180 likes | 262 Vues
Explore key regulations like SOX, PCI DSS, ISO27001, and more. Learn how firewalls enforce compliance and best practices to manage risk, changes, and infrastructure. Discover the AlgoSec Firewall Analyzer.
E N D
The Regulation Zoo: Dealing With Compliance Within The Firewall World Avishai Wool CTO & Co-Founder, AlgoSec
Agenda • Introduction • Relevant Regulations • Common Themes • Demo
The Regulations Zoo • Sarbanes Oxley Act (SOX) • Japanese Financial Instruments (JSOX) • Euro-SOX – Company Law Directive 8 - Coming soon (?) • PCI DSS – Payment Card Industry Data Security Standard • ISO27001 • FISMA – US federal agencies • HIPAA – US Healthcare Industry • Basel-II – Banking Confidential
Sarbanes Oxley Act (SOX) • Goal: Protect Accuracy of Financial Data • Background: Financial scandals (Enron, …) • Affects public companies on US stock exchange, multinational corporations • Financial data is on computers, • … Computers are on networks • … Firewalls enforce access to networks … Firewalls become regulated Confidential
Working with SOX • Law is very “high-level” (10,000 meter altitude…) • Very hard to act based on it • COSO framework : 6 major “Components” • More grounded than law (5,000 meter…) • CobiT framework: 34 “Control Objectives” • Almost something you can work with (2,000 meter…) Confidential
SOX “cousins and relatives” • Japan (J-SOX) : “Japanese Financial Instruments Law” • Equivalent to SOX + COSO, but in Japanese • Seems to accept CobiT framework • EU: “Company Law Directive 8” • Approved by EU institutes (very high level) • Implementation Framework ? • Sent to member countries for implementation guidelines • Coming soon ? Confidential
PCI DSS – Payment Card Industry • Goal: Protect credit card information • Background: Credit Card fraud / theft • Affects any organization that handle credit cards (in stages, from large down to small) • Enforced aggressively by credit card companies • Credit card data is on computers, • … Computers are on networks • … Firewalls enforce access to networks … Firewalls become regulated Confidential
Working with PCI DSS Includes very specific “commandments” for firewalls: • Thou shall have a DMZ on your firewall • Thou shall NOT allow services other than HTTP, SSL, SSH and VPN through the firewall (without convincing documentation) • Thou shall use NAT and avoid routable addresses • Thou shall have a connectivity diagram of Firewall • Thou shall Assess / Scan your firewalls quarterly Etc etc. Confidential
ISO 27001 • General Standard – for any Information Security Management System (ISMS). • Voluntary compliance – but wide-spread in Europe • British standard BS 7799 ISO 17799 ISO 27001/2 • Moto: Plan / Do / Check / Act [PDCA] • Firewalls are clearly part of any ISMS, … Firewalls become regulated Confidential
More Regulations: • HIPAA • Goal: Control privacy of personal medical information • Affects any US organization in healthcare industry (hospitals, clinics, insurance companies, pharmaceutical) • Basel-II • Goal: Control banking (and inter-banking) data • Affects any bank (that wants to do business with other banks) • FISMA • Affects US federal agencies Confidential
Common Themes – for Firewalls • Control the Risk • Control the Changes • Control the Infrastructure • Compliance Reporting Confidential
Control the Risk • Define a Security Policy • Or use industry best practices as your policy • Review your rule-base for security policy violation • Periodic • Internal / External audit • Software systems • Scan (PCI mandates scan by a “QSA”) • Avoid high risks • PCI, FISMA give specific requirements about risky services Confidential
Control the Changes • Have a firewall rule change process • Request / Plan / Implement / Validate • Track firewall changes • At least: Who did What, Where, When • Better: also Why Confidential
Control the Changes – Cont. • Alerting / Monitoring • Set up e-mail / syslog / snmp • Send alerts when changes are detected • Better: integrate with SIM system • Audit • Keep change records for a long time Confidential
Control the Infrastructure • Connectivity Diagram • Maintain an up-to-date diagram • Firewall Management • Avoid Default Passwords • Avoid Default Settings Confidential
Compliance Reporting • Each regulation has its own reporting requirement • Lengthy forms, require a long time to complete Confidential
The AlgoSec Firewall AnalyzerLive demo – Compliance Confidential
Questions? • E-mail: • yash@eng.tau.ac.il • avishai.wool@algosec.com • http://www.algosec.com