
Developing a Security Policy

Chapter 2
Learning Objectives
Understand why a security policy is an important part of a firewall implementation
Determine the goals of your firewall and incorporate them into a security policy
Follow the seven steps to building a security policy
Account for situations the firewall can’t handle
Define responses to security violations
Work with administration to make your security policy work
What Is a Security Policy?

A set of organization-level rules governing:
 Acceptable use of computing resources
 Security practices
 Operational procedures
Example of a Security Policy
Essential Information in a Security Policy
Date last updated
Name of office that developed the policies
Clear list of policy topics
Equal emphasis on positive points (access to information) and negative points (unacceptable policies)
Why Is a Security Policy Important?
Essential component of a fully functional firewall
 Defines what needs to be done when firewall is configured
 Defines intrusion detection and auditing systems that are needed
Minimizes impact of a “hack attack” on:
 Staff time
 Data loss
 Productivity
Setting Goals for an Effective Security Policy
Describe a clear vision for a secure networked computing environment
Be flexible enough to adapt to changes in the organization
Be consistently communicated and implemented throughout the organization
Specify how employees can and cannot use the Internet
Define appropriate and inappropriate behavior as it pertains to privacy and security
Seven Steps to Building a Security Policy
 Develop a policy team
 Determine organization’s overall approach to security
 Identify assets to be protected
 Determine what should be audited for security
 Identify security risks
 Define acceptable use
 Provide for remote access
Develop a Policy Team
Members (5-10 people)
 Senior administrator
 Member of legal staff
 Representative from rank-and-file employees
 Member of IT department
 Editor or writer who can structure and present the policy coherently
Identify one person to be the official policy interpreter
Determine Overall Approach to Security
Two primary activities for overall approach:
 Restrictive
 Permissive
Specific security stances:
 Open
 Optimistic
 Cautious
 Strict
 Paranoid
Identify Assets to Be Protected
Physical assets
 Actual hardware devices
Logical assets
 Digital information that can be viewed and misused
Network assets
 Routers, cables, bastion hosts, servers, firewall hardware and software
System assets
 Software that runs the system (i.e., server software and applications)
Example of Assets to Be Protected
Determine What Should Be Audited for Security
Auditing
 Process of recording which computers are accessing a network and what resources are being accessed
 Includes recording the information in a log file
Specify types of communication to be recorded and how long they will be stored
Use Tripwire to audit system resources
Use a firewall log to audit security events
Auditing with Tripwire
Auditing with a Firewall Log
Determine What Should Be Audited for Security
Auditing log files
Auditing object access
Identify Security Risks
Specify the kinds of attacks the firewall needs to guard against
 Denial of service attacks
 Disclosure of information due to fraud
 Unauthorized access
Define Acceptable Use
Define acceptable computing and communications practices on the part of employees and business partners
Aspects
 E-mail
 News
Provide for Remote Access
Specify acceptable protocols
Determine use of Telnet or Secure Shell (SSH) access to internal network from Internet
Describe use of cable modem, VPN, and DSL connections to access internal network through the firewall
Require remote users to have a firewall on their computer
Accounting for What the Firewall Cannot Do
A firewall sandwich or load balancing switches can be compromised by:
 Brute force attack
 Sending an encrypted e-mail message to someone within the network with a virus attached
 Employees who give out remote access numbers; unauthorized users can access company network
 Employees who give out passwords
Other Security Policy Topics
Passwords
Encryption
Restrictions on removable media
ASPs
Acceptable users
Secure use of office-owned laptop computers
Wireless security
Use of VPNs
Key policy
Defining Responses to Security Violations
Gather information on an incident response form
Define disciplinary action to be pursued if employees access the Internet improperly
Identify who to contact in case of intrusion
Defining Responses to Security Violations
Overcoming Administrative Obstacles
Educating Employees
Security User Awareness program
Advise workers of expectations and consequences
Make policies available on local network
Presenting and Reviewing the Process
Keep reports short and concise
Give people ample time to respond after policy statement is issued
Amending the Security Policy
Change the security policy when:
 The organization makes substantial changes in hardware configuration, or
 The firewall is reconfigured in response to security breaches
Chapter Summary
What a security policy is; why they are important
Setting goals that govern how a firewall is configured to protect a network
Seven steps to building a security policy
Defining responses to attacks and other intrusions
Guiding your security policy through corporate bureaucracy to gain management support and achieve security policy goals
