions. Firewalls have no more features than required to perform their function, and the platform they operate on is hardened so unneeded services are turned off.
  • Firewalls and other perimeter defense devices must be patched in a timely manner and should be patched within two weeks.
  • The firewall architecture enforces protocol discontinuity at the transport layer. This means that network protocols at the transport layer that are not compatible will not go through the firewall. For example the protocol of the internet is TCP/IP. Traffic using TCP/IP from the internet will not be automatically translated to another type of protocol such as IPX/SPX.
  • The firewall must send alarms to administrators when suspicious activity is detected.

11.0 Traffic Flow

This section provides requirements for network traffic flow core strategies. It discusses traffic allowed or not allowed across network zones. It also considers data transmission strategies considering network zone security and data sensitivity.

  • Single Entry/Exit - A single point of entry from the internet to the organizational WAN or LAN is required. More than one point of entry into the network shall not be allowed. Points of entry from other unsecured networks into the semi-trusted network (DMZ) may be allowed as approved by the Chief Information Security Officer.
  • Deny All - Any network traffic, including traffic to or from IP addresses and ports (services), that is not expressly permitted is not allowed. This applies to both inbound and outbound traffic.
  • External Connectivity refers to any data or network traffic leaving the organization or entering the organization from any other source including the internet or business partners.
    • No inbound or outbound external connectivity shall be allowed to the trusted network but only to the semi-trusted network.
    • Inbound or outbound external connectivity to the semi-trusted network that does not go through the single point of entry must be approved by the Chief Information Security Officer.
    • Any inbound or outbound external connection not using the single point of entry must be managed and monitored to assure security.
    • Any external entity connecting to the organization must sign any applicable confidentiality agreements and agree to abide by applicable policies.
    • External partners are not allowed to connect to each other through the organization's network.
  • All network traffic used for firewall system management must be secured properly.
  • The firewalls and perimeter security devices must hide the architecture of the organization's internal network. This can be done by firewalls using Network Address Translation (NAT) to mask the IP addresses of hosts behind the firewall.
  • All firewalls must provide an audit trail of all communications to or through the firewall system and generate alarms when suspicious activity is detected.
  • No host with multiple network connections may be connected across a firewall in any way including wireless connections.
  • Wireless connections from inside the network to external connections are not permitted.
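The traffic-flow rules above (Deny All, external connectivity only to the semi-trusted network, administration only from a trusted source, no partner-to-partner bridging) can be checked mechanically against a firewall's rule export during the audits in section 9. The following is an added example, not part of the policy; the zone names, rule fields and sample rules are constructed, and the script would need to be adapted to the export format of a real firewall.

```python
"""Audit a zone-based firewall rule export against this policy's traffic-flow rules.

Assumptions (constructed for the example): rules are dicts with a source and
destination zone, a source address or CIDR, and an action; zones named
"untrusted" and "partner" are external, "dmz" is semi-trusted, "trusted" is
the internal network and "management" is the device-administration network.
"""
from typing import Dict, List

EXTERNAL_ZONES = {"untrusted", "partner"}   # any network the organization does not manage
ANY_SOURCE = "0.0.0.0/0"

# Constructed rule export; first match wins, default action supplied separately.
SAMPLE_RULES = [
    {"id": 1, "src_zone": "untrusted", "src": ANY_SOURCE, "dst_zone": "dmz",
     "dst": "192.0.2.25", "proto": "tcp", "dport": 443, "action": "allow"},
    {"id": 2, "src_zone": "untrusted", "src": ANY_SOURCE, "dst_zone": "trusted",
     "dst": "10.10.0.5", "proto": "tcp", "dport": 445, "action": "allow"},
    {"id": 3, "src_zone": "untrusted", "src": ANY_SOURCE, "dst_zone": "management",
     "dst": "10.99.0.1", "proto": "tcp", "dport": 22, "action": "allow"},
    {"id": 4, "src_zone": "trusted", "src": "10.20.0.0/24", "dst_zone": "management",
     "dst": "10.99.0.1", "proto": "tcp", "dport": 22, "action": "allow"},
    {"id": 5, "src_zone": "partner", "src": "198.51.100.0/24", "dst_zone": "partner",
     "dst": "203.0.113.0/24", "proto": "any", "dport": 0, "action": "allow"},
]


def audit_rules(rules: List[Dict], default_action: str) -> List[str]:
    """Return one finding per policy violation; an empty list means the export complies."""
    findings = []
    # Deny All: anything not expressly permitted must be dropped by the default action.
    if default_action != "deny":
        findings.append(f"default action is {default_action!r}; policy requires deny all")
    for r in rules:
        if r["action"] != "allow":
            continue                       # deny rules never widen exposure
        ext_src = r["src_zone"] in EXTERNAL_ZONES
        ext_dst = r["dst_zone"] in EXTERNAL_ZONES
        # External connectivity is permitted only to the semi-trusted network, never to trusted.
        if (ext_src and r["dst_zone"] == "trusted") or (ext_dst and r["src_zone"] == "trusted"):
            findings.append(f"rule {r['id']}: external connectivity to or from the trusted zone")
        # Administration must come from a trusted source address, not from anywhere.
        if r["dst_zone"] == "management" and (ext_src or r["src"] == ANY_SOURCE):
            findings.append(f"rule {r['id']}: management access not limited to a trusted source")
        # External partners may not reach each other through the organization's network.
        if ext_src and ext_dst:
            findings.append(f"rule {r['id']}: external entities bridged through the network")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, "deny"):
        print(finding)
```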

12.0 Security Perimeter Device Maintenance and Monitoring

Maintenance and monitoring of security devices on the network is essential to network security. Prompt application of software patches and proper, secure configuration are part of the required maintenance. Backups and monitoring functions or services are also critical to the success of network security and stability. Full backups must be performed immediately before updates to security devices. Backups are not written to unprotected devices or network drives.

  • Patches to perimeter security and monitoring devices must be applied within two weeks if possible. Patches and configuration changes should be tested prior to implementation if possible.
  • Care must be taken to perform backups of any devices on the security perimeter in a secure manner. Care must also be taken to ensure that restoration to these devices can only be done by authorized personnel and done securely.
  • Administrators of security devices on the security perimeter must receive security bulletins with information about newly discovered vulnerabilities on devices they manage.
  • Monthly firewall penetration analysis shall be performed according to the Network and Server Scanning Policy.
  • Firewall policies shall be reviewed at least twice per year.

13.0 Sensitivity Requirements

Different data has different sensitivity requirements. Data that is stored in the DMZ or semi-trusted zone must be publicly available, or data that can be publicly released without damage or embarrassment to the organization or individuals. Any data that is sensitive or in any way confidential must be stored in the trusted network or a more secure zone. Data should be classified according to the Data Classification Policy.

Depending upon the data classification and required levels of security for each class of data handled by the organization, it may be necessary to require that different subnetworks carry data with various sensitivity levels.

14.0 Security Scans and Assessments

Security perimeter devices and servers that provide services to the public across the internet must be scanned regularly (monthly) using external vulnerability scanning. Third parties that perform security vulnerability scanning must be bonded. Security flaws that are a medium level of severity or higher must be remediated within two weeks. Other systems that provide internal services must be scanned every other month and security flaws at a medium or higher level must be remediated within one month.

15.0 Remote Access

Remote access allows users to remotely connect to organizational resources. Normally remote access is gained using a dial-up connection to a networked server or through Virtual Private Networking (VPN). The following items are required for remote access connections:

  • Remote access sessions that use unsecured media such as the internet to connect to the organizational network or resources must be encrypted and meet the minimum encryption standards set in the Encryption Policy, which requires a proven and secure encryption mechanism.
  • All remote access connections must connect through the security perimeter.
  • All remote access sessions must be logged and may be monitored.
  • Remote access connectivity rules for administration must be limited to a trusted source address rather than allowing any remote connection for the purposes of administration.
  • Remote access sessions must have time limits on idle sessions and may have time limits on active sessions.
  • All resources such as laptops, desktop computers, and handheld devices must meet minimum security requirements to be allowed to remotely connect to organizational resources. Minimum security requirements include active and current virus protection, personal firewalls, and current system updates.
  • Remote access must use multifactor authentication such as a user password and a secure ID token (Something you know and something you have). Authentication mechanisms used must be approved by the Chief Information Security Officer.

16.0 Security Incident Response

A security incident response plan according to the Security Incident Response Policy must exist for the organization at various levels. The plan must include a minimum of:

  • Response to compromise of a security perimeter device.
  • Response to a compromise of a network routing device.
  • Response to a compromise of a server.
  • Response to a system failure or network device failure including failure of an internet service provider.
  • Response to a virus or worm threat.
  • Response to unauthorized changes to a website, defacing of a website, or breach of security associated with a public facing service.

Responses to compromise of servers and security devices must include securing evidence, both to determine how the intrusion was carried out so that the vulnerability can be remediated and for possible prosecution of the subjects involved.

17.0 System and Resource Security

Access to resources that are used to keep the security perimeter secure, and to resources inside the security perimeter, must be managed to minimize risk. This includes the following minimum policies:

  • All accounts used to access resources, systems, or services must have unique passwords and no sharing of accounts is permitted.
  • User accounts will only have the minimum required permissions needed for the performance of their duties.
  • Administrators and service accounts will only have the minimum required permissions needed to perform their function.
  • Physical security to resources inside the security perimeter must meet minimum standards according to the Physical Security Policy.

18.0 Outsourcing

Equipment purchased through contractors or from any third party must meet the requirements of this policy. Contracts must specify that the requirements of this and other policies are met by vendors and contractors.

19.0 Additional Policies

Equipment covered by this Perimeter Security Policy must also meet the requirements of the Internet DMZ Equipment Policy. Related policies referenced by this policy include:

  • Incident Response Policy
  • Remote Access Policy
  • Network and Server Scanning Policy

20.0 Enforcement

Organizational members that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

21.0 Additional Requirements

  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • Auditors must periodically check to be sure this policy is being followed.
  • Devices used to secure the network perimeter must be covered by the disaster recovery and business continuity plans.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________