Computer equipment. Firewalls. Protection against unauthorized access to information. Indicators of protection against unauthorized access to information.
This guideline establishes a classification of firewalls (FW) by the level of protection against unauthorized access (UA) to information based on a list of security indicators and a set of requirements describing them.
In this document, computer networks and distributed automated systems (AS) are understood to mean data processing systems connected by communication channels and oriented toward a specific user.
The FW is a local (single-component) or functionally distributed tool (complex) that implements control over information entering and/or leaving the AS, and protects the AS by filtering information, i.e. analyzing it according to a set of criteria and deciding whether it may be passed into (out of) the AS.
The guideline document has been developed in addition to the guideline documents of the State Technical Commission of Russia «Computer equipment. Protection against unauthorized access to information. Indicators of protection against unauthorized access to information» and «Automated systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection».
The document is intended for customers and developers of FW, computer networks and distributed automated systems, for use in formulating and implementing requirements for their protection against unauthorized access to information.
1. GENERAL PROVISIONS
1.1. These indicators contain requirements for protection tools that ensure secure interaction of computer networks and AS by controlling inter-network information flows, and that are implemented in the form of FW.
1.2. Security indicators are applied to FW to determine the level of security they provide during inter-network interaction.
Specific lists of indicators define the security classes of FW.
1.3. Dividing FW into classes according to the level of control over inter-network information flows, from the point of view of information protection, is necessary for developing and applying justified and cost-effective measures to achieve the required level of information protection during the interaction of computer networks and AS.
1.4. The choice of protection functions in the FW is differentiated according to the AS that the FW is used to protect.
1.5. Five classes of FW protection are established.
Each class is characterized by a certain minimum set of requirements for information protection.
The lowest protection class is the fifth, used for secure interaction of class 1D AS with the external environment; the fourth is used for class 1G, the third for class 1V, the second for class 1B; the highest is the first, used for secure interaction of class 1A AS with the external environment.
1.6. The requirements imposed on FW do not exclude the requirements imposed on computer equipment and AS in accordance with the guidelines of the State Technical Commission of Russia «Computer Equipment. Protection from Unauthorized Access to Information. Indicators of Security from Unauthorized Access to Information» and «Automated Systems. Protection from Unauthorized Access to Information. Classification of automated systems and requirements for information security».
When an FW is included in an AS of a certain security class, the security class of the combined AS obtained by adding the FW to the original AS must not be lowered.
For AS of classes 3B and 2B, FW of at least class 5 must be used.
For AS of classes 3A and 2A, depending on the importance of the information being processed, FW of the following classes must be used:
- when processing information classified as «secret» — not lower than class 3;
- when processing information classified as «top secret» — not lower than class 2;
- when processing information classified as «special importance» — not lower than class 1.
2. REQUIREMENTS FOR FIREWALLS
2.1. Security indicators
2.1.1. The list of indicators for the FW protection classes is given in the table.
Designations:
« — » — no requirements for this class;
« + » — new or additional requirements;
« = » — the requirements coincide with the requirements for the FW of the previous class.
Protection indicators                                   | Security classes
                                                        | 5 | 4 | 3 | 2 | 1
--------------------------------------------------------+---+---+---+---+---
Access control (data filtering and address translation) | + | + | + | + | =
Identification and authentication                       | — | — | + | = | +
Registration                                            | — | + | + | + | =
Administration: identification and authentication       | + | = | + | + | +
Administration: registration                            | + | + | + | = | =
Administration: ease of use                             | — | — | + | = | +
Integrity                                               | + | = | + | + | +
Recovery                                                | + | = | = | + | =
Testing                                                 | + | + | + | + | +
Security Administrator Guide                            | + | = | = | = | =
Test documentation                                      | + | + | + | + | +
Design (project) documentation                          | + | = | + | = | +
2.2. Requirements for the fifth class of firewall security.
2.2.1. Access control.
The firewall must provide filtering at the network level.
The filtering decision may be made for each network packet independently based on at least the source and destination network addresses or other equivalent attributes.
2.2.2. Administration: Identification and Authentication.
The firewall shall ensure identification and authentication of the firewall administrator on local access requests. The firewall shall provide the ability to identify and authenticate by identifier (code) and a semi-permanent password.
2.2.3. Administration: Registration.
The FW must register the FW administrator's logon to and logoff from the system, or loading and initialization of the system and its software shutdown. Logoff is not registered when the FW is shut down at the hardware level.
The registration parameters indicate:
- date, time and code of the registered event;
- result of the attempt to perform the registered event — successful or unsuccessful;
- the identifier of the FW administrator presented when attempting to perform the registered event.
2.2.4. Integrity.
The FW must contain means of monitoring the integrity of its software and information parts.
2.2.5. Recovery.
The FW must provide a procedure for recovery after failures and hardware faults, which must ensure restoration of the FW properties.
2.2.6. Testing.
The FW must provide the ability to routinely test:
- implementation of filtering rules (see section 2.2.1);
- the process of identifying and authenticating the FW administrator (see section 2.2.2);
- the process of registering the actions of the FW administrator (see section 2.2.3);
- the process of monitoring the integrity of the software and information part of the FW (see section 2.2.4);
- recovery procedures (see section 2.2.5).
2.2.7. Firewall Administrator's Guide.
The document contains:
- description of the controlled functions of the Firewall;
- guide to setting up and configuring the Firewall;
- description of starting the Firewall and procedures for checking the correctness of the start;
- guide to the recovery procedure.
2.2.8. Test documentation.
Must contain a description of the tests and trials to which the FW was subjected (in accordance with clause 2.2.6) and the test results.
2.2.9. Design (project) documentation.
Must contain:
- general diagram of the FW;
- general description of the principles of operation of the FW;
- description of the filtering rules;
- description of the means and process of identification and authentication;
- description of the registration tools and process;
- description of the tools and process for monitoring the integrity of the software and information part of the FW;
- description of the procedure for restoring the properties of the FW.
2.3. Requirements for the fourth class of FW security.
2.3.1. Access control.
These requirements fully include the similar requirements of the fifth class (clause 2.2.1).
Additionally, the FW must ensure[1]:
- filtering of service protocol packets used for diagnostics and control of network devices;
- filtering taking into account the input and output network interface as a means of checking the authenticity of network addresses;
- filtering taking into account any significant fields of network packets.
2.3.2. Registration.
The FW must provide the ability to register and account for filtered packets. The registration parameters include the address, time, and filtering result.
2.3.3. Administration: identification and authentication.
These requirements are completely consistent with the similar requirements of the fifth class (clause 2.2.2).
2.3.4. Administration: registration.
These requirements include the similar requirements of the fifth class (clause 2.2.3).
Additionally, the FW must register the launch of programs and processes (tasks, jobs).
2.3.5. Integrity.
These requirements are fully consistent with the similar requirements of the fifth class (clause 2.2.4).
2.3.6. Recovery.
These requirements are fully consistent with the similar requirements of the fifth class (clause 2.2.5).
2.3.7. Testing.
The FW shall provide the ability to routinely test:
- implementation of filtering rules (see section 2.3.1);
- registration process (see section 2.3.2);
- identification and authentication process of the FW administrator (see section 2.3.3);
- the process of registering actions of the FW administrator (see section 2.3.4);
- the process of monitoring the integrity of the software and information part of the FW (see section 2.3.5);
- recovery procedures (see section 2.3.6).
2.3.8. FW Administrator's Guide.
These requirements are fully consistent with the similar requirements of the fifth class (clause 2.2.7).
2.3.9. Test documentation.
Should contain a description of the tests and trials to which the FW was subjected (in accordance with clause 2.3.7) and the test results.
2.3.10. Design (project) documentation.
These requirements fully coincide with the similar requirements of the fifth class (clause 2.2.9) in terms of the composition of the documentation.
2.4. Requirements for the third class of FW security.
2.4.1. Access control.
These requirements fully include similar requirements of the fourth class (clause 2.3.1).
Additionally, the FW must ensure:
- filtering of requests to establish virtual connections at the transport level; at least the transport addresses of the sender and recipient are taken into account;
- filtering of requests to application services at the application level; at least the application addresses of the sender and recipient are taken into account;
- filtering taking into account date/time.
2.4.2. Identification and authentication.
The firewall shall provide the ability to authenticate incoming and outgoing requests using methods that are resistant to passive and/or active network eavesdropping.
2.4.3. Registration.
These requirements include similar requirements of the fourth class (clause 2.3.2).
In addition, the firewall must ensure:
- registration and accounting of requests to establish virtual connections;
- local signaling of attempts to violate filtering rules.
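The class 5, 4 and 3 filtering criteria (clauses 2.2.1, 2.3.1, 2.4.1) together with the registration and local signaling requirements (clauses 2.3.2, 2.4.3), as an added Python example that is not part of the guideline. The networks, interface names, rules and packets are constructed, and the interface-based source check and first-match rule evaluation are one possible implementation, not one the document prescribes.

```python
# Added example (not from the guideline): packet filter modelled on the class 5/4/3 criteria; all values constructed.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str                     # network-level source address (class 5)
    dst: str                     # network-level destination address (class 5)
    proto: str                   # "tcp", "udp" or "icmp"
    iface: str                   # ingress interface, "inside" or "outside" (class 4)
    when: datetime               # arrival time, used for date/time filtering (class 3)
    dport: Optional[int] = None  # transport address of the recipient (class 3)
    syn: bool = False            # request to establish a virtual connection (class 3)
    app: Optional[str] = None    # application-level service requested (class 3)

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    iface: Optional[str] = None    # class 4: filtering by input interface
    proto: Optional[str] = None    # class 4: any significant packet field
    dport: Optional[int] = None    # class 3: transport-level filtering
    app: Optional[str] = None      # class 3: application-level filtering
    hours: Optional[tuple] = None  # class 3: (start, end) time-of-day window

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.iface in (None, p.iface) and self.proto in (None, p.proto)
                and self.dport in (None, p.dport) and self.app in (None, p.app)
                and (self.hours is None or self.hours[0] <= p.when.time() < self.hours[1]))

class Firewall:
    def __init__(self, rules, internal="10.0.0.0/8"):
        self.rules = rules
        self.internal = ip_network(internal)  # constructed protected (internal) network
        self.journal, self.alerts = [], []    # class 4 registration; class 3 local signaling

    def _register(self, p: Packet, result: str, reason: str) -> str:
        kind = "connection request" if p.syn else "packet"  # class 3: account for connection requests
        self.journal.append((p.when.isoformat(), p.src, p.dst, kind, result, reason))
        if result == "deny":  # local signaling of an attempt to violate the filtering rules
            self.alerts.append(f"{p.when:%H:%M} {p.iface} {p.src}->{p.dst}: {reason}")
        return result

    def filter(self, p: Packet) -> str:
        # Class 4: the ingress interface is used to check that the source address is genuine.
        if (ip_address(p.src) in self.internal) != (p.iface == "inside"):
            return self._register(p, "deny", "source address does not match interface")
        for rule in self.rules:  # first matching rule decides; default deny
            if rule.matches(p):
                return self._register(p, rule.action, "matched rule")
        return self._register(p, "deny", "no matching rule")

RULES = [
    Rule("deny", iface="outside", proto="icmp"),  # diagnostic/control protocol from outside
    Rule("permit", dst="10.1.1.10/32", proto="tcp", dport=80, app="http", hours=(time(8), time(18))),
    Rule("permit", src="10.0.0.0/8"),             # anything originating in the internal network
]

def demo():
    fw = Firewall(RULES)
    t = datetime(2024, 1, 15, 10, 0)  # constructed timestamp, within working hours
    packets = [
        Packet("198.51.100.7", "10.1.1.10", "tcp", "outside", t, 80, True, "http"),
        Packet("198.51.100.7", "10.1.1.10", "tcp", "outside", t.replace(hour=20), 80, True, "http"),
        Packet("10.2.3.4", "10.1.1.10", "tcp", "outside", t, 80, True, "http"),  # spoofed source
        Packet("198.51.100.7", "10.1.1.10", "icmp", "outside", t),
        Packet("10.2.3.4", "198.51.100.7", "udp", "inside", t, 53),
    ]
    return [fw.filter(p) for p in packets], fw
```

`demo()` returns the five filtering decisions together with the firewall object, whose `journal` holds the class 4 registration records and whose `alerts` holds the class 3 local signals for every denied packet.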
2.4.9. Testing.
The firewall shall provide the ability to routinely test:
- implementation of filtering rules (see section 2.4.1);
- request identification and authentication process (see section 2.4.2);
- registration process (see section 2.4.3);
- identification and authentication process of the firewall administrator (see section 2.4.4);
- firewall administrator actions registration process (see section 2.4.5);
- firewall software and information integrity monitoring process (see section 2.4.7);
- recovery procedures (see section 2.4.8).
2.4.10. FW Administrator's Guide.
These requirements are fully consistent with the similar requirements of the fifth class (clause 2.2.7).
2.4.11. Test documentation.
Should contain a description of the tests and trials to which the FW was subjected (in accordance with clause 2.4.9) and the test results.
2.4.12. Design (project) documentation.
These requirements fully include similar requirements of the fifth class (clause 2.2.9) in terms of the composition of the documentation.
Additionally, the documentation must contain a description of the means and process of centralized management of the components of the firewall.
2.5. Requirements for the second class of firewall security.
2.5.1. Access control.
These requirements include similar requirements of the third class (clause 2.4.1).
Additionally, the FW must ensure:
- the ability to hide subjects (objects) and/or application functions of the protected network;
- the ability to translate network addresses.
2.5.2. Identification and authentication.
These requirements are fully consistent with similar requirements of the third class (clause 2.4.2).
2.5.3. Registration.
These requirements include similar requirements of the third class (clause 2.4.3).
Additionally, the firewall must provide:
- remote signaling of attempts to violate filtering rules;
- registration and accounting of requested application-level services;
- programmable response to events in the firewall.
2.5.4. Administration: identification and authentication.
The FW must ensure identification and authentication of the FW administrator on his/her access requests. The FW must provide the ability to identify and authenticate by identifier (code) and temporary password. The FW must prevent access by an unidentified subject or a subject whose identity was not confirmed during authentication.
For remote access requests by the FW administrator, identification and authentication must be provided by methods that are resistant to passive and active interception of information.
2.5.5. Administration: registration.
These requirements are completely consistent with similar requirements of the third class (clause 2.4.5).
2.5.6. Administration: ease of use.
These requirements are completely consistent with similar requirements of the third class (clause 2.4.6).
2.5.7. Integrity.
The FW must contain means for monitoring the integrity of its software and information components using checksums, both during loading and dynamically.
2.5.8. Recovery.
The FW must provide a procedure for recovery after hardware faults and failures, which must ensure prompt restoration of the FW properties.
2.5.9. Testing.
The FW must provide the ability to routinely test:
- implementation of filtering rules (see section 2.5.1);
- identification and authentication process (see section 2.5.2);
- registration process (see section 2.5.3);
- identification and authentication process of the firewall administrator (see section 2.5.4);
- firewall administrator actions registration process (see section 2.5.5);
- firewall software and information integrity monitoring process (see section 2.5.7);
- recovery procedures (see section 2.5.8).
2.5.10. FW Administrator's Guide.
These requirements are fully consistent with the similar requirements of the fifth class (clause 2.2.7).
2.5.11. Test documentation.
Should contain a description of the tests and trials to which the FW was subjected (in accordance with clause 2.5.9) and the test results.
2.5.12. Design (project) documentation.
These requirements fully coincide with similar requirements of the third class (clause 2.4.12) in terms of the composition of the documentation.
2.6. Requirements for the first class of FW security.
2.6.1. Access control.
These requirements fully coincide with similar requirements of the second class (clause 2.5.1).
2.6.2. Identification and authentication.
These requirements fully include the similar requirements of the second class (clause 2.5.2).
Additionally, the FW must ensure identification and authentication of all application-level subjects.
2.6.3. Registration.
These requirements are completely consistent with the similar requirements of the second class (clause 2.5.3).
2.6.4. Administration: identification and authentication.
The FW must ensure identification and authentication of the FW administrator on his/her access requests. The FW must provide the ability to identify and authenticate by biometric characteristics or special devices (tokens, cards, electronic keys) and a temporary password. The FW must prevent access by an unidentified subject or a subject whose identity was not confirmed during authentication.
For remote access requests by the FW administrator, identification and authentication must be provided by methods that are resistant to passive and active interception of information.
2.6.5. Administration: registration.
These requirements are completely consistent with the similar requirements of the third class (clause 2.4.5).
2.6.6. Administration: ease of use.
A multi-component firewall must provide the ability to centrally manage its components, including configuring filters, checking the mutual consistency of all filters, and analyzing registration information.
A graphical interface for managing the FW must be provided.
2.6.7. Integrity.
The FW must contain means for monitoring the integrity of its software and information parts using checksums computed by a certified algorithm, both during loading and dynamically.
2.6.8. Recovery.
These requirements are completely consistent with the similar requirements of the second class (clause 2.5.8).
2.6.9. Testing.
The firewall shall provide the ability to routinely test:
- implementation of filtering rules (see section 2.6.1);
- identification and authentication process (see section 2.6.2);
- registration process (see section 2.6.3);
- identification and authentication process of the firewall administrator (see section 2.6.4);
- registration process of the firewall administrator (see section 2.6.5);
- the process of centralized management of the components of the firewall and the graphical interface for managing the firewall (see section 2.6.6);
- the process of monitoring the integrity of the software and information part of the firewall (see section 2.6.7);
- recovery procedures (see section 2.6.8).
2.6.10. Firewall Administrator's Guide.
These requirements are completely consistent with similar requirements of the fifth class (section 2.2.7).
2.6.11. Test documentation.
Should contain a description of the tests and trials to which the FW was subjected (in accordance with clause 2.6.9) and the test results.
2.6.12. Design (project) documentation.
These requirements fully include the similar requirements of the third class (clause 2.4.12) for the composition of the documentation.
Additionally, the documentation must contain a description of the graphical interface for managing the FW.
3. TERMS AND DEFINITIONS
FW administrator — a person responsible for FW maintenance.
Remote management of FW components — performance of FW (component) maintenance functions by the FW administrator, using network protocols, from a network node (workstation) on which the FW (component) is not running.
Filtering criteria — parameters, attributes and characteristics on the basis of which further transmission of a packet (data) is permitted or prohibited in accordance with the specified access control rules (filtering rules). Service fields of packets (data) containing network addresses, identifiers, interface addresses, ports and other significant data, as well as external characteristics such as time, frequency characteristics, data volume, etc., can be used as such parameters.
Local management of FW components — performance of FW (component) maintenance functions by the FW administrator, using the FW interface, on the same node (platform) on which the FW (component) is running.
Firewall (FW) — a local (single-component) or functionally distributed software (hardware and software) tool (complex) that implements control over information entering and/or leaving the AS. The FW protects the AS by filtering information, i.e. analyzing it according to a set of criteria and deciding, on the basis of specified rules, whether it may be passed into (out of) the AS, thereby controlling access of subjects from one AS to objects of another AS. Each rule prohibits or permits the transfer of information of a certain type between subjects and objects. As a result, subjects from one AS gain access only to permitted information objects of another AS. The set of rules is interpreted by a sequence of filters that permit or prohibit the transfer of data (packets) to the next filter or protocol level.
Filtering rules — a list of conditions under which, using the specified filtering criteria, further transmission of packets (data) is permitted or prohibited, and a list of actions performed by the FW to register and/or implement additional protective functions.
A firewall can be built using screening agents that establish a connection between a subject and an object and then forward information, monitoring and/or registering it. Using screening agents allows for an additional protective function: hiding the true object from the subject. At the same time, the subject appears to interact directly with the object. Usually the screen is not symmetrical; the concepts of «inside» and «outside» are defined for it. In this case, the screening task is formulated as protecting the internal area from an uncontrolled and potentially hostile external area.
Network addresses — address data identifying subjects and objects and used by the network layer protocol of the ISO Open Systems Interconnection (OSI) reference model. The network protocol manages communication resources, routes packets, and assembles them for transmission in the network. These protocols decide whether access to a subnet is possible, determine the transmission route, and relay the message. Access control at the network level allows unwanted calls to be rejected and enables different subnets to control the use of network layer resources. Therefore, these protocols can meet security requirements in terms of verifying the authenticity of network resources, the source and receiver of data, and received messages, and in terms of controlling access to network resources.
Address translation — an FW function that hides the internal addresses of objects (subjects) from external subjects.
Transport addresses — address data identifying subjects and objects and used by the transport layer protocol of the ISO OSI model. Transport layer protocols ensure the creation and operation of logical channels between programs (processes, users) in different network nodes, manage information flows between ports, and assemble packets of requests and responses.
Centralized management of firewall components — execution from a single workplace (workstation, node), by an authorized administrator only, of all functions for maintaining the firewall (its components), including initialization, shutdown, recovery, testing, installation and modification of data filtering rules, registration parameters and additional security functions, and analysis of registered events.
Shielding — a firewall function that allows the security of internal objects to be maintained by ignoring unauthorized requests from the external area. As a result of shielding, the vulnerability of internal objects is reduced, since an outside intruder must first overcome the shield, where the protective mechanisms are configured especially carefully and rigidly. In addition, a shielding system, unlike a universal one, can and should be arranged in a simpler and therefore more secure manner; it should contain only those components that are necessary to perform the shielding functions. Shielding also makes it possible to control information flows directed to the external area, which helps maintain confidentiality in the internal area. In addition to the access control functions, shields register information exchanges.
[1] Further additional requirements are highlighted in bold font.