Technical Standard
OIT Firewall Design Standard
Document Owner: Office of Enterprise Architecture (OEA)
Technical Area: CISO
Version: 1.0
Document ID: TS‐CISO‐004
Effective Date: 2016‐03‐17
Last Reviewed Date: 2016‐03‐17
1. PURPOSE
The purpose of an Enterprise Firewall Design Standard is to enable efficient and effective design and implementation of firewalls while providing the desired secure access and data sharing between all business partners. Adoption of the Enterprise Firewall Design Standard will expedite the Firewall Change Request (FCR) lifecycle from request through approval, implementation and testing.
OIT is statutorily obligated and authorized (§ 24‐37.5 C.R.S., see "References") to provide IT support and services to the State and its stakeholders in the most effective and efficient manner possible. This standard is created in general support of that obligation and of the specific purposes stated above.

2. SCOPE
The Enterprise Firewall Design Standard applies to all firewalls that are under OIT control or operated by any provider of IT services to a state agency. These standards apply to OIT and OIT‐supported agencies. This Standard shall be used by employees of OIT, agencies supported by OIT, and vendors contracted by OIT or its stakeholders as a means to enforce technology standardization and to make the usage, support and/or purchase of technologies more consistent and efficient; it applies to any OIT unit or contracted entity providing these services to customers.

3. REFERENCES
a. C.R.S. 24‐37.5: "COLORADO REVISED STATUTES, TITLE 24. GOVERNMENT ‐ STATE, GOVERNOR'S OFFICE, ARTICLE 37.5. OFFICE OF INFORMATION TECHNOLOGY"
b. Colorado Information Security Policies (CISPs)
c. Payment Card Industry (PCI) Data Security Standard 3.1
d. Firewall Change Request video (link)
e. Firewall Change Request Customer Portal (link) ‐ click on the "My Services" tab, and then select "Firewall Change."
f. Internet Engineering Task Force RFCs: 768, 783, 791‐793, 816, 826, 854, 862‐865, 867, 894, 919, 922, 950, 959, 1001, 1002, 1009, 1034, 1035, 1042, 1055, 1065, 1112, 1122, 1123, 1144, 1157, 1179, 1188, 1191, 1201, 1256, 1323, 1332, 1518, 1519, 1534, 1542, 1552, 1661, 1662, 1748, 1749, 1812, 1828, 1829, 1851, 1852, 1878, 1886, 1994‐1996, 2018, 2085, 2104, 2131, 2136, 2181, 2236, 2308, 2401, 2402, 2406, and 2581.
4. DEFINITIONS
a. 3rd‐party Service Provider Traffic: Network traffic which flows between a 3rd‐party service provider and the state network, irrespective of direction.
b. Authorization: The action or fact of authorizing or being authorized; or a document giving permission or authority.
c. Bidirectional Firewall Rule: A bidirectional firewall rule allows either the source or the destination device to initiate the connection.
d. DMZ Traffic: Network traffic which originates either from the state resource network or from the Internet and connects to devices inside an isolated network which is protected from the Internet by a firewall and is also isolated from the state resource and user networks by a second firewall.
e. Exception Request: A document requesting an exception to a recognized standard, requiring a business or technical justification for granting the exception. Typically an exception request is subject to review and approval by an authority in the area.
f. Firewall: A network security system, either hardware or software based, that controls incoming and outgoing network traffic based on a set of rules.
g. Standard: A rule that specifies a particular course of action or response to a given situation. Standards are mandatory directives to carry out management's policies and are used to measure compliance with policies. Standards serve as specifications for the implementation of policies. Standards are designed to promote implementation of high‐level organization policy rather than to create new policy in themselves.
h. Intra‐Agency Traffic: Network traffic which originates inside the agency's network and connects to another device which is logically located inside the same agency's network.
i. Intra‐DataCenter Traffic: Network traffic which is confined to one of the state data centers.
j. NAT: Network Address Translation ‐ a methodology used to remap IP addresses from one IP address space to another by modifying the network address information in IP packet headers while the packets are in transit across a traffic routing device, typically a firewall.
k. Perimeter Traffic: Network traffic which crosses a network perimeter.
l. Positive Policy: A firewall policy that allows network connections from source addresses which appear on a whitelist (see the definition of whitelisting, below).
m. Protocol: A protocol is the special set of rules that devices in a telecommunication connection use when they communicate with one another. Protocols specify interactions between the communicating devices.
n. Service: A network service is functionality that is provided to users of the network and is of some utility to them; e.g. file storage, file transfer, browser access to an interface, etc.
o. Standard Allowed Ports: Ports which carry network traffic for defined services which are allowed by standards; e.g. port 443 for HTTPS, port 22 for SSH2, port 25 for SMTP, etc.
p. Stateful Firewall Rules: A stateful firewall keeps track of the state of network connections and only allows streams of packets that are part of an active connection to be delivered from the destination device back to the device which initiated the conversation.
q. Trusted Network: An internal network that resides behind a firewall.
r. Trusted Link: A link within the Trusted Network defined above.
s. Virtual Routing & Forwarding (VRF): Virtual routing and forwarding (VRF) is a technology included in IP (Internet Protocol) network routers that allows multiple instances of a routing table to exist in a router and work simultaneously, allowing network paths to be segmented without using multiple devices. Because traffic is automatically segregated, VRF also increases network security and can eliminate the need for encryption and authentication. Internet service providers (ISPs) often take advantage of VRF to create separate virtual private networks (VPNs) for customers; thus the technology is also referred to as VPN routing and forwarding.
t. Whitelisting: A firewall uses a whitelist policy when communication from an approved list of network addresses is accepted but all other connections are refused. If the communication source address does not appear on the approved list, the communication is denied.
u. Zone (Domain): A zone is made up of multiple interfaces with the same or similar security requirements that are logically grouped together.

5. ROLES & RESPONSIBILITIES
● Architecture Review Board (ARB):
  ○ Engage stakeholders and subject matter experts to determine the standard
  ○ Review/Approve the Standard (this document)
● Enterprise Architecture ‐ Chief Enterprise Architect:
  ○ Update effective / last review date
  ○ Publish the Standard to OIT's public‐facing website and employee intranet (OIT Plaza)
● Chief Information Security Office ‐ Enterprise Security Architect:
  ○ Owner of the Standard
  ○ Engage stakeholders and subject matter experts to determine the standard
  ○ Update document standards and version number
  ○ Present to the Architecture Review Board for approval and adoption

6. STANDARD REQUIREMENTS
a. Architecture Diagram: The diagram below depicts the high‐level view of the potential choke points where a firewall must be put in place and a positive (whitelisting approach) firewall policy must be implemented to support a secure, business‐enabling flow of traffic between different zones (Domains).
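The following is an added illustration, not code from the standard or from OIT, of how three of the section 4 definitions combine in practice: a Positive Policy with a whitelist (4.l, 4.t), Stateful Firewall Rules (4.p) and a Bidirectional Firewall Rule (4.c). It filters a short constructed packet trace between constructed zone address ranges (user vlans, two data center resource vlans, an Internet address); the zone names, ranges and ports are assumptions for the example.

```python
"""Added illustration (not the standard's own code) of a positive-policy
whitelist (4.l, 4.t), stateful return-traffic handling (4.p) and a
bidirectional rule (4.c).  Address ranges and the packet trace are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One whitelist entry: the source zone may initiate to the destination zone/port.
    bidirectional=True means either side may initiate (definition 4.c)."""
    src_net: str
    dst_net: str
    proto: str
    dport: int
    bidirectional: bool = False


class StatefulPositiveFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # 5-tuples (src, dst, proto, sport, dport) of connections admitted so far
        self.connections = set()

    @staticmethod
    def _matches(rule, pkt):
        return (ip_address(pkt.src) in ip_network(rule.src_net)
                and ip_address(pkt.dst) in ip_network(rule.dst_net)
                and pkt.proto == rule.proto
                and pkt.dport == rule.dport)

    def _may_initiate(self, pkt):
        """Positive policy: a new connection is allowed only if some rule whitelists it."""
        for rule in self.rules:
            if self._matches(rule, pkt):
                return True
            if rule.bidirectional:
                # Mirror the zones so the destination side may also open the connection
                mirrored = Rule(rule.dst_net, rule.src_net, rule.proto, rule.dport)
                if self._matches(mirrored, pkt):
                    return True
        return False

    def filter(self, pkt):
        # Stateful rule (4.p): a packet flowing back towards the initiator of a
        # recorded connection is admitted without consulting the whitelist
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.connections:
            return "ACCEPT established"
        if self._may_initiate(pkt):
            self.connections.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return "ACCEPT new"
        # Everything not explicitly whitelisted is refused (4.t)
        return "DROP"


def run_trace():
    """Constructed zones: 10.10.0.0/16 user vlans, 10.20.0.0/24 and 10.30.0.0/24
    two data center resource vlans, 203.0.113.9 an Internet address."""
    fw = StatefulPositiveFirewall([
        Rule("10.10.0.0/16", "10.20.0.0/24", "tcp", 443),                     # users -> web
        Rule("10.20.0.0/24", "10.30.0.0/24", "tcp", 22, bidirectional=True),  # SFTP between DC zones
    ])
    trace = [
        Packet("10.10.5.7", "10.20.0.10", "tcp", 51000, 443),    # user opens HTTPS: whitelisted
        Packet("10.20.0.10", "10.10.5.7", "tcp", 443, 51000),    # server reply: established
        Packet("10.20.0.10", "10.10.5.7", "tcp", 443, 51001),    # server-initiated, no state: drop
        Packet("203.0.113.9", "10.20.0.10", "tcp", 40000, 443),  # Internet -> resource vlan: drop
        Packet("10.30.0.5", "10.20.0.10", "tcp", 52000, 22),     # mirrored bidirectional rule: allowed
        Packet("10.10.5.7", "10.20.0.10", "tcp", 51002, 80),     # port 80 not whitelisted: drop
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The third packet is the case the stateful definition is about: it comes from a server that is allowed to talk to the user vlan, but on a flow nobody on the trusted side opened, so it is dropped rather than matched against the whitelist in reverse.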
b. Traffic Access Requirements:
  i. Common Requirements:
    1. Firewall implementation and operation must enable business functions while ensuring business compliance and achieving protection needs
    2. All access (across boundaries) must be based on business needs
    3. Implement and enforce firewall Positive Policy and Whitelisting concepts
    4. Use defined standard ports and protocols
    5. Deviation from the use of defined standard ports and protocols must be supported by the vendor's documentation
    6. The use of custom ports and protocols must be reviewed and approved by the Security Architecture team
    7. Use encrypted versions of services
    8. Deviation from the use of encrypted versions of services must be reviewed and approved by the Security Architecture team
  ii. Perimeter Traffic:
    1. To the Internet Traffic:
      a. All outbound connections from servers must be NAT'd
      b. Direct access to the Internet from servers in the trusted network is prohibited
      c. Access to the Internet from servers in the trusted network must be reviewed and approved by the Security Architecture team
    2. From the Internet Traffic:
      a. All inbound traffic must be terminated in a DMZ
      b. All inbound traffic from the Internet to servers in the trusted network must be reviewed and approved by the Security Architecture team
  iii. DataCenter Traffic:
    1. To DataCenter Traffic:
      a. All traffic allowed to an agency data center must originate in the agency's DMZ or VRF
      b. All inbound traffic with direct access to an agency DataCenter must be reviewed and approved by the Security Architecture team
    2. Out of DataCenter Traffic:
      a. All outbound traffic from an agency's data center must be approved by the Security Architecture team
    3. Intra‐DataCenter Traffic:
      a. All traffic between zones within the DataCenter must be approved by the Security Architecture team, except traffic that is specifically allowed by this standard
    4. Inter‐DataCenter Traffic:
      a. All traffic between one agency's data center and another agency's data center must be approved by the Security Architecture team, except traffic that is specifically allowed by this standard
  iv. Agency Traffic:
    1. To the Agency Traffic:
      a. All traffic allowed from the Internet to the agency's user vlans must be approved by the Security Architecture team, except traffic that is specifically allowed by this standard
    2. From the Agency Traffic:
      a. All outbound traffic from the agency must be explicitly authorized; otherwise it should be denied
      b. All source addresses of traffic from the agency must be masqueraded/NAT'd
    3. Inter‐Agency Traffic:
      a. All traffic between one agency's data center and another agency's data center must be approved by the Security Architecture team, except traffic that is specifically allowed by this standard
  v. DMZ Traffic:
    1. To the Internet Traffic:
      a. All outbound traffic from a DMZ to the Internet must be approved by the Security Architecture team, except traffic that is specifically allowed by this standard
    2. From the Internet Traffic:
      a. All inbound traffic to a DMZ from the Internet must be approved by the Security Architecture team, except traffic that is specifically allowed by this standard
    3. To the Trusted Network Traffic:
      a. All inbound traffic from a DMZ to the Trusted Network must be approved by the Security Architecture team, except traffic that is specifically allowed by this standard
      b. The trusted link VLAN is a protected VLAN and should only be allowed outbound behind the agency firewall hide NAT. No DMZ traffic should be allowed into the Trusted Link
  vi. 3rd Party Service Provider Traffic:
    1. To the Internet Traffic:
      a. All outbound traffic from a 3rd party service provider to the Internet must be approved by the Security Architecture team, except traffic that is specifically allowed by this standard
    2. From the Internet Traffic:
      a. All inbound traffic from the Internet to the 3rd party service provider must be approved by the Security Architecture team, except traffic that is specifically allowed by this standard
    3. From the State Network Traffic:
      a. All traffic from the State Network to a 3rd party service provider must be approved by the Security Architecture team, except traffic that is specifically allowed by this standard
    4. To the State Network Traffic:
      a. All traffic from the State Network to a 3rd party service provider must be approved by the Security Architecture team, except traffic that is specifically allowed by this standard
c. Standard (Pre‐Approved) Ports and Protocol table:
* The Standard (Pre‐Approved) Ports and Protocol table will be maintained and updated by the Security Architecture Team. Entries/Updates will come from the outputs of the Firewall Change Request process as qualified standard changes. Existing standard changes will be reviewed and added as requested. Empty and/or incomplete cells will be updated periodically.
** This marks custom pre‐approved ports and protocols.
Service: Protocol‐Port, followed by the pre‐approved directions in the table's four columns (Perimeter | DataCenter | Agency | Provider/Partner). A "*" in a direction column is the custom pre‐approved marker (**). Rows whose direction cells could not be separated by column in the source list all of their directions together.

Web Based: TCP 443, TCP 8443*, TCP 80, TCP 8080*
  Perimeter: Internet → DMZ; DMZ → Internet
  DataCenter: Data Center → Internet
  Agency: User vlans → Agency Resource vlans
  Provider/Partner: User vlans → Provider/Partner

Remote Support: ICMP
  Perimeter: *
  DataCenter: Intra Data Center → Agency; Agency → Data Center
  Agency: Data Center → Agency; Agency → Data Center
  Provider/Partner: *

Active Directory:
  ● LDAP TCP/UDP 389
  ● Kerberos authentication TCP/UDP 88
  ● LDAPS (SSL) TCP 636
  ● LDAP GC TCP 3368
  ● LDAP GC SSL TCP 3369
  ● Kerberos Password Change/Set TCP/UDP 464
  Perimeter: *
  DataCenter: User vlans → Data Center
  Agency: Agency → Data Center
  Provider/Partner: *

File Transfer:
  ● SFTP TCP 22
  ● FTPS TCP 992
  Directions: User vlans → Data Center; Data Center → Data Center; Agency → Data Center; Internet → Data Center; Data Center → Provider/Partner

Network Management Services:
  ● SNMP v3 UDP 161 polling / UDP 162 traps
  ● SSH v2 TCP 22
  ● Syslog UDP 514
  ● Terminal Emulation ******
  ● Network Time Protocol UDP 123
  ● DHCP TCP/UDP 67, 68
    ○ UDP 67 (Client‐>Server)
    ○ UDP 68 (Server‐>Client)
  Directions: NTP: Data Center → Trusted Time Source; SSHv2: Agency → Data Center; Syslog: Data Center → Data Center; Terminal Emulation: Agency → Data Center

VMware ‐ vRealize Ops Mgr:
  ● SSH TCP 22
  ● HTTP (redirect) TCP 80
  ● NTP UDP 123
  ● HTTP TCP 443
  ● xDB TCP 1235
  ● V4V TCP 3091‐3094
  ● DB TCP 5433
  ● GemFire TCP 6061
  ● Cassandra TCP 7001
  ● Cassandra TCP 9042
  ● GemFire TCP, UDP 10000‐10010
  ● GemFire TCP, UDP 20000‐20010
  ● Hyperic Agent, Outbound TCP/2144, Inbound TCP/7443
  Directions: Intra Data Center → Data Center; Data Center → Data Center; Datacenter ‐> Agency*

Terminal Services:
  ● RDP TCP/UDP 3389
  ● RDPS TCP 443

VPN:
  ● SSL
    ○ SSTP TCP 443
  ● IPSec
    ○ PPTP TCP 1723
    ○ L2TP UDP 500
    ○ L2TP UDP 4500
    ○ IKEv2 UDP 500
    ○ IKEv2 UDP 4500
  Directions: Internet → DMZ; DMZ → Internet

VMware ‐ vRealize Config Mgr:
  FTP TCP 21; DNS TCP/UDP 53; DHCP UDP 68; TFTP UDP 69; HTTP TCP 80; Kerberos TCP, UDP 88; NTP TCP 123; RPC TCP, UDP 135; NetBIOS TCP, UDP 137, 138; SNMP UDP 162; LDAP TCP, UDP 389; HTTPS TCP 443; SMB TCP, UDP 445; ISAKMP TCP, UDP 500; LDAP/SSL TCP 636; MSSQL TCP 1433; MSSQL DBMS UDP 1434; MSSQL AS TCP, UDP 2383; LDAP GC TCP 3268; LDAP/SSL GC TCP 3269; RDP TCP, UDP 3389; NAT TCP, UDP 5355; EMC TCP 8882; * 21307; * 21309; HTTP * 26542; DCOM * 40610; DCOM * 47001; DCOM * 49152‐49154; DCOM * 49176; DCOM * 49178, 49179; DCOM * 54294; DCOM * 58613; DCOM * 58615; DCOM * 61615
  Directions: Data Center → Intra Data Center; Intra Data Center → Data Center; Data Center → Data Center; Data Center → Intra Data Center

Messaging Protocols:
  ● SMTP TCP 25
  ● IMAP TCP 143
  ● IMAPS 993
  Perimeter: *
  DataCenter: *
  Agency: *
  Provider/Partner: *

DataBase Management Services:
  ● MS SQL TCP 1433
  ● Informix TCP 1526
  ● Oracle TCP 1620
  Perimeter: *
  DataCenter: DMZ → Resource vlan in Data Center
  Agency: *
  Provider/Partner: *

Domain Name Service:
  ● DNS Zone Transfer TCP 53
  ● DNS Name Resolution UDP 53
  Perimeter: *
  DataCenter: *
  Agency: UDP Agency → Data Center
  Provider/Partner: *

Windows NetBIOS:
  ● NetBIOS Name Resolution UDP 137
  ● NetBIOS Datagram Svc UDP 138
  ● NetBIOS Session Svc TCP 139
  Perimeter: *
  DataCenter: *
  Agency: Data Center → Agency; Agency → Data Center
  Provider/Partner: *

Windows File Service:
  ● SMB/CIFS TCP 445
  Perimeter: *
  DataCenter: *
  Agency: Data Center → Agency; Agency → Data Center
  Provider/Partner: *
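As an added illustration (not the standard's or OIT's own tooling) of how a Firewall Change Request is triaged against section 6, the script below encodes the positive-policy default (6.b.i.3), the standard-versus-custom port rules (6.b.i.4 to 6.b.i.6), the encrypted-services rule (6.b.i.7 and 6.b.i.8), the perimeter rules (6.b.ii) and three rows of the pre-approved table above (Web Based, Active Directory, Windows File Service, the rows whose direction columns are unambiguous). Zone names follow the table's column labels; the sample requests, the `ChangeRequest`/`Decision` types and the review outcomes are constructed for the example.

```python
"""Added illustration (not the standard's own code) of checking a Firewall
Change Request against section 6.  Only table rows with unambiguous direction
columns are encoded; the sample requests are constructed."""
from dataclasses import dataclass, field


# Pre-approved entries from the section 6.c table.  "custom" holds the ports the
# table marks with *, which still need Security Architecture review (6.b.i.6).
PRE_APPROVED = {
    "Web Based": {
        "ports": {("tcp", 443), ("tcp", 80)},
        "custom": {("tcp", 8443), ("tcp", 8080)},
        "directions": {("Internet", "DMZ"), ("DMZ", "Internet"), ("Data Center", "Internet"),
                       ("User vlans", "Agency Resource vlans"), ("User vlans", "Provider/Partner")},
    },
    "Active Directory": {
        "ports": {("tcp", 389), ("udp", 389), ("tcp", 88), ("udp", 88),
                  ("tcp", 636), ("tcp", 464), ("udp", 464)},
        "custom": set(),
        "directions": {("User vlans", "Data Center"), ("Agency", "Data Center")},
    },
    "Windows File Service": {
        "ports": {("tcp", 445)},
        "custom": set(),
        "directions": {("Data Center", "Agency"), ("Agency", "Data Center")},
    },
}

# Cleartext services the table does not pre-approve, with the encrypted
# service the table lists instead (6.b.i.7, 6.b.i.8)
ENCRYPTED_ALTERNATIVE = {("tcp", 21): "SFTP TCP 22 or FTPS TCP 992"}


@dataclass(frozen=True)
class ChangeRequest:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


@dataclass
class Decision:
    status: str  # "PRE-APPROVED" or "REVIEW"
    reasons: list = field(default_factory=list)


def evaluate(req):
    key = (req.proto.lower(), req.port)
    direction = (req.src_zone, req.dst_zone)
    reasons = []

    # Perimeter rules (6.b.ii) are checked before the port table
    if direction == ("Trusted Network", "Internet"):
        reasons.append("direct Internet access from trusted-network servers is prohibited "
                       "(6.b.ii.1.b); outbound must be NAT'd and approved by Security "
                       "Architecture (6.b.ii.1.a, 6.b.ii.1.c)")
    elif direction == ("Internet", "Trusted Network"):
        reasons.append("inbound Internet traffic must terminate in a DMZ (6.b.ii.2.a); "
                       "reaching trusted-network servers needs Security Architecture "
                       "approval (6.b.ii.2.b)")
    if reasons:
        return Decision("REVIEW", reasons)

    for service, entry in PRE_APPROVED.items():
        if key in entry["ports"]:
            if direction in entry["directions"]:
                return Decision("PRE-APPROVED",
                                [f"{service}: standard port in a pre-approved direction (6.c)"])
            reasons.append(f"{service}: standard port, but {req.src_zone} -> {req.dst_zone} "
                           "is not a pre-approved direction (6.c)")
            break
        if key in entry["custom"]:
            reasons.append(f"{service}: custom pre-approved port (*), needs Security "
                           "Architecture review (6.b.i.6)")
            break
    else:
        # Positive policy: nothing outside the table is implicitly allowed (6.b.i.3)
        reasons.append("port/protocol not in the pre-approved table; deviation needs vendor "
                       "documentation and Security Architecture review (6.b.i.5, 6.b.i.6)")
        if key in ENCRYPTED_ALTERNATIVE:
            reasons.append(f"unencrypted service; use {ENCRYPTED_ALTERNATIVE[key]} or obtain "
                           "review for the deviation (6.b.i.7, 6.b.i.8)")
    return Decision("REVIEW", reasons)


def review_batch():
    """Constructed sample requests, one per outcome the rules above produce."""
    requests = [
        ChangeRequest("User vlans", "Agency Resource vlans", "tcp", 443),  # pre-approved
        ChangeRequest("User vlans", "Data Center", "tcp", 8443),           # custom (*) port
        ChangeRequest("Agency", "Data Center", "udp", 88),                 # pre-approved (AD)
        ChangeRequest("Agency", "Provider/Partner", "tcp", 445),           # direction not in table
        ChangeRequest("Trusted Network", "Internet", "tcp", 443),          # perimeter rule
        ChangeRequest("Agency", "Data Center", "tcp", 21),                 # unlisted and cleartext
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for decision in review_batch():
        print(decision.status, "|", "; ".join(decision.reasons))
```

The output of this check is a triage, not an approval: a "PRE-APPROVED" result still goes through the Firewall Change Request process described in section 3, and every "REVIEW" result names the clause that the Security Architecture team would cite.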
7. STANDARD REQUIREMENTS EXCEPTION AND UPDATES
a. All deviations from this standard must be documented following the Secure Configuration Exception Request process. The template for the Exception Request is available on Google Drive. The purpose of the Exception Request process is to address business or technical reasons for the inability to adhere to one or more requirements in this standard. Requests for exceptions should include compensating controls, that is, the processes, technologies or procedures proposed to mitigate any deviation from the standard requirement.
The Secure Configuration Exception Request form must be submitted to the Office of Information Security, using the [email protected] email address. For help in completing the form, please request assistance through the [email protected] mailbox. Exception requests will be processed and recommended for approval, conditional approval or denial to the State Chief Information Security Officer.
b. The Standard (Pre‐Approved) Ports and Protocol table will be maintained and updated by the Security Architecture Team. Entries/Updates will come from the outputs of the Firewall Change Request process as qualified standard changes. Existing standard changes will be reviewed and added as requested.

8. REVISION HISTORY
This standard is to be reviewed annually by the document owner and remains in effect until otherwise noted.

REVISION # | REVISED BY | BRIEF DESCRIPTION OF CHANGES | APPROVED BY | NEXT REVIEW DATE
0.1 | Mohamed Malki, Chris Schock, and Richard Steving | Initial Publication | Architecture Review Board |
0.3 | Casey Carlson | Copied to format for collaboration and review by ARB | |
0.4 | Casey Carlson | Ports added to table | Infrastructure Services |
1.0 | Casey Carlson | All changes resolved | ARB | 2017‐03