Firewall "Standard"

The company I work for has just been pinged by the SOX auditors for not having a "standard config" to our firewall. They didn't accept our policy but couldn't relate why our policy failed their "standard" test. When I see "standard" I am thinking IEEE or ISO type documents ... Is there such a thing for firewalls? Any pointers to documents, FAQ to read would be appreciated.

Thanks in advance.

mailbag

What about asking the auditors themselves?

Sebastian Gottschalk

Then the auditors failed the standard test and should be fired for absolute incompetence. If they do a test, but don't know what the test is, or can not explain it - they are totally worthless. Security procedures are not a tick-box on some stupid form. One size does NOT fit all.

Have you tried using a search engine?

Web Results 1 - 10 of about 413,000 for Firewall standard NIST. (0.21 seconds)

Web Results 1 - 10 of about 416,000 for Firewall standard NSA. (0.19 seconds)

Web Results 1 - 10 of about 2,050,000 for Firewall standard IEEE. (0.18 seconds) (much less useful)

Web Results 1 - 10 of about 2,520,000 for Firewall standard RFC. (0.22 seconds)

Web Results 1 - 10 of about 3,860,000 for Firewall standard ISO. (0.26 seconds)

The reason I looked for RFCs is relatively simple:

2196 Site Security Handbook. B. Fraser. September 1997. (Format: TXT=191772 bytes) (Obsoletes RFC1244) (Also FYI0008) (Status: INFORMATIONAL)

2316 Report of the IAB Security Architecture Workshop. S. Bellovin. April 1998. (Format: TXT=19733 bytes) (Status: INFORMATIONAL)

2504 Users' Security Handbook. E. Guttman, L. Leong, G. Malkin. February 1999. (Format: TXT=74036 bytes) (Also FYI0034) (Status: INFORMATIONAL)

2828 Internet Security Glossary. R. Shirey. May 2000. (Format: TXT=489292 bytes) (Also FYI0036) (Status: INFORMATIONAL)

3013 Recommended Internet Service Provider Security Services and Procedures. T. Killalea. November 2000. (Format: TXT=27905 bytes) (Also BCP0046) (Status: BEST CURRENT PRACTICE)

You can find those RFCs on the web in dozens of sites. A _source_ would be:

replacing the four zeros with the four digit number of the document.

Old guy

Moe Trin

BTW: FullACK.

Yours, VB.

Volker Birk

There is NO SOX firewall standard, don't let them tell you otherwise. I've taken companies through several SOX audits and it's a simple matter of no access unless proven necessary. You also have to document the rules and the reasons for them, and then any changes to the rules.

There is no "Standard Config" for any firewall, it's always based on the customer and their business needs.

Require the auditors to show you where the existing config fails and where the "Specific language" in the SOX requirements defines "standard config".

Leythos
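Leythos's three points (default deny, a documented reason for every rule, and a record of each change) can be checked mechanically before the auditors arrive. The script below is an added example and not code from anyone in this thread: it audits a small constructed iptables-save style ruleset; the CHG-nnnn change-ticket format and the exemption for conntrack return-traffic rules are assumptions.

```python
import re
import shlex

# Constructed iptables-save style ruleset for the demonstration (not from the thread).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "CHG-1042 return traffic for established sessions"
-A INPUT -p tcp -s 10.0.5.0/24 --dport 22 -j ACCEPT -m comment --comment "CHG-1043 admin SSH from management subnet only"
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "web frontend"
COMMIT
"""

TICKET_RE = re.compile(r"\bCHG-\d+\b")  # assumed change-ticket format; adapt to your change-management system
INBOUND_CHAINS = ("INPUT", "FORWARD")   # chains that must default to deny

def _opt(tokens, flag):
    """Return the value following `flag` in a tokenised rule, or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None

def audit_ruleset(text):
    """Return the findings an auditor would raise: non-deny defaults, undocumented or untracked permits, open sources."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith(":"):  # chain policy line, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            if chain in INBOUND_CHAINS and policy != "DROP":
                findings.append(f"line {lineno}: chain {chain} default policy is {policy}, expected DROP (default deny)")
            continue
        if not line.startswith("-A"):
            continue
        tokens = shlex.split(line)  # handles the quoted --comment value
        chain = tokens[1]
        if chain not in INBOUND_CHAINS or _opt(tokens, "-j") != "ACCEPT":
            continue
        comment = _opt(tokens, "--comment")
        if comment is None:
            findings.append(f"line {lineno}: ACCEPT rule in {chain} has no comment documenting its purpose")
        elif not TICKET_RE.search(comment):
            findings.append(f"line {lineno}: ACCEPT rule in {chain} comment lacks a change ticket: {comment!r}")
        # Return-traffic rules are exempt from the source restriction; everything else must name a source.
        if _opt(tokens, "-s") is None and _opt(tokens, "--ctstate") is None:
            findings.append(f"line {lineno}: ACCEPT rule in {chain} allows any source; justify it or restrict with -s")
    return findings
```

Feeding the output of `iptables-save` into `audit_ruleset` gives a findings list that doubles as the evidence the auditors asked for, and keeping it in version control gives the change history Leythos describes.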
