Firewalls shall be installed and activated on all the organization's networks.
Guidance
Consider the following:
- Install and operate a firewall between your internal network and the Internet. This may be a function of a (wireless) access point/router, or it may be a function of a router provided by the Internet Service Provider (ISP).
- Ensure there is antivirus software installed on purchased firewall solutions and ensure that the
administrator’s log-in and administrative password is changed upon installation and regularly thereafter.
- Install, use, and update a software firewall on each computer system (including smart phones and
other networked devices).
- Have firewalls on each of your computers and networks even if you use a cloud service provider or a
virtual private network (VPN). Ensure that for telework home network and systems have hardware
and software firewalls installed, operational, and regularly updated.
- Consider installing an Intrusion Detection / Prevention System (IDPS). These devices analyse network
traffic at a more detailed level and can provide a greater level of protection.
Where appropriate, network integrity of the organization's critical systems shall be protected by incorporating network segmentation and segregation.
Guidance
- Consider creating different security zones in the network (e.g. basic network segmentation through
VLAN’s or other network access control mechanisms) and control/monitor the traffic between these zones.
- When the network is "flat", the compromise of a vital network component can lead to the compromise of the entire network.
Where appropriate, network integrity of the organization's critical systems shall be
protected by
(1) Identifying, documenting, and controlling connections between system components.
(2) Limiting external connections to the organization's critical systems.
Guidance
Boundary protection mechanisms include, for example, routers, gateways, unidirectional gateways,
data diodes, and firewalls separating system components into logically separate networks or
subnetworks.
The organization shall implement, where feasible, authenticated proxy servers for defined
communications traffic between the organization's critical systems and external networks.
The organization shall monitor and control connections and communications at the external
boundary and at key internal boundaries within the organization's critical systems by
implementing boundary protection devices where appropriate.
Guidance
Consider implementing the following recommendations:
- Separate your public WIFI network from your business network.
- Protect your business WIFI with state-of-the-art encryption.
- Implement a network access control (NAC) solution.
- Encrypt connections to your corporate network.
- Divide your network according to security levels and apply firewall rules. Isolate your networks for
server administration.
- Force VPN on public networks.
- Implement a closed policy for security gateways (deny all policy: only allow/open connections that
have been explicitly pre-authorized).
The organization shall ensure that the organization's critical systems fail safely when a border protection device fails operationally.
The data processing environment is separated from public data networks and other environments with a lower security level in a sufficiently safe manner.
Separation of data systems is one of the most effective factors in protecting confidential information. The goal of separation is to delimit the processing environment of confidential information into a manageable entity, and in particular to be able to limit the processing of confidential information to sufficiently secure environments only. Separation of environments can be implemented, for example, with the help of a firewall solution.
The organisation must have the following firewall rules configured and documented:
Tietoliikenneverkon vyöhykkeistäminen ja suodatussäännöstöt on toteutettava monitasoisen suojaamisen periaatteen mukaisesti.
Tietoliikenneverkon jakaminen ko. turvallisuusluokan sisällä erillisille verkkoalueille (vyöhykkeet ja segmentit) voi tarkoittaa esimerkiksi tietojen suojaamisen näkökulmasta tarkoituksenmukaista työasema- ja palvelinerottelua, kattaen myös mahdolliset hankekohtaiset erottelutarpeet.
Vaatimus voidaan täyttää alla mainituilla toimenpiteillä:
An appropriate log is generated from the use of the network to enable the detection of actions relevant to cyber security.
The normal state of network traffic (traffic volumes, protocols, and connections) is known. In order to detect anomalies, there is a procedure for detecting events that are different from the normal state of network traffic (for example, anomalous connections or their attempts).
An owner is defined for an organization's networks. The owner is responsible for planning the structure of the network and documenting it.
Separate network areas are used in network design as needed. Domain areas can be defined by e.g.:
Separation can be implemented either with physically separate networks or with logically separate networks.
In case of a connection loss or a fault in the network systems, such as:
The organization should ensure that their critical systems fail safely, to reduce further damage.
The organization deploys authenticated proxy servers to manage and secure communication traffic between the organization’s critical systems and external networks. Review existing network architecture, identify communication channels that connect critical systems to external entities, and implement proxy servers where feasible. Secure authentication protocols should be used to secure the traffic.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.
.png)
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
