How to use firewalls in ISO 27001 and ISO 27002 implementation
A firewall is basically software that manages connections between different networks (internal or external), and has the ability to accept a connection, reject it, or filter it under certain parameters. Because this is a key component in any organization, we can consider it as if it were the door of our house. Our house would be safer if we had two locks and the doors were armored, wouldn’t it? For a network security perimeter, the concept is basically the same.
ISO 27001 does not set the technical details, so it needs the security controls of ISO 27002 to reduce risks related to loss of confidentiality, integrity, and availability. A company must perform risk assessment to find out which kind of protection it needs, and set its own rules on how to mitigate those risks. It is important to know how to implement the controls that are related to firewalls, because they protect us from threats related to connections and networks, and can therefore help us to reduce risks.
To see differences between the standards, read this article ISO 27001 vs. ISO 27002.
Policies of the firewall
Firewall policies are related to the global operating mode of the firewall, and most of them have two basic configuration policies:
- Acceptance policy: All connections are accepted by default, and IT personnel have to establish parameters (or rules) for the configuration of the firewall to reject certain connections.
- Rejection policy: All connections are rejected by default, and IT personnel have to establish parameters to accept only certain connections.
The first is much easier and more comfortable, but more dangerous because all is accepted by default, while the second is much harder and requires more set-up time, but it is much safer (security and comfort are not compatible: more security = more uncomfortable, and less security = more comfortable).
Finally, both policies are related to the operating mode of the firewall, but you can include it as a document (for example “Policy Firewall”) in the Information Security Management System (ISMS) that is established by ISO 27001. After all, technology is an important part of the ISMS, and firewalls are related to the security controls of Annex A of ISO 27001.
Mode of operation and event log
Another important option when setting up a firewall involves its mode of operation. There are two basic choices:
- Stateless: The firewall examines each connection, but does not maintain traceability of the status of connections. We can therefore say that it makes a static analysis.
- Stateful: The firewall examines each connection, and in this case maintains traceability of the status of connections, allowing dynamic analysis of connections.
These options are available in most firewalls, and will help you to know the functions of the firewall and to have a proper configuration. From an ISO 27001 point of view, you need to reduce risks related to information security, and there are many risks related to networks, so you likely will need a firewall (well configured) to reduce all these risks related to networks.
On the other hand, it is highly recommended to always enable event logging, to maintain traceability in the event of an incident (see control A.12.4.1 Event logging). Usually, the firewall allows you to configure the level of detail of the event log, but be aware that higher detail requires more storage capacity.
Procedures and rules
Back to ISO 27001, the standard has no control that explicitly indicates the need to install a firewall on the organization (the closest is A.13.1.2 Security of network services), but it seems rather obvious – as firewalls come standard on any system.
When you configure a firewall, you need to include rules for each connection, and when you create a rule, the parameters that usually have to be considered are the following:
- Source: It can be an IP, or a complete network.
- Destination: It can be an IP, or a complete network.
- Service/port: Typical ports: 80 (HTTP), 443 (HTTPS), etc.
- Action: The options we have here are basically accept or reject.
It is also important to note here that the order of the rules is very important: the first is usually higher priority than the rest.
Keep in mind that this is only basic information about the configuration of a firewall, and ISO 27001 does not specify how to configure it, but again, it is important that you have basic knowledge to configure firewalls and reduce the risks you identified for your network.
Therefore, the next step is to develop a procedure that shows how to manage the firewall. Although this is not mandatory, it’s recommended for mid-sized or larger companies. (To learn which documents are mandatory, see List of mandatory documents required by ISO 27001 (2013 revision)). You can name this procedure “Firewall Policy” or “Firewall Technical Instruction,” and it should include how to configure it, including the policies mentioned above, and also how to configure parameters of the connections: rules, operation mode, etc. (The firewall will work based on these.) This procedure will be very useful for IT personnel, but also will be helpful for the ISMS, because you can use it as technical instruction.
To conclude, your key takeaway should be that firewalls are very important in any organization, because they are the digital door of your business, and you need to know basic information about their configuration. Furthermore, firewalls will help you to implement security controls that help you to reduce risk in ISO 27001, so both (firewalls and ISO 27001) make a good team!
Read the white paper ISO 27001 Case study for data centers if you want to see how ISO 27001 can contribute to the security of a data center in which firewalls play a significant role.