DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

Firewall Configuration Standard

Version 1.1

Revision History:

Version Date Revision Author Summary of change

1.0 Dec 29, 2020 Mahammad Harif Shaik Initial Draft
1.1 Aug 29, 2022 Naresh Kambam Annual Review

Approval History:

Name Title Date Signature

Tony Jurica Sr. Director Cloud Sept 09, 2022
Solutions (acting CISO)

Released Date Sept 12, 2022

Firewall Configuration Standard Confidential Page 1

DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

Table of Contents
1. Scope ................................................................................................................................................... 4
2. General Firewall Requirements ........................................................................................................ 4
2.1 Firewall Deployment ................................................................................................................... 4
2.2. Traffic Mediation ......................................................................................................................... 4
2.3. Firewall Configuration ................................................................................................................ 4
2.4. Firewall Integrity......................................................................................................................... 5
2.5. Firewall Properties...................................................................................................................... 5
2.6. Firewall Change Control (ISO / IEC 27001: 2013 A.12.1.2)..................................................... 5
2.7. Firewall Configuration Management ......................................................................................... 5
2.8. Authentication ............................................................................................................................. 6
2.9. Network Information .................................................................................................................. 6
2.10. Filtering...................................................................................................................................... 6
2.10.1 SMTP Rules .............................................................................................................................. 6
2.10.2 Reject and Drop Rules ............................................................................................................ 6
2.11. Port Restrictions ....................................................................................................................... 7
2.12. Port / services allowed (ISO / IEC 27001:2013 A.13.1.1) ..................................................... 7
2.13. Insecure services in use (ISO / IEC 27001:2013 A.13.1.1) .................................................... 7
3. Firewall Installation ........................................................................................................................... 7
3.1. Installation ................................................................................................................................... 7
3.2. Operating System Configuration ................................................................................................ 8
3.3. Authorized Administration......................................................................................................... 8
3.4 Testing the firewall ...................................................................................................................... 8
4. Firewall Logging and Alerting ........................................................................................................... 8
4.1. Connection Accounting ............................................................................................................... 9
4.2. Active Connections ...................................................................................................................... 9
4.3. Terminating a Session ................................................................................................................. 9

Firewall Configuration Standard Confidential Page 2

DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

4.4. Multiple Alerting Capabilities ..................................................................................................... 9

4.5. Real-time Alerting Mechanisms ................................................................................................. 9
5. Firewall Administration................................................................................................................... 10
5.1. Assigned Administrators .......................................................................................................... 10
5.2. Network Access Control............................................................................................................ 10
6. Firewall Traffic Control.................................................................................................................... 10
7. Firewall Virtual Private Networks (VPNs) ..................................................................................... 10
7.1 Establishing VPNs ...................................................................................................................... 10
7.2 Firewall VPN Requirements ...................................................................................................... 11
7.3 VPN Connection Requirements ................................................................................................. 11
8. LDAP-related Communications ....................................................................................................... 12
9. Time Synchronization ...................................................................................................................... 12
10. Review of Firewall Rule Sets ......................................................................................................... 12
11. Firewall Maintenance .................................................................................................................... 12
11.1. Education and Training .......................................................................................................... 12
11.2. Administrative Requirements ................................................................................................ 12
12. Reporting Firewall Security Problems ......................................................................................... 12
13. Network Architecture Principles .................................................................................................. 12

Firewall Configuration Standard Confidential Page 3

DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

1. Scope
This standard was developed to provide the primary building blocks for
implementation of a uniform standard for firewalls for all Voxai Solutions locations.
The requirements specified in this standard must be strictly followed to ensure
successful secure configuration of the firewall system.

2. General Firewall Requirements

2.1 Firewall Deployment

The deployment of firewalls must comply with and satisfy the requirements of
standards implemented by the Voxai Solutions Information Security Policy.
2.2. Traffic Mediation

All traffic coming from or going to addresses associated with networks interfaced to
the firewall must be mediated by the firewall. Only authorized traffic must be allowed
to pass through the firewall. All the rules pertaining to the traffic flow must be
configured on a business need-to-know basis.
2.3. Firewall Configuration

The firewall must be configured based on documented guidelines and procedures to

resist penetration from internal and external attacks. If the firewall is hosted by a
computer operating system, the underlying operating system must be configured to
be secure based on the requirements of the Voxai Solutions System Configuration
standard for Information Security. Any new configuration request must follow Voxai
Solutions change management procedure.

Firewall Configuration Standard Confidential Page 4

DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

For a list of trusted users, the administrator can separately allow secure shell (SSH)
access to firewall CLI, and HTTPS or SSL access to the firewall browser-based
interface. Remote access features can be used for collecting system information and
performing additional configuration, but not to manage or install firewall policies.

2.4. Firewall Integrity

The firewall must employ an automatic mechanism to detect alteration of any files
used for firewall configuration.

2.5. Firewall Properties

The firewall’s rule base structure must support a “Deny all services except those
specifically permitted” design policy.

2.6. Firewall Change Control (ISO / IEC 27001: 2013 A.12.1.2)

Any change to the firewall configuration or firewall infrastructure must be

documented and should be in accordance with the Voxai Solution’s change
management procedure to include:

- Approval of firewall change/network connection from an authorized person

➢ Every change to the firewall configuration must be approved by an authorized
person and approval must be documented formally.

- Testing all network connections and changes to the firewall’s configuration (This
is to prevent security problems caused by misconfiguration of the network or
firewall without formal approval and testing of changes)
➢ Network Administrator/Firewall Administrator must test every change to the
firewall configuration/network connection to ensure it functions as per
business requirements and is securely configured to prevent any security
problem. All the results for testing network connections and changes to the
firewall configuration must be documented formally.

2.7. Firewall Configuration Management

Backup of all the running configurations must be maintained and should be updated
after every change according to the change process.

Backup of updated running configurations are classified as confidential and should be

stored securely/restricted to authorized users.

Firewall Configuration Standard Confidential Page 5

DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

2.8. Authentication

The firewall must contain advanced authentication measures, e.g., use of biometrics
devices or smart cards, or be capable of supporting advanced Dual Authentication. All
remote users must be authenticated via a secure method at the firewall before being
granted access to internal network resources.

2.9. Network Information

The firewall system must not permit any internal network information to be exposed
through queries from external devices, i.e., DNS servers.
2.10. Filtering

The firewall must be capable of employing filtering techniques used to permit or deny
services, applications, and protocols to specified network addresses as needed. The
firewall shall provide a graphical user interface for the configuration of filtering based
on relevant attributes, such as, source and destination IP address, protocol type,
source, and destination TCP/UDP port, and inbound or outbound interfaces.

Inbound traffic filtering must be configured based on configuration guidelines, to

include blocking based on the following.

• Traffic from a non-authenticated source system with a destination address

of the firewall
• Traffic with a source address indicating that the packet originated on a
network behind the firewall
• Traffic containing ICMP traffic
• Non-IP traffic

2.10.1 SMTP Rules

When supporting SMTP, the SMTP relay must not be used as a relay for
“external only” messages.

2.10.2 Reject and Drop Rules

For security monitoring reasons, the firewall shall be configured so that if a

service request is “rejected,” the connection failure is reported and recorded
at the firewall. When a service request is “dropped,” the connection request is
discarded and not reported or recorded at the firewall.

Firewall Configuration Standard Confidential Page 6

DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

2.11. Port Restrictions

Every six months a firewall port review is provided by ControlCase. Those results are
reviewed and documented in the Control Case portal.
2.12. Port / services allowed (ISO / IEC 27001:2013 A.13.1.1)

Every six months a firewall port review is provided by ControlCase. Those results are
reviewed and documented in the Control Case portal.

2.13. Insecure services in use (ISO / IEC 27001:2013 A.13.1.1)

If any insecure service is used in environment and/or scope network due to some valid
reasons and proper approval, then please document the security features implemented for
each for the insecure service to address the associated risk. Implemented Security features
should be documented in this section and, if not applicable, this section can be removed.

Insecure Service Security features implemented to address the associated

risk

3. Firewall Installation
3.1. Installation

Firewall Configuration Standard Confidential Page 7

DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

The firewall must be installed on a dedicated platform, either as an appliance or on a

conventional computer, including optimized hardware and, where appropriate, a
licensed version of the recommended operating system. The firewall must have all
necessary patches installed.

3.2. Operating System Configuration

An operating system hosting a firewall must be configured based on documented

guidelines for the following:

• Removal or disabling of unused network protocols, services, and

applications.
• Removal or disabling of unnecessary user accounts, e.g., Administrator and
Guest.
• Replacement of vendor passwords.
• Implementation of appropriate access controls.
• Configuration of audit logging controls.
• Application of all relevant operating system patches and releases.

When configuring firewalls, the administration staff/IT Operations team must

consider the configuration of other network infrastructure components such as
routers, web servers, LAN servers, etc. to ensure no adverse effect in their operation
and configuration.

3.3. Authorized Administration

Only authorized administrators are allowed access to firewalls to set-up, maintain,

and modify security rules on Voxai Solutions’ firewalls. Access to firewall resources
must comply with the Voxai Solutions Access Control Policy.

3.4 Testing the firewall.

Every configuration must be thoroughly tested.

4. Firewall Logging and Alerting

Event log information related to the traffic passing through the firewall must be exportable
to reporting and analysis tools. Event logs (audit trails) shall be available on demand online
for analysis purposes for a minimum period of 90 days. Firewall event logs must be archived

Firewall Configuration Standard Confidential Page 8

DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

offline for at least 365 days (one year). Event logs must be managed and maintained in a
manner compliant with the Voxai Solutions implemented audit and relevant standards for
Information Security. All the event logs must be monitored by the IT Operations Team and
trigger alerts if any.

4.1. Connection Accounting

Detailed log information shall be captured on every connection through the firewall.
This information must include a minimum but not limited to service type, time of
connection and termination of the connection, source port, destination port, source
IP address, destination IP address, packet type, and action taken. Logs must be
retained for at least 30 calendar days.

4.2. Active Connections

The installed firewalls or the related management server shall provide facilities to
view in real time all connections currently active through the gateway if there is a
need.

4.3. Terminating a Session

The firewall must provide automatic facilities to terminate single or multiple active
connections upon detection of intrusion. The firewall must also provide manual
facilities to terminate single or multiple active connections by any authorized
administrator.

4.4. Multiple Alerting Capabilities

The firewall shall provide integration of multiple administrator-selectable alerting

options including paging, audible alarms, e-mail notification and Simple Network
Management Protocol (SNMP) traps for integration with third party SNMP-based
network management systems. Only secure versions of SNMP must be used.

4.5. Real-time Alerting Mechanisms

Unauthorized access attempts from the external network must be reported via a real-
time alert.

Firewall Configuration Standard Confidential Page 9

DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

5. Firewall Administration
5.1. Assigned Administrators

Physical and logical access to firewalls must be restricted only to assigned

administrators responsible for configuration and maintenance of the devices. Logical
access to a firewall must be mediated based on two-factor authentication. Logical
access must be centrally administered. (ISO / IEC 27001:2013 A.11.2.1; A 9.4.1;
A.9.1.1)

Group Name Role/ Responsibilities

Admin Group Voxai IT Operations Team/Insight Group

Monitoring Group Insight IT

5.2. Network Access Control

The installed firewall shall have the ability to define security rules using time
parameters.

6. Firewall Traffic Control

The firewall shall have the ability to guarantee reliability and quality of service by enabling
managers to define enterprise-wide traffic management standards that actively allocate
bandwidth for inbound and outbound traffic based on relative merit or importance. This
ensures the performance of high- priority applications without “starving out” lower priority
applications.

7. Firewall Virtual Private Networks (VPNs)

7.1 Establishing VPNs

Firewalls may be employed to establish VPNs. The following requirements shall be

considered when a firewall hosts a VPN. Other methods of establishing VPNs can be
utilized if they meet the same security requirements.

Firewall Configuration Standard Confidential Page 10

DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

7.2 Firewall VPN Requirements

The primary technology requirements for VPNs shall be:

• Strong data encryption shall protect the privacy of sensitive information

for both gateway-to-gateway and client-to-gateway communications.
• Two-factor authentication is critical to verify remote and mobile user’s
identities in the most accurate and efficient manner possible.
• Technology shall support the prioritization of traffic associated with high
priority applications.
• VPNs between a company and its strategic partners, customers, and
suppliers shall be an open, standards-based solution to ensure
interoperability with the various solutions that the business partners
might implement.
• Traffic control and capacity planning must be implemented to eliminate
bottlenecks at network access points and guarantee swift delivery of and
rapid response times for critical data.

7.3 VPN Connection Requirements

7.3.1 Establishment of VPNs

A direct connection constituting a VPN between Voxai Solutions’ systems and
external users via the Internet or any other public network must be
established by methods and protocols approved by the network asset owner
or by management.

7.3.2 Degradation of Firewall Performance

The additional processing power requirements of encryption and
implementation of VPNs must not degrade firewall performance to an
unacceptable level.

7.3.3 Enterprise Management

Firewall VPNs must be managed from the same centralized and policy-based
management console of the firewall. Communications between the firewall
providing the VPN service and the console must be encrypted.
7.3.4 Encryption Requirement
All Voxai Solutions firewall VPNs must implement encryption methods
approved by the IT Group and implemented, managed, and maintained based
on the Voxai Solutions Encryption Policy.

Firewall Configuration Standard Confidential Page 11

DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

8. LDAP-related Communications
All communications between the LDAP server and the firewall or VPN Gateway must be SSL
protected for maximum security.

9. Time Synchronization
Firewall must be synchronized against a common NTP Service. This is to make sure events
in the logs can be correlated accurately.

10. Review of Firewall Rule Sets

Firewall rule sets must be reviewed at least bi-annually. Vulnerability assessment scans shall
include scans of rule sets for common configuration errors.

11. Firewall Maintenance

11.1. Education and Training

Proper and adequate training must be provided to all system and security
administrators to insure appropriate maintenance and administration of the firewall.

11.2. Administrative Requirements

Firewall administrators must maintain the firewall configuration and rule bases
continuously in accordance with Voxai Solutions’ business requirements and
current policies. Change management must be performed in a manner compliant with
the requirements of the Voxai Solutions Change Management Policy.

12. Reporting Firewall Security Problems

The IT Operations Team shall interface with firewall administrators for the remediation of
firewall security problems identified as a result of a security incident.
13. Network Architecture Principles
a. Firewall must exist at each Internet connection and between any DMZ and the
Intranet.
b. Only firewalls capable of performing at least stateful inspection (dynamic packet
filtering) will be permitted in the organization. Connections will be allowed in only

Firewall Configuration Standard Confidential Page 12

DocuSign Envelope ID: E9BC1DFE-2F8B-4342-A74C-B8D2DA733D04

if they are associated with a previously established session, or they are connection
establishment requests.
c. Router configuration files must be secure and synchronized [for example, running
configuration files (used for normal running of the routers) and start-up
configuration files (used when machines are re-booted), must have the same,
secure configurations].
d. Mobile and/or employee-owned computers with direct connectivity to the
Internet (for example, laptops used by employees), which are used to access the
organization’s network, will have personal firewall software installed and active
which must be configured by the organization to specific standards and not
alterable by the employee.
e. NAT or other technology using RFC 1918 address space must be used by firewalls/
routers to restrict broadcast of IP addresses from the internal network to the
Internet (IP masquerading). This is to prevent any disclosure of private IP
addresses and routing information to unauthorized parties/internet (ISO / IEC
27001 :2013 A.13.1.1; A 13.1.2)

The Information Security Steering Committee is the owner of this document and is
responsible for ensuring that this policy document is reviewed in line with the review
requirements stated above.

A current version of this document is available to all members of staff.

Firewall Configuration Standard Confidential Page 13