A written Security Policy is becoming a requirement for some industries as mandated by government regulation, including financial and healthcare organizations. Parts of the Sarbanes-Oxley Act also apply to a corporation s Security Policy.
Having a written Security Policy can help the security manager and administrator perform their jobs better and receive executive-level support for technologies and training.
Developing a Security Policy before implementing security products will help to ensure that the deployed product meets the requirements of the business and is properly configured.
A written Security Policy will provide an organization with direction and accountability in the implementation and maintenance of an information security program.
One of the most important aspects of writing a Security Policy is community involvement. Everyone with a stake or interest should be involved in the writing of certain aspects of the Security Policy.
Writing a Security Policy should reflect your business needs and how you will manage the risks posed by those needs.
An Executive Information Security Policy should be simple, readable, and accessible to users.
An Information Security Policy is composed of an Executive Security Policy and specific standards, guidelines, and procedures. In addition to the Executive Security Policy, a Perimeter Network Security Policy or a Firewall Security Policy can detail specific standards for implementing a firewall and procedures for maintaining it.
The translation of a written policy to a Check Point NG AI policy is a step-by-step process. First, define your network objects. Then compose rules that enforce your written policy, specifying the actions to be taken when a packet matches the defined criteria.
When creating a rule base, the ordering of rules is critical. Because packets are evaluated against the rules in the rule base from the top to the bottom, incorrect positioning can have undesirable consequences.
The initial policy of Check Point NG AI is to deny everything. Use this to your advantage and configure your Security Policy from the perspective that you will only allow what is needed and everything else will be disallowed . This is much more secure than the approach to allow everything and only disallow that which you know is harmful .
Consider putting the most-often-matched rules near the top of the rule base to increase performance.
When you install a policy, it will be verified by Check Point NG AI and then compiled into INSPECT code.
When you choose install policy from the GUI, it executes the fw load command.
The *.W file is derived from the GUI rule base. It can be edited with a text editor.
The *.PFfile is INSPECT script created from the *.W file in the install process.
The objects_5_0.C file contains object definitions.
The rulebases_5_0.fws file is an aggregation of all the *.W files.