
Networks - Internal Firewall Policy

Internal Firewalls at CWU: Definition, Rationale and Discussion - DRAFT

The External Firewall Policy describes the security posture at the point at which traffic is exchanged between external networks (e.g. the Internet) and hosts on the internal CWU network.

The Internal Firewall Policy describes the security posture taken with respect to traffic traversing the internal network between hosts inside the CWU network.

This document lays the groundwork for the Internal Firewall Policy by identifying and discussing the requisite issues. The rationale for performing firewall operations on traffic within the internal network is as follows:

  1. Hosts on the CWU network have widely differing exposure to risk and divergent security requirements.
  2. For example, desktop machines require liberal Internet connectivity and routinely become infected with viruses and spyware, while servers involved with administrative processing require limited or no external connectivity and must be carefully protected to secure confidential information from disclosure and/or corruption.
  3. When full network connectivity is permitted between hosts likely to become compromised and those requiring heightened security, network security is undermined: a single compromised desktop could be leveraged to bypass the external firewall entirely, giving attackers direct access to all resources on the internal network.

The process for developing an internal firewall strategy involves classifying internal hosts into logical partitions based on the connectivity they require with other internal hosts, and then implementing mechanisms to enforce these connectivity requirements. In this way, substantially more of the internal network is insulated in the event of a compromise than if all internal hosts were permitted full network access to all other internal hosts.

The solution to this problem must be informed by accurate knowledge of the connectivity requirements that currently exist and are supported on the network. The disposition of servers relative to desktops is fairly straightforward; the specific requirements of other groups may be harder to discern. An acceptable point of diminishing returns must be determined which balances the security benefit against the complexity of the firewall configuration, the maintenance overhead, and the need to preserve required network functionality for each constituency.
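As an added illustration, not part of this draft or of CWU's actual configuration, the partitioning described above can be modelled as a small default-deny zone policy: hosts are classified into zones by address, only listed zone-to-zone flows are permitted, and the exposure created by a compromise in any zone can be read directly from the policy. The address ranges, ports and sample flows are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example zones; the address ranges are assumptions, not CWU's.
ZONES = {
    "desktop": [ip_network("10.10.0.0/16")],
    "admin_server": [ip_network("10.20.0.0/24")],
}

# Permitted flows keyed by (source zone, destination zone), valued by the
# destination ports allowed ("any" = unrestricted). Pairs not listed are
# denied: desktops reach admin servers only on the one service they need,
# and admin servers initiate no external connections at all.
ALLOWED = {
    ("desktop", "internet"): {"any"},
    ("desktop", "admin_server"): {443},
    ("admin_server", "admin_server"): {1433},
}

def zone_of(addr):
    """Map an address to its zone; anything outside the internal ranges is 'internet'."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"

def is_allowed(src, dst, port):
    """Default-deny check of one flow src -> dst:port against the zone policy."""
    ports = ALLOWED.get((zone_of(src), zone_of(dst)), set())
    return "any" in ports or port in ports

def blast_radius(zone):
    """What a compromise in `zone` exposes: reachable zones and their ports."""
    return {dst: ports for (s, dst), ports in ALLOWED.items() if s == zone}

# Constructed sample flows (src, dst, dst_port) as a segmentation review sees them.
SAMPLE_FLOWS = [
    ("10.10.5.7", "198.51.100.9", 80),    # desktop browsing the web
    ("10.10.5.7", "10.20.0.15", 443),     # desktop to admin web front-end
    ("10.10.5.7", "10.20.0.15", 3389),    # desktop remote desktop to admin server
    ("10.20.0.15", "198.51.100.9", 443),  # admin server calling out
    ("10.20.0.15", "10.20.0.16", 1433),   # admin server to its database
]

def audit(flows):
    """Return the flows the policy would deny, for review of the rule set."""
    return [f for f in flows if not is_allowed(*f)]
```

Running `audit(SAMPLE_FLOWS)` lists the two flows the policy blocks (desktop remote desktop into the admin zone, and the admin server's outbound connection), and `blast_radius("admin_server")` shows that a compromised admin server reaches nothing beyond its own zone's database port.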

Contact Information

ITS - Networks
400 E. University Way
Ellensburg, WA 98926
Phone (509) 963-2924
Email: networks@cwu.edu