Last time we reviewed the requirements of FSTEC of Russia for personal firewalls, that is, host-level firewalls (type "B") installed on the workstations of the protected network. We continue the conversation and now consider the requirements for solutions that protect web servers.
Recall that a web-server-level firewall (type "G") can be used on the server hosting sites, web services and web applications, or at the physical boundary of the segment containing such servers. Type "G" firewalls can be implemented in software or as a software/hardware appliance and must provide control and filtering of the information flows over the hypertext transfer protocol transmitted to and from the web server.
Here the first question arises. Apparently this firewall is regarded as a firewall for a specific application (a web application firewall), while the main firewall is the network one. It is assumed that this main firewall cannot parse HTTP. But a web server needs other protocols as well: at a minimum, FTP / SFTP / SCP (SSH) for uploading files, and many servers also carry mail distribution and other functionality. So the main firewall is assumed not to parse HTTP, but can it parse the other protocols? For type "A", only the type of protocol is spelled out:
the ability to filter based on the following types of information security attributes: the network protocol used for interaction; attributes indicating packet fragmentation; the transport protocol used for communication; the source and destination ports within a session (sessions); allowed (prohibited) commands; allowed (prohibited) mobile code ...
The requirements for type "G" firewalls are posted here. Since, as already mentioned, class 4 is the highest class for type "G", we consider exactly that class.
The firewall must ensure neutralization of the following information security threats:
- unauthorized access to web server information as a result of the web server establishing network connections that are not provided for by the information processing technology;
- denial of service to the server, the hosted site, web service or web application as a result of establishing network connections to the web server that are not provided for by the information processing technology of the information system, in order to send a large number of network packets (requests) until they saturate the bandwidth of the data transmission channel, or to send specially crafted anomalous network packets (requests) of large size or non-standard structure. The threat is possible due to vulnerabilities in network protocols, deficiencies in the configuration of protection mechanisms, and vulnerabilities in the software and hardware of the information system;
- unauthorized impact on the firewall aimed at disrupting its operation, including overcoming or circumventing its security functions by sending specially crafted network packets to the firewall's interfaces, leading to the disabling, circumvention or overcoming of the firewall's protection mechanisms using standard or specialized tools.
True, the definition narrows the firewall's task: according to the Profile, a firewall "is a software or software/hardware tool that implements the functions of control and filtering of the information flows passing through it in accordance with the specified rules, and is used to ensure protection (by non-cryptographic methods) of restricted-access information". And for type "A", as quoted above, only the type of protocol is spelled out among the filtering attributes.
The following security functions must be implemented in the firewall:
- control and filtering;
- identification and authentication;
- registration of security events (audit);
- ensuring uninterrupted operation and recovery;
- integrity testing and control;
- management (administration);
- interaction with other information protection tools.
In addition, the firewall must operate in an environment that ensures its secure functioning.
Class 4 firewalls must provide:
- the ability to filter network traffic by senders of information, recipients of information, and all transfers of controlled information through the firewall to and from the web server; the ability to ensure that filtering extends to all operations of moving information through the firewall to and from the web server. An interesting item. Judging by the definition, the requirements relate to a firewall designed to protect specifically the web server, in addition to the primary firewall. If so, and if by definition "type "G" firewalls must provide control and filtering of information flows over the hypertext transfer protocol", then why are this item and the others that follow from it in the Profile at all? Would it not be logical to merge these items or revise the stated purpose of the firewall?;
- the ability to support monitoring and analysis of requests and responses over the hypertext transfer protocol of specific versions. This is logical if we regard this firewall as an additional means of protecting web applications alongside the main firewall, which filters down to the packet level;
- the ability to support monitoring and analysis of messages sent by a web browser to a web server that contain textual content in specific encodings and non-textual content of specific types (images, audio, video, programs). It is not entirely clear whether actions to modify messages, including the removal of prohibited content, belong here. The depth of analysis is not defined either;
- the ability to support monitoring and analysis of specific interaction markers (cookies) of certain types, sent by the web server to the web browser and returned by the web browser to the web server, containing personalized information about the user's interaction with the web server, based on specific cookie attributes. It is not clear what the cookies should be analyzed for;
- the ability to support sending and receiving user data of the information system (including cookies, i.e. pieces of information containing user data) in a way that is protected from unauthorized disclosure and integrity violation;
- the ability to explicitly permit or deny an information flow based on the set of filtering rules established by the firewall administrator and on the identified attributes, including blocking all information flows; the attributes include those set by interacting information protection tools for the monitored network traffic and indicating the presence or absence of a security violation;
- the ability to check requests to the site and/or another web application for data entry (including fragmented and compressed requests) for fragments of mobile code, by searching such requests for specific regular expression fragments (tags, commands in the format of mobile code languages) used to initialize mobile code or to perform undesirable actions, and the ability to block information flows containing such requests;
- the ability to filter packets based on control commands from other types of information protection tools interacting with the firewall, based on attributes indicating signs of a security violation in the network traffic. This is a very interesting requirement, and it also appears in other profile types. Does FSTEC intend to standardize a protocol for the interaction of protection tools?;
- in case of detection of an unauthorized information flow over the hypertext transfer protocol: blocking the request, terminating/restarting the connection, blocking interaction with a specific network address, blocking a session of a specific application level, blocking interaction at the level of a specific application user, sending a control signal to another firewall to block the unauthorized information flow, and sending a notification to the administrator/user about the action taken;
- the ability to support virtualization of the external representation of web server applications at the level of network port translation and translation of uniform resource identifiers;
- the ability to define virtualized (visible to the web browser) network ports of applications and their mapping to real (visible to the web server) network ports of applications;
- the ability to define virtualized (visible to the web browser) uniform resource identifiers and their mapping to real (visible to the web server) uniform resource identifiers;
- the ability to switch to an emergency support mode that allows returning the firewall to the normal operating mode, and the ability to shut down or recover (for the foreseen failure scenarios) to the normal operating mode of the firewall. Perhaps the requirement means assigning a specific policy for certain situations;
- the ability to support a trusted channel of interaction between the firewall and the web server / user (via a web browser), in order to access the original data transmitted over the hypertext transfer protocol under cryptographic protection in accordance with the legislation of the Russian Federation, analyze it, and ensure its further secure transmission using cryptographic methods of information protection in accordance with the legislation of the Russian Federation;
- the ability to register and record the performance of checks of network traffic and the events that, in accordance with the national standard of the Russian Federation GOST R ISO/IEC 15408-2-2013 "Information technology. Security techniques. Evaluation criteria for IT security. Part 2. Security functional components", are included in the basic audit level; and the ability for authorized administrators to read audit records or select from them (search, sort, organize audit data);
- support for specific roles for managing the firewall, and the ability to identify and authenticate the firewall administrator before permitting any action (administration) performed through the firewall on behalf of this administrator;
- the ability to identify and authenticate the user before permitting the transmission through the firewall of the information flow associated with this user to the web server (from the web server);
- the ability for firewall administrators to control the execution mode of the firewall's security functions, manage security attributes, and manage the firewall data used by its security functions.
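Several items in the list above describe concrete mechanics: searching requests (including compressed ones) for mobile-code fragments with regular expressions, mapping virtualized (browser-visible) ports and URIs to real (server-visible) ones, blocking the request when a check fails, and recording every decision at the basic audit level. The following Python sketch is an added example of how those functions fit together in one request filter; it is not code from the Profile or from any certified product. The pattern list, the port/URI mappings, the sample requests and all function names are constructed for the illustration, and a real product would carry a far larger and maintained rule set.

```python
import gzip
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_to_bytes

# Regular-expression fragments that signal mobile code (tags or commands of a
# mobile-code language) inside data a user enters; constructed for the example.
MOBILE_CODE_PATTERNS = [
    re.compile(rb"<\s*script\b", re.IGNORECASE),
    re.compile(rb"javascript\s*:", re.IGNORECASE),
    re.compile(rb"\bon(load|error|click|mouseover)\s*=", re.IGNORECASE),
    re.compile(rb"<\s*(object|embed|applet)\b", re.IGNORECASE),
]

# Virtualized (browser-visible) to real (server-visible) mappings; constructed.
PORT_MAP = {443: 8080}
URI_MAP = {"/shop/": "/app/v2/storefront/", "/": "/app/v2/public/"}

AUDIT_LOG = []  # one record per inspected request (basic audit level)


@dataclass
class Request:
    client: str
    port: int        # virtualized port the browser connected to
    uri: str         # virtualized URI the browser asked for
    headers: dict
    body: bytes


@dataclass
class Decision:
    action: str      # "allow" or "block"
    reason: str
    real_port: Optional[int] = None
    real_uri: Optional[str] = None


def normalized_body(req: Request) -> Optional[bytes]:
    """Return the body as the web server would see it: gzip bodies are inflated
    and percent-encoding is removed, so compressed or encoded mobile code cannot
    slip past the pattern check. Returns None for an undecodable body."""
    data = req.body
    if req.headers.get("Content-Encoding", "").lower() == "gzip":
        try:
            data = gzip.decompress(data)
        except (OSError, EOFError):
            return None
    return unquote_to_bytes(data)


def find_mobile_code(data: bytes) -> Optional[str]:
    """Return the first matching mobile-code fragment, or None."""
    for pattern in MOBILE_CODE_PATTERNS:
        match = pattern.search(data)
        if match:
            return match.group(0).decode("latin-1")
    return None


def translate(req: Request):
    """Map the virtualized port and URI to the real ones (longest prefix wins)."""
    real_port = PORT_MAP.get(req.port)
    for prefix in sorted(URI_MAP, key=len, reverse=True):
        if req.uri.startswith(prefix):
            return real_port, URI_MAP[prefix] + req.uri[len(prefix):]
    return real_port, None


def inspect(req: Request) -> Decision:
    """Apply the checks in order and record the decision in the audit log."""
    body = normalized_body(req)
    if body is None:
        decision = Decision("block", "undecodable compressed body")
    else:
        fragment = find_mobile_code(unquote_to_bytes(req.uri)) or find_mobile_code(body)
        real_port, real_uri = translate(req)
        if fragment is not None:
            decision = Decision("block", "mobile code fragment %r" % fragment)
        elif real_port is None or real_uri is None:
            decision = Decision("block", "no virtualized port/URI mapping")
        else:
            decision = Decision("allow", "passed checks", real_port, real_uri)
    AUDIT_LOG.append({"client": req.client, "port": req.port, "uri": req.uri,
                      "action": decision.action, "reason": decision.reason})
    return decision


# Constructed sample requests: a normal one, one with a gzip-compressed script
# tag in the body, and one to a port that has no virtualization mapping.
SAMPLE_REQUESTS = [
    Request("198.51.100.7", 443, "/shop/item?id=42", {}, b"qty=1"),
    Request("198.51.100.8", 443, "/shop/review", {"Content-Encoding": "gzip"},
            gzip.compress(b"text=%3Cscript%3Evoid(0)%3C%2Fscript%3E")),
    Request("198.51.100.9", 8443, "/shop/", {}, b""),
]

if __name__ == "__main__":
    for sample in SAMPLE_REQUESTS:
        print(sample.client, sample.uri, "->", inspect(sample))
    print("audit records:", len(AUDIT_LOG))
```

The order of the checks matters: the body is decoded first so that the regular expressions run on what the web server would actually interpret, a body that cannot be decoded is itself treated as an anomaly and blocked, and the audit record is written for every decision, not only for blocks, which is what the "registration of checks performed" item asks for.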
That's all. The list of requirements takes up less than a quarter of the document.
It is interesting to compare the difference in requirements between the fourth and sixth classes:
- security alarms appear only from class 5. A product without notifications of violations looks strange;
- selective viewing of audit data also appears only from class 5. Are users of lower-class products expected to search for what they need in tons of records manually?
- the virtualization requirement appears from class 5;
- basic confidentiality of data exchange (FDP_UCT.1) is required only in class 4, as are the ability to interact with other protection tools (basic inter-TSF data consistency, FPT_TDC.1) and the requirement for a trusted channel and a trusted path (FPT_ITC.1 and FPT_TRP.1), i.e. the channels of communication with the web server and with the remote user, respectively. FDP_UCT.1 includes the requirement to block an unauthorized information flow over the hypertext transfer protocol in one or several ways. Is this not needed for classes 5 and 6? Customer requests for checking the data transmitted to and from a web server are encountered constantly, as is the requirement that data transfer channels be protected from interception by attackers. It is strange that these requirements are absent for classes 5 and 6;
Interestingly, the list of what must be implemented as part of the security functions does not match the requirements described. For instance, the first list includes testing of security functions, but later in the document this requirement is absent with respect to the product (this, by the way, illustrates the dangers of total secrecy: the restricted-distribution version clearly shows what the functionality should include). There are other similar discrepancies.
Requirements for the firewall are also present in the FSTEC methodological document "Measures to protect information in state information systems". Recall that according to this document the firewall must apply anti-virus protection, anti-spam protection and an intrusion detection (prevention) system. The firewall must support clustering. In turn, the intrusion protection tools must be able to analyze traffic, update rules and support centralized management. Rules must be editable.
Let's sum up:
- The document is very high level. There is no description of the possible types and variants of filtering. In fact, the only specifics are the requirement to have a system for monitoring and analyzing requests and responses over HTTP of specific versions and the requirement to check requests for the presence of mobile code. The absence of clear requirements makes it possible both to submit only formally qualifying products for certification and to refuse certification on purely formal grounds;
- A trusted channel is required for analyzing HTTPS, using encryption permitted in Russia;
- There is no list of controlled protocols. Only one is mentioned: HTTP;
- Although this type of firewall is meant to be used as part of an information system, there are no requirements for centralized management. It is only required to provide a trusted control channel as part of the operating environment;
- There are no requirements for network attack protection functionality;
- Despite the requirement for an update procedure, there are no requirements for the presence of update functions in the functionality;
- The requirement for interaction with other protection tools is completely unclear. There is no single protocol for protection tools, although the manufacturers of those same SIEM systems would not refuse one. Perhaps this requirement was written for a specific product?
According to FSTEC requirements, from December 1, 2016 firewalls being developed, manufactured and supplied must comply with the requirements described in the Profiles. Firewalls installed before December 1, 2016 can be operated without re-certification for compliance.
I thank all users (especially imbasoft) who made valuable comments on the previous article.