Firewall Guidelines
PREFACE: Objectives for requesting schematic and written documentation
The schematic should provide a sketch of the setup of the GCIC terminals to the state router. If the terminals are to be setup to a hub or a server, then connected to the state router this should be shown in the schematic. If there is an internal network or Internet access this should be included in the schematic. For network security purposes, the location of the firewall should be shown in the schematic. The firewall should be placed between the state router and any agency connections.
If a firewall and/or some other network security methodology (such as a VLAN) will be used to protect and segregate traffic, please document it in both the written documentation and the schematic. The written documentation should support the schematic by stating in writing what the schematic shows and the firewall policy (how the firewall will be used to protect the GCIC data). If the Internet or other non-GCIC users/applications are a part of the network, explain how the firewall will be used to segregate the traffic and ensure that Internet and non-GCIC users will not be allowed to have access to the GCIC CJIS connections.
The written documentation is a backup to the schematic and helps when the schematic has to be reviewed by others. Information that can't be explained fully in the schematic can be explained and elaborated more in the written documentation. This allows the vendor or IS personnel to provide as much information as possible to help assist GCIC with reviewing the setup and providing approval.
GCIC understands that in most cases, the serial number of the firewall and other hardware that will be used before the installation is not known initially. However, if the type and model is known, please provide this information in the written documentation. The type of cabling that will be used is not required.
Please be advised that the vendor or IS personnel should provide the serial number, model number, etc., of all hardware, and a copy of the schematic and written documentation, to the GCIC agencies for their files upon completion of the installation. The FBI has mandated that GCIC begin performing technical audits of the physical setups at the GCIC CJIS agencies. The agencies will need to have this information on file for the GCIC auditors when this occurs. The serial numbers, model numbers, etc., are not required for the CJIS Connectivity Unit's review at this time, but are helpful when available.
If you have any further questions regarding this issue, please let us know.
GCIC Firewall Guide
Revised July 30, 2002
Summary
This document is intended to serve as a guide for criminal justice agencies in Georgia who are working to satisfy the requirements specified by the FBI for connection to CJIS data sources. This document focuses on the requirements and considerations regarding the selection, installation, configuration, and maintenance of firewall appliances, but it should not be considered as a replacement for vendor-supplied user guides and revised CJIS requirements.
Introduction
A firewall is a protection device designed to shield vulnerable computer resources from unauthorized network access and from other vulnerabilities arising from improper configurations and from protocols and services that can be abused by hosts outside the subnet. A firewall system is usually located at a higher-level gateway, such as a site's connection to the Internet; however, firewalls can also be located at lower-level gateways to protect a smaller collection of hosts or subnets.
The general reasoning behind firewall usage is that without a firewall, a subnet's systems are more exposed to inherently insecure services and to probes and attacks from hosts elsewhere on the network. Without a firewall appliance, network security relies on each host on the network, and cooperation among the hosts is necessary to achieve a uniformly high level of security. The larger the subnet, the more difficult it is to maintain all hosts at the same level of security. As mistakes and lapses in security become more common, break-ins can occur, not necessarily as the result of complex attacks, but because of simple errors in configuration and inadequate passwords.
A firewall can greatly improve network security and reduce risks to hosts on the subnet by filtering inherently insecure services and by providing the capability to restrict the types of access to subnet hosts. As a result, the subnet network environment poses fewer risks to hosts, since only selected protocols will be able to pass through the firewall and only selected systems within the subnet will be reachable from the rest of the network. Errors and configuration problems that reduce host security are better tolerated, and as a result risk management becomes more effective.
CJIS Firewall Requirements
"A firewall appliance must be utilized to protect all CJIS-accessible workstations that are physically connected to a network. The firewall device must be located immediately between the CJIS workstation(s) and the network connection. The firewall that is used must be configured to be compliant with the U.S. Government Application Level Firewall Protection Profile for Low Risk Environments and U.S. Government Traffic Filter Firewall for Low Risk Environments." (CJIS Security Policy)
Since 1997, NIST and NSA have co-sponsored an effort to develop protection profiles for firewall devices. These efforts resulted in the development of a traffic filter firewall profile and an application level firewall profile. A summary is provided below or they can be viewed in their entirety at http://csrc.nist.gov/cc/pp/. The file at this site to download is fw-ppa.zip and includes the Application Level and Traffic Filter firewall protection profiles in Adobe Acrobat .pdf format.
U.S. Government Application Level Firewall Protection Profile for Low Risk Environments
As stated by NIST, "This application-level firewall Protection Profile defines the basic security requirements of U.S. Government organizations handling unclassified information in a low-risk environment. Firewalls may consist of one or more devices that serve as part of an organization's overall security defense by isolating an organization's internal network from the Internet or other external networks. Firewalls pass and block information flows based on a set of screening rules defined by an authorized administrator. This Protection Profile applies to firewalls that are capable of screening network traffic at the network, transport, and application protocol levels, authenticating users who attempt to initiate information flows through the device for certain services, authenticating the authorized administrator for actions at the firewall, and auditing security-relevant events that occur."
U.S. Government Traffic Filter Firewall for Low Risk Environments
As stated by NIST, "This traffic-filter firewall Protection Profile defines the basic security requirements of U.S. Government organizations handling unclassified information in a low-risk environment. Firewalls may consist of one or more devices that serve as part of an organization's overall security defense by isolating an organization's internal network from the Internet or other external networks. Firewalls pass and block information flows based on a set of screening rules defined by an authorized administrator. This Protection Profile applies to firewalls that are capable of screening network traffic at the network and transport protocol levels, authenticating the authorized administrator for actions at the firewall, and auditing security-relevant events that occur."
In general, law enforcement user agencies in Georgia should not be concerned with the details of the specific Common Criteria requirements. Firewall appliance vendors who have satisfied the requirements of the U.S. Government Application Level Firewall Protection Profile for Low Risk Environments and the U.S. Government Traffic Filter Firewall for Low Risk Environments should have certificates (Figure 1) for their products. User agency representatives should request to see copies of these certificates for verification of compliance prior to purchasing any firewall appliance.
Figure 1: Common Criteria Certificate (Trust Technology Assessment Program)

Certificate text: "The IT product identified in this certificate has been evaluated at an authorized laboratory for conformance to the Common Criteria for IT Security Evaluation (Version 2.0). This certificate applies only to the specific version and release of the product in its evaluated configuration. The product's functional and assurance security specifications are contained in its security target. The evaluation has been conducted in accordance with the provisions of the Trust Technology Assessment Program Scheme and the conclusions of the testing laboratory in the evaluation technical report are consistent with the evidence adduced. This certificate is not an endorsement of the IT product by any agency of the U.S. Government and no warranty of the IT product is either expressed or implied."

Product Name: Firewall-1
Version and Release Numbers: Version 4.0
Protection Profile Identifier: U.S. Government Traffic-Filter Firewall Protection Profile for Low-Risk Environments, Version 1.1 and U.S. Government Application-Level Firewall Protection Profile for Low-Risk Environments, Version 1.d
Evaluation Platform: Windows NT 4, Service Pack 4
Assurance Level: EAL2
Name of TTAP Laboratory: Computer Sciences Corporation
Validation Report Number: TTAP-CC-0006
Configuration Considerations
In addition to the requirement for a firewall appliance to achieve NIST security guidelines, there are a variety of additional issues that should be considered in selecting, installing, configuring, and maintaining a firewall appliance. The information is listed by connection profile:
Connection Profile #1:
GCIC dedicated workstation(s) in a Criminal Justice facility with direct connection to GCIC
Description:
- Workstation using QuickWare QTerm (Tnuts) terminal emulation software, Attachmate Infoconnect terminal emulation software, or another Windows-based application to connect to the GCIC Unisys mainframe.
- No other software is run on the workstation.
- Physical security is enforced at the law enforcement facility.
- Access to the workstation is limited to authorized personnel who have access to the secure facility.
Firewall Considerations:
The firewall should contain mechanisms for logging traffic and suspicious activity, and should contain mechanisms for log reduction so that logs are readable and understandable. These logs should be available for review by GCIC personnel during technical audits of user agencies.
The firewall should be flexible; it should be able to accommodate new services, including VPNs.
The firewall should contain advanced authentication measures or should contain the hooks for installing advanced authentication measures.
The firewall and any corresponding operating system should be updated with patches and other bug fixes in a timely manner.
The firewall should have the capability to support installation of an intrusion detection component (IDC).
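The logging and log-reduction consideration above is easier to act on with a concrete reduction step. The following is an added example, not code from the GCIC guide or from any firewall vendor: it parses a constructed, syslog-like deny/accept log (the line format, host names and addresses are assumptions), collapses repeated entries into counts so an auditor can read the result, and flags a source whose denied connections touched many distinct ports, which is the kind of suspicious activity the guide asks the firewall to surface.

```python
"""Added example (not part of the GCIC guide): reduce a firewall's
accept/deny log into a short readable summary and flag suspicious patterns
so the log can be reviewed during a technical audit.
The log format, host name and IP addresses below are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an assumed syslog-like format
# (not any real vendor's format).
SAMPLE_LOG = """\
Jul 30 09:01:12 fw1 DENY TCP 198.51.100.7:51234 -> 192.0.2.10:23 in=eth0
Jul 30 09:01:13 fw1 DENY TCP 198.51.100.7:51235 -> 192.0.2.10:21 in=eth0
Jul 30 09:01:13 fw1 DENY TCP 198.51.100.7:51236 -> 192.0.2.10:80 in=eth0
Jul 30 09:01:14 fw1 DENY TCP 198.51.100.7:51237 -> 192.0.2.10:139 in=eth0
Jul 30 09:01:14 fw1 DENY TCP 198.51.100.7:51238 -> 192.0.2.10:445 in=eth0
Jul 30 09:02:00 fw1 ACCEPT TCP 192.0.2.10:1040 -> 10.10.0.5:23 in=eth1
Jul 30 09:02:05 fw1 ACCEPT TCP 192.0.2.10:1041 -> 10.10.0.5:23 in=eth1
Jul 30 09:05:44 fw1 DENY UDP 203.0.113.9:4000 -> 192.0.2.10:69 in=eth0
Jul 30 09:06:10 fw1 DENY TCP 203.0.113.9:4001 -> 192.0.2.10:23 in=eth0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<action>ACCEPT|DENY) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"in=(?P<iface>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def reduce_log(events):
    """Collapse events into counts keyed by (action, proto, src, dst, dport)."""
    return Counter((e["action"], e["proto"], e["src"], e["dst"], e["dport"])
                   for e in events)


def find_suspicious(events, scan_threshold=5):
    """Return sources whose DENIED connections touched at least
    scan_threshold distinct destination ports (a crude port-scan indicator)."""
    ports_by_src = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            ports_by_src[e["src"]].add(e["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= scan_threshold}


def summary(text, scan_threshold=5):
    """Human-readable reduction: most frequent flows first, then flags."""
    events = parse_log(text)
    lines = []
    for (action, proto, src, dst, dport), n in sorted(
            reduce_log(events).items(), key=lambda kv: -kv[1]):
        lines.append(f"{n:4d} {action:6s} {proto} {src} -> {dst}:{dport}")
    for src, ports in find_suspicious(events, scan_threshold).items():
        lines.append(f"SUSPICIOUS: {src} denied on {len(ports)} ports: {ports}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(SAMPLE_LOG))
```

The threshold of five distinct ports is an arbitrary starting point; an agency should tune it against its own traffic, and the raw log should be retained alongside the reduced summary so that auditors can see the underlying entries.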
Connection Profile #2:
GCIC shared workstation in a Criminal Justice facility with Internet access via direct connection to state router.
Description:
- Workstation using QuickWare QTerm (Tnuts) terminal emulation software, Attachmate Infoconnect terminal emulation software, or another Windows-based or Interface application to connect to the GCIC Unisys mainframe.
- Workstation may include other non-GCIC applications.
- Internet access is provided through the GTA network via the state router.
- Physical security is enforced at the law enforcement facility.
- Access to the workstation is limited to authorized personnel who have access to the secure facility.
Firewall Considerations:
Limit firewall accounts to only those absolutely necessary, such as for the administrator. If practical, disable network logins.
Use authentication tokens to provide a much higher degree of security than that provided by simple passwords. Challenge-response and one-time password cards are easily integrated with most popular operating systems.
Remove compilers, editors, and other program-development tools from the firewall system(s) that could enable a cracker to install Trojan horse software or backdoors.
Do not run any vulnerable protocols on the firewall such as tftp, NIS, NFS, UUCP, finger, or X.
Do not permit the firewall systems to "trust" other systems; the firewall should not be equivalent to any other system.
Disable any feature of the firewall system that is not needed, including other network access, user shells, applications, and so forth.
Turn on full-logging at the firewall. These logs should be available for review by GCIC personnel during technical audits of user agencies.
The firewall should be able to support a "deny all services except those specifically permitted" design policy, even if that is not the policy used.
The firewall should be flexible; it should be able to accommodate new services, especially VPNs.
The firewall should contain advanced authentication measures or should contain the hooks for installing advanced authentication measures.
The firewall should employ filtering techniques to permit or deny services to specified host systems as needed.
The IP filtering language should be flexible, user-friendly to program, and should filter on as many attributes as possible, including source and destination IP address, protocol type, source and destination TCP/UDP port, and inbound and outbound interface.
The firewall should use proxy services for services such as FTP and TELNET, so that advanced authentication measures can be employed and centralized at the firewall. If services such as NNTP, X, http, or gopher are required, the firewall should contain the corresponding proxy services.
The firewall should contain the ability to centralize SMTP access, to reduce direct SMTP connections between site and remote systems. This results in centralized handling of site e-mail.
The firewall and any corresponding operating system should be updated with patches and other bug fixes in a timely manner.
The firewall should have the capability to support installation of an intrusion detection component (IDC).
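The "deny all services except those specifically permitted" policy and the filtering attributes listed above (source and destination IP address, protocol type, source and destination port, and interface) can be shown together in a small first-match rule evaluator. This is an added example, not the guide's own text or any vendor's filtering language: the interface names, the workstation and mainframe addresses, and the rule set are constructed assumptions. It permits only the workstation's terminal session to the mainframe and its replies, and denies everything else by default, including a packet that carries the workstation's address but arrives on the wrong interface.

```python
"""Added example (not from the GCIC guide or any vendor): a minimal
first-match packet filter with a default of "deny everything not explicitly
permitted", filtering on source/destination IP, protocol, source/destination
port and arrival interface. Addresses, interface names and rules are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    iface: str      # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    src: Optional[str] = None       # CIDR; None matches any address
    dst: Optional[str] = None
    sport: Optional[range] = None   # None matches any port
    dport: Optional[range] = None
    iface: Optional[str] = None     # None matches any interface

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in \
                ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        return True


def matching_rule(rules, packet):
    """Index of the first rule that matches, or None if nothing does."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return i
    return None


def decide(rules, packet, default="deny"):
    """First matching rule wins; with no match the default (deny) applies."""
    i = matching_rule(rules, packet)
    return default if i is None else rules[i].action


# Constructed policy. Interfaces: "cjis" faces the CJIS workstation segment,
# "state" faces the state router, "lan" faces the agency's non-GCIC network.
CJIS_WS = "192.0.2.10/32"    # assumed CJIS workstation address
GCIC_HOST = "10.10.0.5/32"   # assumed GCIC mainframe address
RULES = [
    # Workstation -> mainframe terminal session (TCP/23), only from the CJIS side.
    Rule("allow", "tcp", src=CJIS_WS, dst=GCIC_HOST,
         dport=range(23, 24), iface="cjis"),
    # Replies from the mainframe's port 23 back to the workstation, from the state side.
    Rule("allow", "tcp", src=GCIC_HOST, dst=CJIS_WS,
         sport=range(23, 24), iface="state"),
    # Explicit (logged) deny of anything else aimed at the CJIS workstation.
    Rule("deny", dst=CJIS_WS),
]

if __name__ == "__main__":
    p = Packet("tcp", "192.0.2.10", "10.10.0.5", 1040, 23, "cjis")
    print(decide(RULES, p), matching_rule(RULES, p))
```

The final explicit deny is redundant under a default-deny policy, but it is where a real filter would attach logging, so the audit log shows rejected attempts against the CJIS segment rather than a silent drop. The interface attribute is what stops a packet forged with the workstation's source address from being accepted when it arrives from the agency LAN.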
Connection Profile #3:
GCIC shared workstation in a Criminal Justice facility on shared government network
Description:
- Workstation using QuickWare QTerm (Tnuts) terminal emulation software, Attachmate Infoconnect terminal emulation software, or another Windows-based or Interface application to connect to the GCIC Unisys mainframe.
- Workstation may include non-GCIC applications.
- Internet access is provided through the GTA network via a local area network that includes other local/state/federal government users.
- Physical security is enforced at the law enforcement facility.
- Access to the workstation is limited to authorized personnel who have access to the secure facility.
Firewall Considerations:
The firewall should be under the direct control of the law enforcement user agency, not a vendor or other government employee.
Limit firewall accounts to only those absolutely necessary, such as for the administrator. If practical, disable network logins.
Use authentication tokens to provide a much higher degree of security than that provided by simple passwords. Challenge-response and one-time password cards are easily integrated with most popular operating systems.
Remove compilers, editors, and other program-development tools from the firewall system(s) that could enable a cracker to install Trojan horse software or backdoors.
Do not run any vulnerable protocols on the firewall such as tftp, NIS, NFS, UUCP, finger, or X.
Do not permit the firewall systems to "trust" other systems; the firewall should not be equivalent to any other system.
Disable any feature of the firewall system that is not needed, including other network access, user shells, applications, and so forth.
Turn on full-logging at the firewall. These logs should be available for review by GCIC personnel during technical audits of user agencies.
The firewall should be able to support a "deny all services except those specifically permitted" design policy, even if that is not the policy used.
The firewall should be flexible; it should be able to accommodate new services, especially VPNs.
The firewall should contain advanced authentication measures or should contain the hooks for installing advanced authentication measures.
The firewall should employ filtering techniques to permit or deny services to specified host systems as needed.
The IP filtering language should be flexible, user-friendly to program, and should filter on as many attributes as possible, including source and destination IP address, protocol type, source and destination TCP/UDP port, and inbound and outbound interface.
The firewall should use proxy services for services such as FTP and TELNET, so that advanced authentication measures can be employed and centralized at the firewall. If services such as NNTP, X, http, or gopher are required, the firewall should contain the corresponding proxy services.
The firewall should contain the ability to centralize SMTP access, to reduce direct SMTP connections between site and remote systems. This results in centralized handling of site e-mail.
The firewall and any corresponding operating system should be updated with patches and other bug fixes in a timely manner.
The firewall should have the capability to support installation of an intrusion detection component (IDC).
Conclusion
When selecting and configuring a firewall appliance as part of the design of a CJIS-approved infrastructure, the most important consideration for a user agency is to ensure that the firewall complies with the NIST requirements provided above. Beyond this technical requirement there are a variety of issues that should be considered in the selection and configuration of a firewall for the different forms of CJIS connection, but the overriding point is that no security measure, including a firewall, can provide complete security. Effective security requires a combination of trained personnel, secure operations, and properly configured and maintained security tools.