SB.11.006 Firewall Rule Management

Medium
Medium
Medium
Network Security
Organisation
Version: v2.0 (Q1 2024)

Description

The network firewall is set up to protect hosts on the network against network flows that are potentially insecure. The firewall is one part of a layered defence, not the only control.

By default the firewall rules deny all traffic that is not explicitly allowed. Rules that allow traffic needed for functionality follow the architectural design.

All firewall rules are documented with a textual explanation of their purpose and a revision date. Firewall rules are revised on or before their revision dates.

Access to the firewall itself is appropriately protected. The firewall has a safe configuration by default: it filters all traffic and does not expose administrative interfaces.

Firewalls log both denied and allowed traffic so that network problems and security incidents can be investigated.

Firewall rules are consistent and synchronised for IPv4 and IPv6.

Specification

Firewalling is stateful by default: traffic that is a response to, or clearly related to, an already allowed connection is allowed.

Packets carrying IP source-routing information (IPv4 source-route options and the IPv6 routing header) are not allowed and are dropped.

Traffic with the firewall itself as destination must be blocked, except for intended administrative tasks.

Traffic with invalid source or destination addresses must be dropped.

Firewall rules are kept synchronised for IPv4 and IPv6.

Broadcast destination addresses are not forwarded.

Firewall performance should be sized according to SLA goals.

Follow the best practices in NIST SP 800-41 Rev. 1, "Guidelines on Firewalls and Firewall Policy": https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf
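As an added example (not part of the control text and not an official ruleset), the POSIX shell script below emits an nftables ruleset that implements the Specification points above and the documentation requirement from the Description: default deny in both directions, stateful acceptance of replies, dropping of invalid ("bogon") sources, source-routed packets and forwarded broadcasts, administrative access to the firewall only from a management interface, and logging of both allowed and denied traffic. It uses the `inet` family, in which one rule applies to IPv4 and IPv6 alike, so the two address families stay synchronised by construction. Every rule carries a `comment` with its purpose and a `review=` date, and `fw_audit` checks that no rule is undocumented or overdue. Interface names (`wan0`, `lan0`, `mgmt0`), the jump host `10.99.0.10`, the bogon lists and all review dates are assumptions for illustration.

```shell
#!/bin/sh
# Added example: nftables ruleset for the control above plus a documentation audit.
# Interfaces, addresses, bogon lists and review dates are assumptions, not site data.

fw_ruleset() {
cat <<'EOF'
flush ruleset

table inet filter {
    # Source addresses never valid here (constructed lists). 0.0.0.0/8 breaks DHCP
    # DISCOVER if this host serves DHCP; :: is left out because IPv6 DAD uses it.
    set bogons_v4 {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 224.0.0.0/3 }
    }
    set bogons_v6 {
        type ipv6_addr
        flags interval
        elements = { ::1/128, ::ffff:0:0/96, ff00::/8 }
    }

    # Traffic addressed to the firewall itself: default deny, administration only.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept comment "stateful: replies to allowed flows; review=2025-03-31"
        ct state invalid log prefix "fw-in-invalid: " drop comment "no conntrack entry; review=2025-03-31"
        iif lo accept comment "loopback; review=2025-03-31"
        ip saddr @bogons_v4 log prefix "fw-in-bogon: " drop comment "invalid v4 source; review=2025-03-31"
        ip6 saddr @bogons_v6 log prefix "fw-in-bogon: " drop comment "invalid v6 source; review=2025-03-31"
        ip option lsrr exists log prefix "fw-in-srcroute: " drop comment "no loose source routing; review=2025-03-31"
        ip option ssrr exists log prefix "fw-in-srcroute: " drop comment "no strict source routing; review=2025-03-31"
        exthdr rt exists log prefix "fw-in-srcroute: " drop comment "no IPv6 routing header; review=2025-03-31"
        iifname "mgmt0" ip saddr 10.99.0.10 tcp dport 22 log prefix "fw-in-admin: " accept comment "SSH from jump host only; review=2024-06-30"
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept comment "v4 diagnostics; review=2025-03-31"
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept comment "v6 diagnostics and neighbour discovery; review=2025-03-31"
        log prefix "fw-in-drop: " drop comment "catch-all, logged; review=2025-03-31"
    }

    # Traffic through the firewall: default deny, allowed flows per the design.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept comment "stateful: replies to allowed flows; review=2025-03-31"
        ct state invalid log prefix "fw-fwd-invalid: " drop comment "no conntrack entry; review=2025-03-31"
        ip saddr @bogons_v4 log prefix "fw-fwd-bogon: " drop comment "invalid v4 source; review=2025-03-31"
        ip6 saddr @bogons_v6 log prefix "fw-fwd-bogon: " drop comment "invalid v6 source; review=2025-03-31"
        ip option lsrr exists log prefix "fw-fwd-srcroute: " drop comment "no loose source routing; review=2025-03-31"
        ip option ssrr exists log prefix "fw-fwd-srcroute: " drop comment "no strict source routing; review=2025-03-31"
        exthdr rt exists log prefix "fw-fwd-srcroute: " drop comment "no IPv6 routing header; review=2025-03-31"
        fib daddr type broadcast log prefix "fw-fwd-bcast: " drop comment "broadcasts are not forwarded; review=2025-03-31"
        iifname "lan0" oifname "wan0" tcp dport { 80, 443 } log prefix "fw-fwd-web: " accept comment "LAN web access per design; review=2024-12-31"
        iifname "lan0" oifname "wan0" udp dport 53 log prefix "fw-fwd-dns: " accept comment "LAN DNS to upstream resolver; review=2024-12-31"
        log prefix "fw-fwd-drop: " drop comment "catch-all, logged; review=2025-03-31"
    }
}
EOF
}

# Audit of the documentation requirement: every rule with a verdict must carry a
# comment with a purpose and a review=YYYY-MM-DD date, and none may be due on or
# before the date given as $1. Prints one line per finding, nothing when clean.
fw_audit() {
    fw_ruleset | awk -v today="$1" '
        /^[[:space:]]*(flush|table|chain|set|type|flags|elements|#|[}]|$)/ { next }
        /accept|drop/ {
            rule = $0; sub(/^[[:space:]]+/, "", rule)
            if (match(rule, /review=[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/)) {
                due = substr(rule, RSTART + 7, 10)
                if (due <= today) printf "OVERDUE %s: %s\n", due, rule
            } else {
                printf "UNDOCUMENTED: %s\n", rule
            }
        }'
}

# Usage: fw_ruleset | nft -c -f -   (syntax check only), then fw_ruleset | nft -f -
# fw_audit "$(date +%F)" prints nothing on a firewall whose rules are all current.
```

Two practical notes. `nft -c -f -` validates the ruleset without loading it, which is the safe first step when applying this over the same SSH session the `input` chain restricts. Logging every accepted packet, as the control asks, is costly at line rate; in production attach `limit rate` to the log statements or use `log group` (nflog) to a collector rather than the kernel log, and keep the denied-traffic logs unconditional.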