IT Baseline Protection Manual - Chapter 7.3 Firewall
7.3 Firewall
Description
Firewalls are used to control communication between two
networks. Usually a firewall protects a network against
attacks originating from networks requiring a lower degree
of protection, e.g. when a sub-network requiring
protection is connected to an institution-wide network or
when a company network is connected to the Internet.
In this chapter, a firewall is a combination of hardware
and software which acts as the sole junction between two
separate TCP/IP networks, one of which requires a higher
degree of protection. As a firewall of this kind is often used to protect the internal network from attacks
through the Internet, it is also called an Internet firewall.
In this chapter, only the threats and safeguards specific to a firewall are described. Furthermore, the
threats and safeguards specific to the IT system on which the firewall is implemented must also be
considered. It is assumed that the firewall is implemented on a Unix system, i.e. the threats and
safeguards described in Chapter 6.2 should be observed in addition to those contained below.
Threat Scenario
The following typical threats are assumed for a firewall as part of IT baseline protection:
Organisational Shortcomings:
T 2.24 Loss of confidentiality of sensitive data of the network to be protected
For the implementation of IT baseline protection, selection of the required packages of safeguards
("modules"), as described in Chapters 2.3 and 2.4, is recommended.
A firewall protects the internal network against attacks from outside. In order to protect the internal
network against attacks from inside, all necessary safeguards should also be taken even when a firewall
is in place. If the internal network is a Unix or a PC network, for example, the safeguards described in
Chapter 6.1 and Chapter 6.2 should also be implemented.
The firewall should be sited in a separate server room. The appropriate measures are described in
Chapter 4.3.2. If no server room is available, the firewall can alternatively be set up in a server cabinet
(see chapter 4.4 Protective Cabinets).
In order to set up a firewall successfully, a series of measures covering the conception, procurement
and operation of the firewall should be taken. The steps and measures involved are described below:
1. Concept of the network coupling using a firewall
   (c.f. S 2.70 Developing a Firewall Concept):
   - Determining the security objectives
   - Adapting the network structure
   - Basic requirements
2. Security policy of the firewall
   (c.f. S 2.71 Determining a Security Policy for a Firewall):
   - Selecting the communications requirements
   - Selection of services (prior to the selection of services,
     S 5.39 Safe use of protocols and services should be consulted)
   - Organisational regulations
3. Procuring the firewall:
   - Selecting the type of firewall
     (c.f. S 2.72 Demands on a Firewall and S 2.73 Selecting a Suitable Firewall)
   - Procurement criteria
     (c.f. S 2.74 Selection of a Suitable Packet Filter and
     S 2.75 Selection of a Suitable Application Gateway)
4. Implementation of the firewall:
   - Establishing and implementing filter rules
     (c.f. S 2.76 Selection and Implementation of Suitable Filter Rules)
   - Implementing the IT baseline protection safeguards for firewall computers
     (see Chapter 6.2)
   - Checking the implementation of the IT baseline protection safeguards for the IT
     systems of the internal network (c.f. Chapters 6.1, 6.2 and 6.3, for example)
   - Observing the conditions for the correct use of the various protocols and services
     (c.f. S 5.39 Safe use of protocols and services)
   - Inclusion of other components
     (see S 2.77 Correct Configuration of Other Components)
5. Operating the firewall
   (see S 2.78 Correct Operation of a Firewall):
   - Regular checks
   - Adaptation to changes and tests
   - Logging of firewall activities (c.f. S 4.47 Logging of firewall activities)
   - Contingency planning for the firewall (see also Chapter 3.3)
   - Data backup (see also Chapter 3.4 Data Backup Policy)
6. Operation of clients connected to the firewall:
   - Alongside the safeguards described in Chapter 5, the additional safeguards outlined
     in S 5.45 Security of WWW-browsers should be observed.
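Steps 4 and 5 above call for filter rules and for logging of firewall activities. The following is an added illustration, not code from the IT Baseline Protection Manual: a small model of an ordered packet filter in which the first matching rule decides, everything unmatched is denied, and every decision produces a log record that can later be reviewed. The address ranges, the permitted services, the interface names and the sample packets are all constructed for the example.

```python
"""Ordered packet-filter rule set with a default-deny policy and decision logging.

Added illustration for the firewall implementation and operation steps; it is
not code from the IT Baseline Protection Manual. Address ranges, services,
interface names and sample packets are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (assumption, not from the manual)
INTERNAL = ip_network("10.0.0.0/8")       # network requiring a higher degree of protection
MAIL_RELAY = ip_network("192.0.2.10/32")  # mail relay that outside hosts may reach
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    in_if: str       # interface the packet arrived on: "inside" or "outside"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None    # None matches any protocol
    dports: Tuple[int, ...] = ()   # empty tuple matches any destination port
    in_if: Optional[str] = None    # None matches any ingress interface

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src) in self.src
            and ip_address(pkt.dst) in self.dst
            and (self.proto is None or self.proto == pkt.proto)
            and (not self.dports or pkt.dport in self.dports)
            and (self.in_if is None or self.in_if == pkt.in_if)
        )


# First match wins, so the order of the rules expresses the policy.
RULES: List[Rule] = [
    # A packet arriving from outside must not claim an internal source address.
    Rule("anti-spoofing", "deny", INTERNAL, ANY, in_if="outside"),
    # Internal clients may browse the web; no other outbound service is permitted here.
    Rule("web-out", "permit", INTERNAL, ANY, proto="tcp", dports=(80, 443), in_if="inside"),
    # Outside hosts may deliver mail to the relay and nothing else.
    Rule("smtp-in", "permit", ANY, MAIL_RELAY, proto="tcp", dports=(25,), in_if="outside"),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default-deny"


def log_line(pkt: Packet, action: str, rule: str) -> str:
    """One record per decision, so that denied traffic can be reviewed during regular checks."""
    return (f"{action.upper():6} rule={rule} if={pkt.in_if} "
            f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")


def run_samples() -> List[str]:
    """Evaluate constructed sample packets and return their log lines."""
    samples = [
        Packet("10.1.2.3", "203.0.113.5", "tcp", 443, "inside"),     # internal web client
        Packet("10.1.2.3", "203.0.113.5", "tcp", 23, "inside"),      # telnet is not permitted
        Packet("198.51.100.7", "192.0.2.10", "tcp", 25, "outside"),  # inbound mail to the relay
        Packet("198.51.100.7", "10.1.2.3", "tcp", 80, "outside"),    # outside host reaching inside
        Packet("10.1.2.3", "192.0.2.10", "tcp", 25, "outside"),      # internal source seen from outside
    ]
    return [log_line(p, *evaluate(p)) for p in samples]


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

The two points a practitioner should take from the model are that the default at the end of the list is deny, so a service is reachable only because a rule was written for it, and that the anti-spoofing rule must precede the permit rules because ordering is what gives it effect. A real packet filter tracks connection state and interfaces in more detail, but the policy questions (which services, in which direction, from which networks, and what is logged) are the ones the safeguards above ask you to settle before any rule is written.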
There can be various reasons for deciding against the installation of a firewall, for example the
purchase costs, the high administration expenditure, or the fact that the remaining risks cannot be
accepted. If an Internet connection is nonetheless desired, a stand-alone system can alternatively be
installed (see S 5.46 Installing stand-alone systems for Internet usage).
The safeguards package for "Firewall" is presented in the following.