So, a long-awaited event has occurred: in addition to the previously released anti-virus protection profiles, FSTEC of Russia has released (or, more precisely, posted on its site) the requirements for firewalls, including software firewalls for installation on workstations. Unfortunately, not all of the documents have been posted: as usual, only the profiles for the fourth, fifth and sixth protection classes are published. The remaining protection classes are described in documents marked "for official use" (DSP) and are not available to the general public.
What should firewalls be able to do according to FSTEC?
According to the Information Message "On Approval of Methodological Documents Containing Firewall Protection Profiles" dated September 12, 2016, No. 240/24/4278, the following types of protection profiles have been developed:
- network-level firewall (type "A"): a firewall used on the physical boundary (perimeter) of the information system or between the physical boundaries of its segments. Type A firewalls can only be implemented as hardware-software appliances;
- firewall at the level of logical network boundaries (type "B", Cyrillic Б): a firewall used on the logical boundary (perimeter) of the information system or between the logical boundaries of its segments. Type B firewalls may be implemented in software or as hardware-software appliances;
- node-level firewall (type "V", Cyrillic В): a firewall used on a node (host) of the information system. Type V firewalls can only be implemented in software and are installed on the mobile or stationary hardware of a specific node of the information system;
- web-server-level firewall (type "G", Cyrillic Г): a firewall used on a server that hosts sites, web services and web applications, or on the physical boundary of a segment of such servers. Type G firewalls may be implemented in software or as hardware-software appliances and must provide control and filtering of information flows that use the hypertext transfer protocol, both to and from the web server;
- industrial-network-level firewall (type "D", Cyrillic Д): a firewall used in automated control systems for technological or production processes. Type D firewalls may be implemented in software or as hardware-software appliances and must provide control and filtering of industrial data transmission protocols (Modbus, Profibus, CAN, HART, Industrial Ethernet and/or other protocols).
For types A, B and V there are requirements for firewalls from the first to the sixth protection class; for types G and D, only from the sixth to the fourth.
First of all, about the protection classes. According to the Information Message "On Approving Firewall Requirements" dated April 28, 2016, No. 240/24/1986:
Firewalls corresponding to protection class 6 are used in state information systems of protection classes 3 and 4 *, in automated control systems for production and technological processes of protection class 3 **, and in personal data information systems when it is necessary to ensure levels 3 and 4 of personal data protection ***.
Firewalls corresponding to protection class 5 are used in state information systems of protection class 2 *, in automated control systems for production and technological processes of protection class 2 **, and in personal data information systems when it is necessary to ensure level 2 of personal data protection ***.
Firewalls corresponding to protection class 4 are used in state information systems of protection class 1 *, in automated control systems for production and technological processes of protection class 1 **, in personal data information systems when it is necessary to ensure level 1 of personal data protection ***, and in public information systems of class II ****.
Firewalls corresponding to protection classes 3, 2 and 1 are used in information systems that process information constituting a state secret.
* Established in accordance with the Requirements for the Protection of Information Not Constituting a State Secret Contained in State Information Systems, approved by Order of FSTEC of Russia No. 17 dated February 11, 2013.
** Established in accordance with the Requirements for Ensuring the Protection of Information in Automated Control Systems for Production and Technological Processes at Critical Facilities, Potentially Hazardous Facilities, and Facilities Posing an Increased Danger to Human Life and Health and to the Environment, approved by Order of FSTEC of Russia No. 31 dated March 14, 2014.
*** Established in accordance with the Requirements for the Protection of Personal Data During Their Processing in Personal Data Information Systems, approved by Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012.
**** Established in accordance with the Requirements for the Protection of Information Contained in Public Information Systems, approved by Order of the FSB of Russia and FSTEC of Russia No. 416/489 dated August 31, 2010.
It can be predicted that, as with anti-virus software, there will be no certified products for the protection classes numbered lower than the fourth. We therefore consider the protection profile for the fourth protection class. It must be said that the requirements for all types are quite similar, so as an example we take the type V profile (if there is interest, we can add the differences for the other types). This profile is available here.
What is a firewall according to the profile?
Software that implements the functions of control and filtering, in accordance with given rules, of the information flows passing through it.
According to the profile, the firewall should counter the following information security threats:
- unauthorized access to information contained in the information system due to the presence of uncontrolled network connections to the information system;
- denial of service of the information system and/or its individual components due to uncontrolled network connections, vulnerabilities in network protocols, shortcomings in the configuration of protection mechanisms, or vulnerabilities in the software of the information system's hardware and software. Here is an interesting way of implementing the threat: "establishing network connections with the information system and (or) its individual components that are not provided for by the information processing technology, in order to send multiple network packets (requests) until they fill the bandwidth of the data transmission channel, or to send specially crafted anomalous network packets (requests) of large size or non-standard structure". Does it follow that the firewall should provide DDoS protection? It is strange that no other ways of realizing the threat of establishing unauthorized connections are given;
- unauthorized transfer of information from the information system to information and telecommunication networks or other information systems, caused either by the introduction of malicious software that sends protected information to the intruder's computing equipment, or by a user of the information system sending protected information to the intruder's computing equipment;
- unauthorized impact on the firewall with the aim of disrupting its operation, including overcoming or bypassing its security functions, by sending specially crafted network packets to the firewall's interfaces.
In particular, the following security functions must be implemented in the firewall:
- control and filtering;
- identification and authentication;
- registration of security events (audit);
- ensuring continuous operation and recovery;
- integrity testing and control;
- management (administration);
- interaction with other information protection tools that are certified for compliance with the information security requirements of the corresponding protection class.
Let us expand these requirements in more detail:
- The firewall should "filter network traffic by senders of information, recipients of information and all operations of moving information through the firewall to the nodes of the information system and from them". If the first part of the requirement is quite logical, the second is utopian, since it requires the firewall to parse all protocols and any undocumented ways of moving information (for example, the transfer of information by malware via DNS).
Interestingly, the FW_ARP_EXT.2 component specifies that the firewall should be able to block an unauthorized information flow that uses the hypertext transfer protocol; nothing is said about other protocols. Should the firewall block the transfer of information over them? Incidentally, it is quite possible that this item got into the document from the type G profile, where this particular protocol receives a lot of attention;
- The firewall should filter by the following criteria: network address of the sending node, network address of the receiving node, network protocol, transport protocol, source and destination ports within a session, allowed (prohibited) commands, allowed (prohibited) mobile code, and allowed (prohibited) application-layer protocols. The firewall should also be able to "implement the packet filtering policy taking into account control commands from other types of information security tools interacting with the firewall". In addition, the firewall should be able to identify the software that establishes connections and assign permissive and/or prohibitive security attributes to it for subsequent filtering;
- The firewall should be able to "check each packet against the state table to determine whether the state (status, type) of the packet conflicts with the expected state";
- The firewall should have "the ability to check the use of network resources containing mobile code for which the firewall administrator has set permissive or restrictive security attributes". Does this mean that the firewall should be able to remotely check network resources "containing specific types of mobile code"? A strange requirement, more applicable to anti-viruses. Most likely this should be a separate operation performed on request. Based on the results of the check, the firewall should be able to allow or deny access to such resources;
- The firewall should have "the ability to allow/prohibit an information flow based on the results of checks". It is not specified on the basis of which checks the flow should be prohibited or allowed. It would be logical if prohibitions or permissions were defined at the level of predefined rules;
- The firewall should be able to register and record the performance of checks on network traffic, and to read such records, including with search and filtering. According to the profile, the events to be recorded are those "which, in accordance with the national standard of the Russian Federation GOST R ISO/IEC 15408-2-2013 'Information technology. Security techniques. Evaluation criteria for IT security. Part 2. Security functional components', are included in the basic audit level";
- The firewall must support administrator roles and the ability to identify and authenticate an administrator before that administrator carries out the actions permitted to them;
- The firewall should be able to create and assign different profiles (sets of settings);
- The firewall should be able to maintain a state table for each connection with its status;
- The firewall should have "the ability to switch to an emergency support mode that provides for returning the firewall to normal operation" and "the ability to test (self-test) the firewall's security functions (integrity control of the firewall's executable code)";
- The firewall should have "the ability to issue warning messages to the firewall user", including the ability to "block access to the computing equipment".
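To make the filtering criteria and the state-table check from the list above concrete, here is an added example (not code from the profile, from FSTEC, or from any certified product): a minimal stateful packet filter. Rules match on sender and recipient network address, transport protocol and destination port; every packet is then checked against a per-connection state table, so a segment whose state conflicts with what the table expects (an ACK with no handshake, an unsolicited SYN-ACK) is rejected; and a rule may require that traffic to a port actually carry the named application-layer protocol, here with a cheap DNS sanity check standing in for the "allowed application-layer protocols" criterion. Each check is recorded in an audit list. The addresses, ports, rule set and packets are constructed for the example.

```python
# Added example (not FSTEC or vendor code): a minimal stateful filter around the profile's criteria.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                           # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()       # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"; first matching rule wins
    src: str = "0.0.0.0/0"               # sender network address
    dst: str = "0.0.0.0/0"               # recipient network address
    proto: Optional[str] = None          # transport protocol
    dport: Optional[int] = None          # destination port
    app: Optional[str] = None            # application-layer protocol the payload must be

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src) and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))

def looks_like_dns(payload: bytes) -> bool:
    # Cheap DNS query sanity check: 12-byte header, qdcount >= 1, legal label lengths.
    if len(payload) < 12 or int.from_bytes(payload[4:6], "big") == 0:
        return False
    i = 12
    while i < len(payload):
        n = payload[i]
        if n == 0 or n >= 0xC0:          # end of name, or a compression pointer
            return True
        if n > 63:                       # longer than any legal label
            return False
        i += 1 + n
    return False

class StatefulFilter:
    def __init__(self, rules: list):
        self.rules = rules
        self.state: dict = {}            # connection key -> state
        self.audit: list = []            # record of every check performed
    def _rule_decision(self, p: Packet) -> tuple:
        for r in self.rules:
            if r.matches(p):
                if r.action == "deny":
                    return False, "denied by rule"
                if r.app == "dns" and not looks_like_dns(p.payload):
                    return False, f"payload on port {p.dport} is not {r.app}"
                return True, "allowed by rule"
        return False, "no rule matched (default deny)"
    def _decide(self, p: Packet, k: tuple, rk: tuple) -> tuple:
        if p.proto == "udp" and rk in self.state:        # reply to a tracked udp request
            return True, "reply to tracked udp request"
        if p.proto == "udp" or p.flags == {"SYN"}:       # new flow: consult the rules
            ok, why = self._rule_decision(p)
            if ok:
                self.state[k] = "UDP_REQUEST" if p.proto == "udp" else "SYN_SENT"
            return ok, why
        if p.flags == {"SYN", "ACK"}:                    # must answer a tracked SYN
            if self.state.get(rk) != "SYN_SENT":
                return False, "SYN-ACK without preceding SYN"
            self.state[rk] = "SYN_RECV"
            return True, "handshake reply"
        if self.state.get(k) == "SYN_RECV":              # client's final handshake ACK
            self.state[k] = "ESTABLISHED"
        if "ESTABLISHED" in (self.state.get(k), self.state.get(rk)):  # any later segment
            return True, "established connection"
        return False, "packet state conflicts with state table"
    def check(self, p: Packet) -> tuple:
        k = (p.proto, p.src, p.sport, p.dst, p.dport)
        rk = (p.proto, p.dst, p.dport, p.src, p.sport)   # opposite direction
        ok, why = self._decide(p, k, rk)
        self.audit.append(f"{p.src}:{p.sport}->{p.dst}:{p.dport} {'ALLOW' if ok else 'DENY'}: {why}")
        return ok, why

def run_example():
    fw = StatefulFilter([Rule("allow", src="10.0.0.0/24", proto="tcp", dport=443),
                         Rule("allow", src="10.0.0.0/24", proto="udp", dport=53, app="dns"),
                         Rule("deny")])
    dns_query = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x07example\x03com\x00\x00\x01\x00\x01"
    not_dns = dns_query[:12] + b"\x64" + b"A" * 100      # 100-byte "label": not a DNS name
    traffic = [                                          # constructed sample packets
        Packet("10.0.0.5", "93.184.216.34", "tcp", 40000, 443, frozenset({"SYN"})),
        Packet("93.184.216.34", "10.0.0.5", "tcp", 443, 40000, frozenset({"SYN", "ACK"})),
        Packet("10.0.0.5", "93.184.216.34", "tcp", 40000, 443, frozenset({"ACK"})),
        Packet("10.0.0.5", "93.184.216.34", "tcp", 40001, 443, frozenset({"ACK"})),     # no handshake
        Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 40002, frozenset({"SYN", "ACK"})),  # unsolicited
        Packet("10.0.0.5", "10.0.0.53", "udp", 5555, 53, payload=dns_query),
        Packet("10.0.0.53", "10.0.0.5", "udp", 53, 5555, payload=dns_query),           # reply
        Packet("10.0.0.5", "10.0.0.53", "udp", 5556, 53, payload=not_dns),             # port 53, not DNS
    ]
    return fw, [fw.check(p) for p in traffic]
```

Running `run_example()` allows the three-way handshake and the DNS request and its reply, and denies the ACK that has no handshake behind it, the unsolicited SYN-ACK, and the port-53 packet whose payload is not DNS; the reasons end up in `fw.audit`. This is deliberately a toy: there are no timeouts or table limits, no fragment reassembly, no per-application attribution, and the DNS check only inspects the question name, so it will not catch well-formed queries that tunnel data inside the name; it illustrates the shape of the requirements rather than satisfying them.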
Well, that's all. The functional requirements end on page 28, and the rest of the document (78 pages in total) repeats what was written earlier and adds requirements for software release, documentation and support procedures.
The profile states that the functional security requirements for the firewall are based on GOST R ISO/IEC 15408-2-2013 "Information technology. Security techniques. Evaluation criteria for IT security. Part 2. Security functional components", and they closely resemble the requirements of the anti-virus protection profiles.
Unfortunately, the open part contains no diagrams showing where a certified type V firewall should be placed. But even from the list of functionality it is clear that FSTEC currently does not consider the protection of home users, mobile users, or mobile devices.
Since firewalls designed to protect workstations, which fall under type V, often include intrusion prevention functionality, it is interesting whether there are requirements for it. The reviewed profiles contain no such requirements, but they are found in the FSTEC methodological document "Measures to Protect Information in State Information Systems". According to this document:
- anti-virus and anti-spam protection should be applied on firewalls (requirements AVZ.1 and OTsL.4);
- the information system should cluster its information security tools (where technically possible), including firewalls;
- intrusion detection (prevention) should be carried out at the external boundary of the information system (network-level intrusion detection system) and/or on internal nodes (host-level intrusion detection systems) of the information system segments (workstations, servers and other nodes) defined by the operator.
It is stated that intrusion protection tools should be able to analyze traffic, update their rules, and support centralized management. Rules must be editable.
So, what do we have? At first glance, the basic functionality of a personal firewall is described. But:
- Although this type of firewall is meant to be used as part of an information system, there are no requirements for centralized management. It is only required that a trusted control channel be provided by the operating environment. Recall that the anti-virus profiles have separate profiles for centrally managed solutions and for standalone ones;
- Despite the requirement to filter connections from specific applications, there are no requirements for a database of application profiles. Without such rule bases, the administrator will have to configure each new connection by hand. Not convenient at all;
- There are no requirements for operating modes: deny everything / allow everything / learning mode. Is each connection supposed to be configured one by one?
- There is no list of controlled protocols. Only one is mentioned: HTTP. How should connections over allowed protocols (such as DNS) be controlled? Is it necessary to filter connections that are encapsulated inside allowed protocols? There are many questions;
- There are no requirements for protection against network attacks. It is natural not to expect DDoS inside the network, but notifications about, say, port scanning would not be superfluous. In fact, most personal firewalls have this functionality today. The question is not idle: money is charged for any certification, and quite a lot of it. But more on that below;
- Despite the requirement for update procedures, there are no requirements for update functionality in the firewall itself. Leaving vulnerabilities aside, malware does not stand still, and the list of protocols it uses changes;
- The requirement for interaction with other protection tools is completely incomprehensible. There is no single protocol for such interaction, although the makers of those same SIEMs would not have refused one. Perhaps this requirement was written for a specific product? Perhaps for a firewall with an anti-virus plugin. But such products are not the majority of the market. As a rule, the situation is the opposite: anti-virus programs with a firewall module are installed to protect workstations;
- Messages should be sent to users. Why do users need them in a corporate network? Usually such notifications go to administrators and are hidden from users. There are no requirements for the types of notifications to administrators; or, according to FSTEC, should administrators sit at the monitors of workstations around the clock, waiting for notifications?
According to the FSTEC requirements, from December 1, 2016, firewalls being developed, produced and supplied must comply with the requirements described in the profiles. Firewalls installed before December 1, 2016 may continue to be operated without re-certification.
And here consumers are in for an ambush. Before the release of the profiles, it was possible to protect workstations with a certified anti-virus that included a firewall, certified as a component of the anti-virus. Now that is impossible. It turns out that either the anti-virus vendors pay for yet another certification (and recoup the cost, of course), and then possibly one more for IDS, or users buy three separate products and therefore have to ask management to increase the budget. No possibility for anti-virus vendors to extend an existing certificate is provided, so there are not many options:
- budget funds for both a certified anti-virus and a certified firewall;
- extend the previously purchased certified anti-virus for many years to come, since previously purchased firewalls can continue to be used;
- hope that FSTEC will come to its senses.
Sadness in any case.
There is little time left until December 1; I wonder who will manage to complete certification in time.