NIST Guidelines on Firewalls and Firewall Policy
Firewall technology has matured to the extent that today's firewalls can coordinate security with other firewalls and intrusion detection systems. They can scan for viruses and malicious code in electronic mail and web pages. Firewalls are now standard equipment for Internet connections. Home users who connect to commercial Internet service providers via dial-up or via cable/DSL are also using personal firewalls and firewall appliances to secure their connections.
Firewalls protect sites from exploitation of inherent vulnerabilities in the TCP/IP protocol suite. Additionally, they help mitigate security problems associated with insecure systems and the problems inherent in providing robust system security for large numbers of computers. There are several types of firewalls, ranging from boundary routers that can provide access control on Internet Protocol packets, to more powerful firewalls that can close more vulnerabilities in the TCP/IP protocol suite, to even more powerful firewalls that can filter on the content of the traffic.
The type of firewall to use depends on several factors, including the size of the site, the amount of traffic, the sensitivity of systems and data, and the applications required by the organization. The choice of firewall should largely be driven by its feature set, rather than the type of firewall, however. A standard firewall configuration involves using a router with access control capability at the boundary of the organization's network, and then using a more powerful firewall located behind the router.
Firewalls are vulnerable themselves to misconfigurations and failures to apply needed patches or other security enhancements. Accordingly, firewall configuration and administration must be performed carefully and organizations should also stay current on new vulnerabilities and incidents. While a firewall is an organization's first line of defense, organizations should practice a defense in depth strategy, in which layers of firewalls and other security systems are used throughout the network. Most importantly, organizations should strive to maintain all systems in a secure manner and not depend solely on the firewall to stop security threats. Organizations need backup plans in case the firewall fails.
This document, provided by NIST, contains numerous recommendations for choosing, configuring, and maintaining firewalls.
The attached Zip file includes:
- Intro Page.doc
- Cover Sheet and Terms.pdf
- Guidelines on Firewalls and Firewall Policy.pdf