Antonio Jose Segovia
May 25, 2015
A firewall is basically software that manages connections between different networks (internal or external), and has the ability to accept a connection, reject it, or filter it under certain parameters. Because this is a key component in any organization, we can consider it as if it were the door of our house. Our house would be safer if we had two locks and the doors were armored, wouldn’t it? For a network security perimeter, the concept is basically the same.
ISO 27001 does not set the technical details, so it needs the security controls of ISO 27002 to reduce risks related to loss of confidentiality, integrity, and availability. A company must perform risk assessment to find out which kind of protection it needs, and set its own rules on how to mitigate those risks. It is important to know how to implement the controls that are related to firewalls, because they protect us from threats related to connections and networks, and can therefore help us to reduce risks.
To see differences between the standards, read this article ISO 27001 vs. ISO 27002.
Firewall policies are related to the global operating mode of the firewall, and most of them have two basic configuration policies:
The first is much easier and more comfortable, but more dangerous because everything is accepted by default, while the second is much harder and requires more set-up time, but it is much safer (security and comfort are not compatible: more security = more uncomfortable, and less security = more comfortable).
Finally, both policies are related to the operating mode of the firewall, but you can include it as a document (for example “Policy Firewall”) in the Information Security Management System (ISMS) that is established by ISO 27001. After all, technology is an important part of the ISMS, and firewalls are related to the security controls of Annex A of ISO 27001.
Another important option when setting up a firewall involves its mode of operation. There are two basic choices:
These options are available in most firewalls, and knowing them will help you understand the functions of the firewall and configure it properly. From an ISO 27001 point of view, you need to reduce risks related to information security, and there are many risks related to networks, so you will likely need a well-configured firewall to reduce them.
On the other hand, it is highly recommended to always enable event logging, to maintain traceability in the event of an incident (see control A.12.4.1 Event logging). Usually, the firewall allows you to configure the level of detail of the event log, but be aware that higher detail requires more storage capacity.
Back to ISO 27001, the standard has no control that explicitly indicates the need to install a firewall in the organization (the closest is A.13.1.2 Security of network services), but the need seems rather obvious, as firewalls come standard on any system.
When you configure a firewall, you need to include rules for each connection, and when you create a rule, the parameters that usually have to be considered are the following:
Note also that the order of the rules is very important: the first rule usually has higher priority than the rest.
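The following Python sketch is an added example, not part of the original article or of any firewall product. It evaluates a ruleset first-match-first, falls back to the default policy when no rule matches, and flags rules that can never fire because an earlier rule covers them. The rule fields (source network, protocol, destination port, action), the rule names and the addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source network in CIDR notation
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "accept" or "deny"

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every connection matching `other` also matches this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))

def evaluate(rules, default, src_ip, proto, dport):
    """First match wins; the default policy applies only when nothing matches."""
    for rule in rules:
        if rule.matches(src_ip, proto, dport):
            return rule.action, rule.name
    return default, "default-policy"

def shadowed(rules):
    """Pairs (later, earlier) where the later rule is fully covered and never fires."""
    return [(later.name, earlier.name)
            for i, later in enumerate(rules)
            for earlier in rules[:i] if earlier.covers(later)]

# Constructed sample ruleset using documentation address ranges.
ALLOW_WEB = Rule("allow-https", "0.0.0.0/0", "tcp", 443, "accept")
BLOCK_NET = Rule("block-bad-net", "203.0.113.0/24", "tcp", 443, "deny")
BAD_ORDER = [ALLOW_WEB, BLOCK_NET]   # the deny rule is never reached
GOOD_ORDER = [BLOCK_NET, ALLOW_WEB]  # specific deny first, broad accept second

if __name__ == "__main__":
    for label, rules in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        print(label, evaluate(rules, "deny", "203.0.113.7", "tcp", 443), shadowed(rules))
    # Unmatched traffic: the outcome depends only on the default policy.
    print(evaluate(GOOD_ORDER, "accept", "198.51.100.9", "tcp", 23))
    print(evaluate(GOOD_ORDER, "deny", "198.51.100.9", "tcp", 23))
```

Running a shadowing check like this before each rule change is one way to catch a deny rule that was silently placed below a broader accept rule.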
Keep in mind that this is only basic information about the configuration of a firewall, and ISO 27001 does not specify how to configure it, but again, it is important that you have basic knowledge to configure firewalls and reduce the risks you identified for your network.
Therefore, the next step is to develop a procedure that shows how to manage the firewall. Although this is not mandatory, it’s recommended for mid-sized or larger companies. (To learn which documents are mandatory, see List of mandatory documents required by ISO 27001 (2013 revision)). You can name this procedure “Firewall Policy” or “Firewall Technical Instruction,” and it should include how to configure it, including the policies mentioned above, and also how to configure parameters of the connections: rules, operation mode, etc. (The firewall will work based on these.) This procedure will be very useful for IT personnel, but also will be helpful for the ISMS, because you can use it as technical instruction.
To conclude, your key takeaway should be that firewalls are very important in any organization, because they are the digital door of your business, and you need to know basic information about their configuration. Furthermore, firewalls will help you to implement security controls that help you to reduce risk in ISO 27001, so both (firewalls and ISO 27001) make a good team!
Read the white paper ISO 27001 Case study for data centers if you want to see how ISO 27001 can contribute to the security of a data center in which firewalls play a significant role.