The network perimeter of a datacenter consists of the ingress (entry) and egress (exit) gateways between the datacenter and the external network.
Below are the security protection recommendations for this component, covering layer 3 and 4 datacenter firewall considerations, deep packet inspection needs, and network traffic metadata collection.
|Examples of Security Standard Controls met
|Administrative Account Management
|The administrator accounts on firewalls should be managed through a privileged account management service that prevents the creation of local accounts on the firewall and provides multifactor authentication, authorization and auditing for administrative access.
|Patch / Update Management
|The firewall device must be monitored for security patches and updated according to the criticality of the vulnerability addressed.
|The firewall device should have the ability to manage traffic by restricting / controlling traffic for any combination of the following:
|Review of Rulesets
|Firewall rulesets must be reviewed periodically so that rules that are no longer needed, have expired, or are broader than required are removed or re-justified.
|Changes to firewall rules must be implemented through an approved change management process.
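The two rule-management points above (periodic removal of unneeded or expired rules, and changes only through change management) are usually driven from a ruleset export plus hit counters. The script below is an added example, not part of the standard or of any vendor tooling: it parses a constructed export in an assumed CSV layout and flags rules a reviewer should act on, namely expired rules, rules with no hits inside the review window, and allow rules with wildcard source, destination and service. Each finding is a candidate change request, not an automatic deletion.

```python
"""Firewall ruleset review helper (added example, not part of the standard).

Reads a constructed ruleset export in an assumed CSV shape and flags rules a
periodic review should remove or re-justify: expired rules, rules with no hits
in the review window, and over-broad allow rules. Real firewalls export
different schemas; adapt parse_rules() to the device in use.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample export; column names are an assumption for this example.
SAMPLE_EXPORT = """\
id,src,dst,proto,dport,action,expires,last_hit,hits
10,10.0.0.0/8,10.20.5.10,tcp,443,allow,,2024-05-30,158213
11,203.0.113.0/24,10.20.5.11,tcp,22,allow,2024-03-31,2024-03-29,40
12,any,10.20.5.12,tcp,3389,allow,,,0
13,any,any,any,any,allow,,2024-05-30,99
14,0.0.0.0/0,10.20.5.13,tcp,25,deny,,2023-11-02,7
15,10.30.0.0/16,10.20.5.14,udp,53,allow,2025-01-01,2024-05-29,8812
"""


@dataclass
class Rule:
    id: str
    src: str
    dst: str
    proto: str
    dport: str
    action: str
    expires: Optional[date]
    last_hit: Optional[date]
    hits: int


def _parse_date(s: str) -> Optional[date]:
    return date.fromisoformat(s) if s else None


def parse_rules(text: str) -> list[Rule]:
    """Parse the CSV export into Rule objects (empty dates become None)."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append(Rule(
            id=row["id"], src=row["src"], dst=row["dst"], proto=row["proto"],
            dport=row["dport"], action=row["action"].lower(),
            expires=_parse_date(row["expires"]),
            last_hit=_parse_date(row["last_hit"]),
            hits=int(row["hits"] or 0),
        ))
    return rules


def _is_any(value: str) -> bool:
    return value.lower() in ("any", "0.0.0.0/0", "::/0")


def review_rules(rules: list[Rule], today: date, unused_days: int = 90) -> dict[str, list[str]]:
    """Return {rule_id: [findings]} for every rule the reviewer should act on."""
    cutoff = today - timedelta(days=unused_days)
    findings: dict[str, list[str]] = {}
    for r in rules:
        reasons = []
        if r.expires is not None and r.expires < today:
            reasons.append("expired")
        # Never matched, or not matched inside the window: remove or re-justify.
        if r.hits == 0 or r.last_hit is None or r.last_hit < cutoff:
            reasons.append(f"unused>{unused_days}d")
        # Allow with wildcard source, destination and service violates least
        # privilege regardless of how often it is hit.
        if r.action == "allow" and _is_any(r.src) and _is_any(r.dst) and _is_any(r.dport):
            reasons.append("overly-permissive")
        if reasons:
            findings[r.id] = reasons
    return findings


def review_sample(today_iso: str = "2024-06-01") -> dict[str, list[str]]:
    """Run the review over the constructed export for a given review date."""
    return review_rules(parse_rules(SAMPLE_EXPORT), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for rule_id, why in sorted(review_sample().items()):
        print(rule_id, ", ".join(why))
```

Run with a review date of 2024-06-01, it reports rule 11 as expired, rules 12 and 14 as unused for more than 90 days, and rule 13 as overly permissive; rules 10 and 15 are left alone. A deny rule that never matches is still flagged, since a silent deny usually means the rule above it already covers the traffic.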
|The firewall should capture traffic logs with enough metadata (timestamp, source and destination address and port, protocol, action, matching rule, byte and packet counts) for an external service to generate statistics that support security incident and forensic investigations.
|The firewall should support the ability to add/remove/change rules configuration remotely via an application programming interface (API). This facilitates the interconnection of other security devices such as a SIEM that may generate rules based on event or incident detection.
|The firewall should be configured to transmit security and audit logs to a central log management service under the control of the datacenter technical management group.
|The logs should also be retained in the central log service for a length of time determined by the data retention practice.
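The traffic-log and central-log requirements above only pay off if each log line carries the full 5-tuple, the action, the matching rule and byte counts. The following added example (constructed log lines in an assumed format, not output from any real device or from the standard) shows the kind of statistics an external service can derive from such metadata: bytes per source, denies per rule, and sources denied on many distinct ports of one host, which is the usual first indicator of a port scan. Lines missing any field are counted rather than silently dropped, so an incomplete logging configuration shows up in the numbers.

```python
"""Flow-log metadata statistics (added example, not part of the standard).

Derives investigation statistics from firewall traffic logs that carry the
5-tuple, action, rule id and byte count. The space-separated format below is
constructed for this example; real devices use their own schemas.
"""
from collections import Counter, defaultdict

# Field order assumed for the constructed log lines.
FIELDS = ("ts", "src", "sport", "dst", "dport", "proto", "action", "rule", "bytes")

# Constructed sample log; the last line deliberately lacks fields.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 198.51.100.7 51000 10.20.5.10 443 tcp allow 10 5120
2024-06-01T10:00:02Z 198.51.100.7 51001 10.20.5.10 443 tcp allow 10 4096
2024-06-01T10:00:05Z 203.0.113.9 40001 10.20.5.12 22 tcp deny 99 60
2024-06-01T10:00:05Z 203.0.113.9 40002 10.20.5.12 23 tcp deny 99 60
2024-06-01T10:00:06Z 203.0.113.9 40003 10.20.5.12 80 tcp deny 99 60
2024-06-01T10:00:06Z 203.0.113.9 40004 10.20.5.12 443 tcp deny 99 60
2024-06-01T10:00:07Z 203.0.113.9 40005 10.20.5.12 3389 tcp deny 99 60
2024-06-01T10:00:07Z 203.0.113.9 40006 10.20.5.12 8080 tcp deny 99 60
2024-06-01T10:00:09Z 10.30.1.5 53123 10.20.5.14 53 udp allow 15 180
2024-06-01T10:00:12Z 198.51.100.7 51002 10.20.5.10 443 tcp allow 10 900000
2024-06-01T10:00:13Z 10.30.1.6 10.20.5.14 53 udp allow
"""


def parse_log(text):
    """Return (records, skipped): parsed lines and the count of incomplete ones."""
    records, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            # Incomplete metadata cannot feed statistics; count it so that a
            # misconfigured log format is visible to the reviewer.
            skipped += 1
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("sport", "dport", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records, skipped


def bytes_by_src(records):
    """Total bytes per source address (top talkers)."""
    totals = Counter()
    for r in records:
        totals[r["src"]] += r["bytes"]
    return totals


def denies_by_rule(records):
    """How often each rule id produced a deny."""
    return Counter(r["rule"] for r in records if r["action"] == "deny")


def port_scan_suspects(records, min_ports=5):
    """(src, dst) pairs denied on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "deny":
            ports[(r["src"], r["dst"])].add(r["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print("parsed", len(recs), "skipped", bad)
    print("top talkers", bytes_by_src(recs).most_common(3))
    print("denies by rule", dict(denies_by_rule(recs)))
    print("scan suspects", port_scan_suspects(recs))
```

On the sample, 198.51.100.7 dominates by bytes, every deny comes from rule 99, and 203.0.113.9 is flagged against 10.20.5.12 on six distinct ports; the one malformed line is reported as skipped rather than distorting the totals. The same functions run unchanged over lines pulled from the central log service as long as they are normalized to the assumed field order.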
|IDS / IPS
|It is recommended that an intrusion detection system (IDS) or intrusion prevention system (IPS) be deployed at the gateways of networks or services. The IPS and gateway visibility services at the University's Internet gateway fulfil that recommendation for externally originating attacks, but provide minimal protection against internally generated attacks, since that traffic does not cross the Internet gateway. The likelihood of high-impact attacks originating internally is assessed to be lower than that of externally originating attacks because internal enforcement and consequences can be applied against attackers.