Many administrators spend their time securing Windows at just the network level or just the applications level -- and never cross the line from one group to the other. Where does your domain lie and how do you keep Windows data secure even if the perimeter is compromised? We asked those questions of our ITKnowledge Exchange members. Here is one of the responses, or return to the main page for the complete list of letters to the editor.
Enforcing a formal firewall exception policy
Perimeters become porous only partially because of business demands. More commonly, few organizations have a formal firewall exception and review policy in place – or, if they do, they fail to follow up on it.
For example, one place I worked had a Checkpoint Firewall-1 with over 200 rules. To cope with the increasing load on the firewall, attempts were made to shut down logging on most rules. When I noticed this, I suggested that we (me and the firewall administrator) go through all of the rules and analyze them for current need, duplication and reality check (rules that applied to long-gone objects). This was an iterative process -- too difficult to do in one fell swoop -- but the result was to cut the number of rules in half.
The other problem was the lack of a formal policy that defined who specify rules and what the lifetime of the rules should be. I've gotten management at a number of companies to abide by and support the following policy:
1. All requests for a firewall "hole" must be accompanied by a business justification and be approved by a director-level manager or above who will be listed as the responsible business owner for that rule.
2. All requests must include the technical owner's name and phone number.
3. All requests must include an estimated closure date for the rule.
Rule implementation must include the business/technical owners' names and the expiration date of the rule. Rule implementation must also include a search for relevant similar rules in order to group similar functions under the same rule (example: one rule for outbound SSH, all users fit in there).
There must be a semi-annual or annual formal review of all rules supported and participated in by management.
Return to the main page for all letters to the editor regarding network vs. data security -- or e-mail us your own comments.
This was first published in May 2005