
Part of Data Security Standard 9 - IT protection

Firewalls (9.6.1 - 9.6.6)

Boundary firewall(s)

You should have a firewall at each boundary of your internal network to another network not in your control, for example to HSCN, the internet or a Community of Interest Network.

This should be in line with the HSCN requirement.


Firewall admin interface on the internet

Firewall admin interfaces are generally web based and present a known attack vector to any potential threat actor. Disable access to the web interface of a firewall from the internet.

Consideration should be given to whether and how you manage access to the firewall web interface remotely, for example through a remote access session or a Virtual Private Network (VPN).


Block unauthenticated inbound connections

Unauthenticated inbound connections are bad; block them by default.

Examples include:

  • SMB
  • NetBIOS
  • Telnet
  • TFTP
  • RPC
  • RDP
  • Rlogin
  • Rsh
  • rexec

Get approved

A single ill-judged inbound firewall rule could present a tempting target to any threat actor. It is important that inbound firewall rules are business justified, documented and appropriately approved.

New or updated inbound firewall rules should be treated as standard pre-approved changes only where they fall within a tightly defined, pre-agreed set of acceptable configurations; anything beyond that set needs explicit approval.

Where there is a conflict between business need and security, where appropriate, a risk should be raised for the Senior Information Risk Owner (SIRO) to consider.


Bin the old rules

Where a firewall rule is no longer required, for example where a system or process has been updated or retired, these rules should be removed or disabled as soon as possible.

It is understood that, for continuity reasons, it is useful to disable a rule for a period of time before deleting it, so that re-enabling it remains available as a rollback.

As part of your assurance process it is useful to review firewall rules to identify any that do not follow a least-privilege approach or that can be retired.
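As an added example, not part of this guidance or any NHS Digital tooling, the script below reviews a constructed inbound rule export against the points made under "Firewall admin interface on the internet", "Block unauthenticated inbound connections", "Get approved" and "Bin the old rules": it flags the listed unauthenticated services permitted from any source, an admin interface reachable from outside the management VPN, rules with no ticket or approver, rules that have not matched traffic for 90 days, and disabled rules still waiting to be deleted. The CSV layout, the admin address 192.0.2.1, the management range 10.200.0.0/24, the 90-day window and the port-to-service mapping are all assumptions made for the example.

```python
"""Audit an inbound firewall rule export against the DSPT 9.6 firewall points.

Example code only; the export format and all addresses are assumptions.
"""
import csv
import io
import ipaddress
from datetime import date, timedelta

# Ports for the unauthenticated services the guidance lists. The port numbers
# are an assumption based on the usual IANA assignments for these services.
LEGACY_SERVICES = {
    445: "SMB", 139: "SMB", 137: "NetBIOS", 138: "NetBIOS",
    23: "Telnet", 69: "TFTP", 111: "RPC", 135: "RPC", 3389: "RDP",
    513: "Rlogin", 514: "Rsh", 512: "rexec",
}

# Assumed layout: the firewall's own admin address, its admin ports, and the
# management VPN range that is the only acceptable source for remote admin.
FIREWALL_ADMIN_IP = "192.0.2.1"
ADMIN_PORTS = {443, 22}
MGMT_NET = ipaddress.ip_network("10.200.0.0/24")
STALE_AFTER = timedelta(days=90)  # assumed review window for unused rules
AS_OF = date(2022, 9, 27)  # review date for the sample (the page's last-edited date)

# Constructed sample export (not any real firewall's output), one inbound rule per line.
SAMPLE_EXPORT = """\
id,action,src,dst,dst_port,proto,enabled,ticket,approved_by,last_hit
R1,allow,0.0.0.0/0,192.0.2.10,443,tcp,yes,CHG-1001,j.smith,2022-09-20
R2,allow,0.0.0.0/0,192.0.2.20,445,tcp,yes,,,2022-09-25
R3,allow,0.0.0.0/0,192.0.2.1,443,tcp,yes,CHG-0880,a.jones,2022-09-26
R4,allow,10.200.0.0/24,192.0.2.1,443,tcp,yes,CHG-0880,a.jones,2022-09-26
R5,allow,203.0.113.0/24,192.0.2.30,3389,tcp,yes,CHG-0500,a.jones,2022-04-01
R6,allow,0.0.0.0/0,192.0.2.40,8080,tcp,no,CHG-0200,j.smith,2021-11-01
"""


def audit(export_text, today):
    """Return (rule_id, finding_code, message) for every allow rule needing attention."""
    findings = []
    for r in csv.DictReader(io.StringIO(export_text)):
        if r["action"] != "allow":
            continue  # deny rules are the default posture; nothing to review
        rid = r["id"]
        src = ipaddress.ip_network(r["src"])
        port = int(r["dst_port"])
        from_anywhere = src.prefixlen == 0  # 0.0.0.0/0: any unauthenticated source

        if r["enabled"] != "yes":
            # Disabled for rollback; should be deleted once the rollback window has passed.
            findings.append((rid, "DISABLED_RETIRE",
                             "disabled rule still present; delete after the rollback period"))
            continue

        if from_anywhere and port in LEGACY_SERVICES:
            findings.append((rid, "LEGACY_EXPOSED",
                             f"{LEGACY_SERVICES[port]} (port {port}) permitted from any source"))

        if r["dst"] == FIREWALL_ADMIN_IP and port in ADMIN_PORTS and not src.subnet_of(MGMT_NET):
            findings.append((rid, "ADMIN_EXPOSED",
                             f"admin interface reachable from {src}, not only the management VPN"))

        if not r["ticket"] or not r["approved_by"]:
            findings.append((rid, "NO_JUSTIFICATION",
                             "no change ticket or approver recorded; rule is not business justified"))

        last_hit = date.fromisoformat(r["last_hit"]) if r["last_hit"] else None
        if last_hit is None or today - last_hit > STALE_AFTER:
            findings.append((rid, "STALE",
                             f"no traffic matched in over {STALE_AFTER.days} days; disable, then remove"))
    return findings


def audit_sample():
    """Run the audit over the constructed export as of the fixed review date."""
    return audit(SAMPLE_EXPORT, AS_OF)


if __name__ == "__main__":
    for rule_id, code, msg in audit_sample():
        print(f"{rule_id}: {code}: {msg}")
```

Running it over the sample leaves R1 (approved public web service) and R4 (admin access only from the management range) clean, and reports SMB exposed and no justification for R2, the admin interface exposed for R3, a stale RDP exception for R5, and a disabled rule awaiting deletion for R6. In practice the export would come from your firewall's rule dump and the findings would feed the review described above rather than be acted on automatically.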


PC personal firewalls

As well as a boundary firewall, personal firewalls on desktop PCs provide another layer of defence. These should be configured to block unapproved connections by default.


Last edited: 27 September 2022 3:08 pm