IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
Establishment of the Consoles, Devices with exchangeable data media, and
printers.
- A firewall is based on a security policy defined for the network requiring
protection and allows only the connections contained herein. It must be
possible to permit these connections separately according to IP address,
service, time, direction and user.
- Suitable personnel must be available for the planning and operation of a
firewall. The time required to operate a firewall must not be
underestimated. Experience has shown that an analysis of the accumulated
log data alone is very time consuming. A firewall administrator must have
a detailed knowledge of the IT components used and be trained
accordingly.
- The users of the local network should only be affected by the use of a
firewall to the smallest possible extent.
A firewall can protect the internal network against many of the dangers
encountered when connecting to the Internet, but not against all of them. Thus,
when a firewall is established and a firewall security policy is elaborated, it is
necessary to be aware of the firewall's limits.
- Protocols are tested, not the contents. Testing the protocol confirms, for
example, that an E-mail was delivered using commands that comply with
the rules, but cannot provide any information about the actual content of
the E-mail.
- The filtering of active contents may only be partially successful.
- As soon users are allowed to communicate over a firewall, they can create
a tunnel from the protocol they are using for any other protocol. An
internal perpetrator could thereby enable an external party to access
internal computers.
- In reality, it is not possible to restrict Internet access to certain Web servers
because too many WWW servers can be used as proxies, making it easy to
bypass the blockage of particular IP addresses.
- The filter software is often still immature. For instance, it possible that
some forms of address are not included. The following example with the
BSI Web server shows which possible forms of address are available. The
list is far from complete, as individual letters can also be represented by
escape sequences.
WWW.BSI.BUND.DE
WWW.BSI.DE
194.95.176.226
3261051106
- The filtering of spam mails is not yet fully developed. No firewall can
determine beyond doubt whether a user wishes to receive a particular Email
or not. Spam mails will only disappear when it is possible to be sure
who the sender is, and it will take a while before this happens.
- Firewalls do not safeguard systems against all denial of service attacks. For
example, if a perpetrator disables the connection to the provider, even the
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000