When it comes to implementing a firewall, planning comes first, and the basis of that planning is your organization's security policy. The firewall must be capable of protecting the LAN resources from threats on the Internet. In a recent article introducing firewalls, I discussed firewall basics. Now I am going to discuss the security policy that should be in place before a firewall is implemented on your network.
What Is a Security Policy
A security policy is a set of rules for an organization stating what can and cannot be done on a computer or within the organization's network. It describes the desirable user actions in detail, and it also states the penalties a user may face for violating any of the rules set out by the policy or the organization.
What Can Be Included in a Security Policy
The security policy should include at least the following:
- Rules for network connections
- Equipment usage rules
- Rules for employees
Policy for Network Connections
The security policy should include rules for installing and configuring the equipment used for network connections. These can include the following:
- Which operating systems may be installed, which of their features may be enabled, and which applications may be installed.
- Which antivirus solution will be used and how it is kept updated. The antivirus solution must be installed and kept up to date on every host.
- Which IP address ranges and subnet masks may be used, and whether hosts use static IP addresses or obtain them dynamically via DHCP.
- Detailed guidelines and procedures for user account creation, assignment of user rights, and user deactivation.
- Whom to contact for permission to install new hardware or software. Normally no hardware or software should be installed without the permission of the network or system administrators.
The list can go on depending on the size of the network and the organization.
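A policy is only useful if it can be checked against what is actually deployed. The following script is an added example, not part of the original article, showing how the rules above (approved subnets, static versus DHCP addressing, antivirus currency, and approved software) can be encoded and audited against a host inventory. The subnets, roles, software names, the three-day definition age limit, and the host records are all hypothetical values invented for this example.

```python
import ipaddress
from datetime import date, timedelta

# Hypothetical policy values for this example (assumptions, not from the article).
APPROVED_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("10.20.1.0/24"),
]
STATIC_ALLOWED_ROLES = {"server"}       # only servers may use static addresses; workstations use DHCP
MAX_AV_DEFINITION_AGE = timedelta(days=3)
APPROVED_SOFTWARE = {"office-suite", "pdf-reader", "corp-vpn"}


def check_host(host, today):
    """Return a list of policy violations for one host record (empty list means compliant)."""
    problems = []
    name = host["name"]

    # Rule: only addresses from the approved ranges may be used.
    addr = ipaddress.ip_address(host["ip"])
    if not any(addr in net for net in APPROVED_SUBNETS):
        problems.append(f"{name}: address {addr} is outside the approved subnets")

    # Rule: static addressing is reserved for specific roles; everything else uses DHCP.
    if host["addressing"] == "static" and host["role"] not in STATIC_ALLOWED_ROLES:
        problems.append(f"{name}: role '{host['role']}' must use DHCP, not a static address")

    # Rule: antivirus must be installed and its definitions kept current.
    if not host["antivirus_installed"]:
        problems.append(f"{name}: antivirus is not installed")
    elif today - host["av_definitions_date"] > MAX_AV_DEFINITION_AGE:
        problems.append(f"{name}: antivirus definitions are older than "
                        f"{MAX_AV_DEFINITION_AGE.days} days")

    # Rule: only software approved and supplied by the organization may be installed.
    unapproved = sorted(set(host["software"]) - APPROVED_SOFTWARE)
    if unapproved:
        problems.append(f"{name}: unapproved software installed: {', '.join(unapproved)}")

    return problems


def audit(inventory, today):
    """Map each non-compliant host name to its list of violations."""
    report = {}
    for host in inventory:
        violations = check_host(host, today)
        if violations:
            report[host["name"]] = violations
    return report


# Constructed sample inventory for demonstration only.
SAMPLE_AUDIT_DATE = date(2024, 3, 2)
SAMPLE_INVENTORY = [
    {"name": "ws-01", "role": "workstation", "ip": "10.20.0.15", "addressing": "dhcp",
     "antivirus_installed": True, "av_definitions_date": date(2024, 3, 1),
     "software": ["office-suite", "pdf-reader"]},
    {"name": "ws-02", "role": "workstation", "ip": "10.20.0.16", "addressing": "static",
     "antivirus_installed": True, "av_definitions_date": date(2024, 2, 20),
     "software": ["office-suite", "torrent-client"]},
    {"name": "srv-01", "role": "server", "ip": "192.168.5.10", "addressing": "static",
     "antivirus_installed": False, "av_definitions_date": None,
     "software": ["corp-vpn"]},
]


def audit_sample():
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_INVENTORY, SAMPLE_AUDIT_DATE)


if __name__ == "__main__":
    for host_name, issues in audit_sample().items():
        for issue in issues:
            print(issue)
```

In the sample data, ws-01 is compliant, ws-02 is flagged for a static address on a workstation, stale antivirus definitions and an unapproved application, and srv-01 is flagged for an address outside the approved ranges and a missing antivirus installation. In practice the inventory would be pulled from a configuration management or endpoint management system rather than typed in by hand.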
Equipment Usage Rules
The security policy should also include rules for the use of workplace equipment, e.g. desktop computers and laptops. This includes which websites may be visited and which applications may be used.
- No application should be installed without prior approval from the system and network administrators. Only software approved and supplied by the organization should be installed, and only by designated persons.
- Applications should be installed in accordance with the vendors' licensing terms.
- Email should be used strictly for official purposes, and subject to defined guidelines.
- Password sharing should not be allowed.
- Equipment should be locked or logged out of before leaving the workplace.
- The IT security department should be informed of any suspicious activity.
- Users should not be able to access data that is unrelated to their own work.
Rules for Employees
Regular on-roll employees can be given somewhat higher privileges, but contract employees and service providers should be given stricter, more limited privileges to keep the possible exposure to a minimum.
Next we will talk about the firewall policies to be used at the time of implementation and the strategies we must follow.