How to Deploy Firewalls
CIO Council Security Practices Subcommittee (SPS)
Software Engineering Institute
Networked Systems Survivability Program
1.7 Level of BSP
1.8 Security Processes or other Framework(s) Supported
Technical Security/Install & Turn on Firewall Controls (SPF 6.2.8; NIST SP800-14, par. 3.4.4)
1.10 Points of Contact
Carnegie Mellon University
Software Engineering Institute
4500 Fifth Avenue
Pittsburgh, PA 15213
2.0 What This BSP Does
This BSP discusses guidelines for designing, installing, and deploying simple packet-filtering firewalls. It does not cover policy, product selection, or operations. Advanced firewall capabilities (e.g., proxies, stateful (dynamic) packet filtering, network address translation, etc.) are covered only briefly, as design considerations.
The steps are platform and OS independent. Product-specific documentation should be referenced for detailed implementation guidance.
The described approach has been used by the SEI's Networked Systems Survivability (NSS) Program.
2.2 Requirements for this BSP
SEI NSS Program security policy. [Proprietary, based on the NSS and CERT/CC mission.]
3.0 What This BSP Is
3.1 Description of BSP
A more complete description of this BSP can be found in the Deploying Firewalls security improvement module (http://www.cert.org/security-improvement/modules/m08.html).
Prepare
1. Design the firewall system (5 steps).
Configure
2. Acquire firewall hardware and software (4 steps).
3. Acquire firewall documentation, training, and support (2 steps).
4. Install firewall hardware and software (5 steps).
5. Configure IP routing (2 steps).
6. Configure firewall packet filtering (3 steps).
7. Configure firewall logging and alert mechanisms (4 steps).
Test
8. Test the firewall system (10 steps).
9. Install the firewall system (2 steps).
10. Phase the firewall system into operation (3 steps).
3.2 Relationship to Other BSPs
Not applicable at this time.
4.0 How To Use This BSP
There is a wide range of topics related to the design, installation, and deployment of firewalls that are not covered in detail in this BSP. These include:
Many of these topics are covered in other firewall references, several of which are included in the reference section of the SEI's security improvement module.
4.2 Implementation Resource Estimates
Resource estimates were not collected during the SEI NSS firewall deployment. However, the following rough order-of-magnitude timeframes represent the calendar time required by one staff member to implement each of the practices described in Section 3.1. This staff member was working on the firewall deployment approximately half-time.
1. Design the firewall system: 3 months
2. Acquire firewall hardware and software: 2 months
3. Acquire firewall documentation, training, and support: 1 month
4. Install firewall hardware and software: 1 month
5. Configure IP routing: 1 week
6. Configure firewall packet filtering: 3 weeks
7. Configure firewall logging and alert mechanisms: 2 weeks
8. Test the firewall system: 2 weeks
9. Install the firewall system: 1 week
10. Phase the firewall system into operation: 2-3 months
4.3 Performance Goals and Indicators (Metrics)
A variety of network monitoring and intrusion detection tools were used to verify proper firewall performance. These included snort, tcpdump, nmap, and syslog analysis. These tools can be used to see whether the deployed firewall accepts, rejects, or denies packets as specified by the policy guiding its deployment.
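As an added example, not code from this BSP or the SEI module, the following models the first-match rule evaluation a simple stateless packet filter performs and compares the firewall's observed handling of probe packets (as recorded with tools such as nmap and tcpdump) against the written policy, so that any rule that accepts, rejects, or denies differently from the policy is surfaced for review. The policy, addresses, and observed results are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed policy for a simple stateless packet filter, evaluated top to
# bottom with first-match semantics: "accept" forwards the packet, "reject"
# drops it and sends an ICMP error back, "deny" drops it silently. The last
# rule is the explicit default-deny stance the design step should settle on.
POLICY = [
    # (action, proto, source CIDR, destination CIDR, destination port range)
    ("accept", "tcp", "0.0.0.0/0",    "192.0.2.10/32", (80, 80)),    # public web server
    ("accept", "tcp", "192.0.2.0/24", "0.0.0.0/0",     (1, 65535)),  # outbound from DMZ
    ("reject", "tcp", "0.0.0.0/0",    "192.0.2.0/24",  (113, 113)),  # ident: fail fast
    ("deny",   "any", "0.0.0.0/0",    "0.0.0.0/0",     (0, 65535)),  # default deny
]

Packet = namedtuple("Packet", "proto src dst dport")

def evaluate(policy, pkt):
    """Return the action of the first rule that matches pkt."""
    for action, proto, src, dst, (lo, hi) in policy:
        if proto != "any" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst):
            continue
        if lo <= pkt.dport <= hi:
            return action
    raise ValueError("policy has no terminal rule; add an explicit default deny")

def verify(policy, observations):
    """Compare the firewall's observed handling of probe packets (as recorded
    with tools such as nmap and tcpdump) with the policy; return mismatches."""
    return [(pkt, evaluate(policy, pkt), seen)
            for pkt, seen in observations if evaluate(policy, pkt) != seen]

# Constructed probes and the (hypothetical) behaviour observed at the firewall.
OBSERVED = [
    (Packet("tcp", "198.51.100.7", "192.0.2.10", 80), "accept"),
    (Packet("tcp", "198.51.100.7", "192.0.2.10", 22), "deny"),
    (Packet("tcp", "198.51.100.7", "192.0.2.20", 113), "reject"),
    (Packet("tcp", "192.0.2.20", "198.51.100.7", 443), "accept"),
    (Packet("udp", "198.51.100.7", "192.0.2.10", 53), "accept"),  # policy says deny
]

if __name__ == "__main__":
    for pkt, expected, seen in verify(POLICY, OBSERVED):
        print(f"MISMATCH {pkt}: policy={expected} firewall={seen}")
```

The single mismatch reported is the UDP probe the firewall accepted although the policy's default rule denies it, which is exactly the kind of discrepancy the testing step (practice 8) is meant to catch before the firewall is phased into operation.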
See 4.3, above.
See the reference list provided in Deploying Firewalls at http://www.cert.org/security-improvement/modules/m08.html.
A Executive Overview and Briefing
A summary of the SEI security improvement module contents can be found in Deploying Firewalls at http://www.cert.org/security-improvement/modules/m08.html. There is no equivalent briefing.
See the reference list provided in Deploying Firewalls at http://www.cert.org/security-improvement/modules/m08.html.
See also the NIST draft document titled "Implementing Internet Firewall Security Policy," available at http://csrc.nist.gov/publications/drafts.html.
The originator has reviewed the BSP on its 6-month anniversary and found that the BSP remains technically current.
See the abbreviations contained in Deploying Firewalls at http://www.cert.org/security-improvement/modules/m08.html.