The network perimeter of a datacenter consists of the ingress (entry) and egress (exit) gateways between the datacenter and the external network.
Below are the security protection recommendations for this component, including layer 3 and 4 datacenter firewall considerations, deep packet inspection needs, and network traffic metadata collection.

Columns: # | Topic | Requirement | Examples of Security Standard Controls met

1  Administrative Account Management
   Requirement: The administrator accounts on firewalls should be managed using a privileged account management service that prevents the creation of local accounts on the firewall and allows for the use of multifactor authentication methods as well as auditing and authorization for administrative access.

2  Patch / Update Management
   Requirement: The firewall device must be monitored for security patches and updated according to the criticality of the vulnerability.
   Controls met: OPS-FW-02; IFS-DC-05

3  Firewall Requirements
   Requirement: The firewall device should have the ability to manage traffic by restricting / controlling traffic for any combination of the following:
   • IP address
   • Protocol
   • Port
   • Inbound
   • Outbound
   • IPv4
   • IPv6
   Controls met: AS-ND-04; FW-05; DC-01; 02

4  Review of Rulesets
   Requirement: Firewall rulesets must be evaluated periodically to ensure that unneeded or expired access rules are removed.
   Controls met: OPS-FW-03

5  Change Management
   Requirement: Changes to firewall rules must be implemented through an approved change management process.

6  Log Generation
   Requirement: The firewall should be able to capture traffic logs containing sufficiently detailed metadata to allow an external service to generate statistics that can be used for security incident and forensic investigations.
   Controls met: IFS-SL-05

7  API Interface
   Requirement: The firewall should support the ability to add, remove and change rule configuration remotely via an application programming interface (API). This facilitates the interconnection of other security devices, such as a SIEM, that may generate rules based on event or incident detection.

8  Log Retention
   Requirement: The logs should also be stored in the central log service for a length of time determined by the data retention practice.
   Controls met: IFS-SL-05

9  Log Management
   Requirement: The firewall should be configured to transmit security and audit logs to a central log management service under the control of the datacenter technical management group.
   Controls met: IFS-SL-05

10 Traffic Accounting
   Requirement:
   • An external service should be available to provide network traffic accounting that encompasses statistics or metadata grouped by TCP connection: source and destination IP address, source and destination ports, and byte and packet counts.
   • The external service must collect, store and analyze the generated data (e.g. NetFlow).
   Controls met: OPS-PM

11 IDS / IPS
   Requirement: It is recommended that intrusion detection (IDS) or intrusion prevention (IPS) be deployed for networks or services at gateways to provide protection against internally generated attacks. The IPS and gateway visibility services at the University's Internet gateway fulfill that recommendation and protect against external attacks, but provide minimal network protection against internally generated attacks. The likelihood of high-impact attacks originating internally is assessed to be lower than that of externally originating attacks because of the ability to apply internal enforcement and consequences against attackers.
   Controls met: IFS-DP-02
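As an added example of the traffic accounting described in row 10 (it is not part of the original requirements document and does not model any vendor's log format), the script below ingests constructed firewall traffic records in a hypothetical space-separated format and aggregates them into the per-TCP-connection statistics the external accounting service is expected to produce: source and destination address and port, with byte and packet counts. Both directions of one connection are folded into a single entry, IPv4 and IPv6 are handled, and malformed or non-TCP records are counted rather than silently dropped.

```python
"""Per-connection traffic accounting over firewall traffic logs (row 10)."""
from collections import defaultdict
import ipaddress

# Constructed sample records in a hypothetical, space-separated log format:
# timestamp direction proto src_ip src_port dst_ip dst_port packets bytes
SAMPLE_LOG = """\
1700000000 in  tcp 203.0.113.7 51514 192.0.2.10 443 3 180
1700000001 in  tcp 203.0.113.7 51514 192.0.2.10 443 12 9400
1700000002 out tcp 192.0.2.10 443 203.0.113.7 51514 9 41200
1700000003 in  udp 203.0.113.9 53000 192.0.2.53 53 1 78
1700000004 in  tcp 2001:db8::1 40000 2001:db8:1::10 22 5 600
1700000005 in  tcp 2001:db8::1 40000 2001:db8:1::10 22 2 140
1700000006 in  tcp bad-address 1 192.0.2.10 80 1 60
"""

def parse_record(line):
    """Return (key, direction, packets, bytes) or None for malformed/non-TCP lines."""
    f = line.split()
    if len(f) != 9 or f[2] != "tcp" or f[1] not in ("in", "out"):
        return None
    try:
        src, dst = ipaddress.ip_address(f[3]), ipaddress.ip_address(f[5])
        sport, dport, packets, nbytes = (int(x) for x in (f[4], f[6], f[7], f[8]))
    except ValueError:
        return None
    if src.version != dst.version:  # one connection cannot mix IPv4 and IPv6 ends
        return None
    # Canonical key (external_ip, external_port, internal_ip, internal_port): inbound and outbound records of the same connection share one bucket.
    key = (str(src), sport, str(dst), dport) if f[1] == "in" else (str(dst), dport, str(src), sport)
    return key, f[1], packets, nbytes

def account(log_text):
    """Aggregate records into per-connection counters; returns (stats, skipped_count)."""
    stats = defaultdict(lambda: {"packets_in": 0, "bytes_in": 0, "packets_out": 0, "bytes_out": 0})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:  # count gaps: missing records matter in a forensic timeline
            skipped += 1
            continue
        key, direction, packets, nbytes = rec
        stats[key]["packets_" + direction] += packets
        stats[key]["bytes_" + direction] += nbytes
    return dict(stats), skipped

def top_connections(stats, n=5):
    """Rank connections by total bytes, a usual first cut in an investigation."""
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes_in"] + kv[1]["bytes_out"],
                  reverse=True)[:n]
```

Calling account(SAMPLE_LOG) yields two connections (one IPv4, one IPv6) and two skipped records, the UDP line and the line with an unparseable address.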