SMB Secure

Making security easier for small and medium businesses

SMB Secure provides a solid framework for small and medium business administrators who are implementing the right security perimeter, with particular emphasis on firewall technologies.

Firewall Design Decision Making (FDDM) - step 1

1. Scope of the company

The firewall design is more or less dependent on the specifics of the company: its size, its sector of activity, its geography, the complexity of its network, its personnel, its business objectives... A company with ten employees won't have the same requirements as a 500-employee company, just as a company holding highly confidential data will need a more secure infrastructure than a company with no valuable information. As a result, before making any firewall decision, it is important to have a global picture of the scope of the company. In addition, it is important to understand the motives behind the need for a firewall: what triggered the need for a new firewall design (more security, more performance, a change in policy, a change in personnel...). All these elements place the need in its context, so it is fundamental to start from this point.

This step will evaluate the following criteria:

a. The size

The size of the company (or more specifically the number of users that the firewall solution must protect) has an impact on the firewall solution. Different classes of products exist depending on the size of the company. Furthermore, the firewall architecture for a small company won't necessarily fit the one for a large company.

The FDDM method relies on three standard size categories. The related question is as follows:

What is the size of the site that is going to be protected behind the firewall?
Very Small Office (<10 users)
Small Office Home Office (<50 users)
Small Business (<250 users)
Medium Business (<1000 users)

b. The sector

The sector of activity of the company may also play a role. A banking, health care or governmental firm will not have the same needs as a home office business. This criterion gives a first idea of the security level that may be required within the company, but is not in itself sufficient to determine a firewall solution.

The FDDM related question is as follows:

Which sector corresponds most closely to the activity of the company?
Banking
Health care
Governmental
Educational
IT, Computing
Other

c. The geography of the company

The geography of the company refers to the different locations the company operates from. The company may be based in a single location, but more and more companies, even small ones, tend to expand to several locations, either nationally or internationally. It seems obvious that a company with remote offices and mobile employees (teleworkers, contractors) has clearly different needs from a one-site company. Furthermore, it must be underlined that an internationally based company will have more constraints to take into consideration than a nationally based company; a simple example is legal regulation, which may differ on encryption rights.

The FDDM related question is as follows:

What best describes the geographical distribution of the company?
One unique central Office
A Central Office with national Remote Branch Offices
A central Office with international Remote Branch Offices

d. The map of the network

While designing a firewall solution, it is essential to have a clear picture of the map of the network, that is, the list of the different elements that constitute the network: computers, servers, critical resources, printers, subnets, groups of users, their roles and needs... All this information should normally be documented and reviewed regularly when needed. The method is not going to ask for any of this information, as it does not rely on such details to provide a solution. However, this document will be helpful throughout the method for making decisions based on all aspects of the network.

The FDDM question here should be taken as advice:

Do you have an updated map of the network to protect?
Yes
No

e. The motive

What stimulates the need for a firewall solution, or what stimulates the replacement of the current firewall solution with a new one? Knowing the trigger event that produced the need for a new firewall design helps to formulate the security needs and thus orient the security solution. The National Institute of Standards and Technology (NIST) defines six categories of triggers, as shown in the following table extracted from NIST SP 800-35:

(Table of trigger categories from NIST SP 800-35: image not reproduced)

Placing the need into one of these categories makes it possible to clearly state the objectives of the project and to focus or refocus the need in its context. This step is helpful throughout the process to check that the technical requirements are met. It also provides a good basis for documentation. One should know that documentation is one of the fundamentals of business continuity. Any security decision should be documented to explain the reasoning behind the choice and to record the context of that choice.

The FDDM related question is an open question, intended to help focus on the initial objective. Since it is not a decision-making question, it is optional:

What triggered the need for a new firewall design?


f. The future growth

Future growth of the company must be anticipated so that the final solution is designed accordingly, either by selecting a firewall design that matches the future requirements or by selecting a firewall solution that is easily upgradable.

The FDDM related question is as follows:

Does the company plan to expand in the next two years?
Yes
No


g. The Security Profile

Determining the Security Profile of a company is paramount to designing a security solution that fits the needs of the company. It reveals the security maturity of the company through the analysis of the security practices within the company. Knowing how security is performed inside a company makes it possible to build a solution adapted to the company's work environment. A company that has only one person in charge of the whole network maintenance and security will have different security requirements and practices from a company with a team dedicated solely to security. Analysing the security profile through the personnel, processes and expertise available for designing, installing and maintaining the firewall solution makes it possible to evaluate the security maturity of the company, and then helps in determining how complex the final solution can be.

The personnel

The firewall design clearly depends on the capacity of the company to maintain and administer the firewall solution. How many people will be in charge of the firewall? And how much time can be allocated to firewall design, installation and maintenance? These questions are fundamental in determining which architecture may be suitable.

The FDDM related questions are as follows:

How many people will be allocated to firewall administration and maintenance?
Will at least one person be a full-time employee dedicated to security only?
Yes
No


The expertise

Firewalls are generally not user-friendly devices that can be implemented and maintained by novices. Since the security of the whole site clearly depends on the firewall doing the right job, it is essential that the person maintaining the firewall has the right competencies to do so, or is trained beforehand.

The FDDM related questions are as follows:

Do you have qualified personnel in-house to ensure the maintenance and administration of the firewall? If you plan to hire someone or provide appropriate training for this purpose, select yes.
Yes
No
How qualified are the personnel in charge of maintenance and administration?
Expert (more than 5 years in similar job)
Qualified (at least 1 year experience)
Trained (no real experience)
Basic (self training)


The budget

The budget allocated for security purposes will clearly restrict the firewall solution, whether in its architecture, technology or functions. The budget must take into account all the costs involved in the acquisition, implementation and maintenance of the firewall system.

The FDDM related questions are as follows:

What price range are you able to invest in firewall acquisition and installation?
Under £50
£100-£300
£1000-£2000
£10000-£20000
What is the maximum number of hours per week that the firewall solution should require for maintenance?


The Security Maturity

The security of the network does not depend only on the choice of the firewall. Above all, it depends on the Security Maturity of the company. The Security Maturity reflects how well risks are managed throughout the business (Carol Woody, Carnegie Mellon University; Larry Clinton, Internet Security Alliance; March 2004). It makes it possible to evaluate how prepared a company is to maintain the firewall, and also determines how complex the firewall design can be. The Security Maturity is determined by evaluating the security practices across the business. The Security Practices Test, inspired by Microsoft and the OCTAVE-S method, makes it possible to evaluate the level of maturity.


This part does not provide decision-making information about the firewall itself; it can nevertheless help in further steps to determine which features may be worth implementing at the border firewall. This step is optional, but advised if you are not sure how good your security practices are.


h. The Risk Profile

The Risk Profile is what determines the level of protection required. It is therefore useful to have this information to hand when designing a security solution. The Risk Profile can be classified as High, Medium or Low. But the real question is to what extent a Risk Profile should be considered High, Medium or Low. Indeed, this approach leaves too much room for subjectivity and can compromise the output of the method. To address this problem, the FDDM method relies on a Risk Analysis or Risk Assessment to determine the level of risk that the company faces, and so the level of security that should be implemented.


What is a Risk Assessment?

Any business connected to the internet faces inherent security risks leading to potential loss of confidentiality, integrity or availability. Faced with a risk, the company has three choices: mitigate, transfer or accept the risk. Mitigating the risk means finding a control to eliminate or at least diminish the probability of the risk occurring. Transferring the risk consists of outsourcing the responsibility for the risk to a third party. Accepting the risk simply means doing nothing to counteract the risk. In order to apply the appropriate measure, one should undertake a Risk Analysis, also called a Risk Assessment. A Risk Assessment makes it possible to identify and prioritise risks to the business; thus it gives an idea of the security level required for the firewall design. It should indicate:

  • The business assets to be protected; assets refer to the systems, applications and information that drive the business (generally resources that people need to perform their job)
  • The threats to these assets
  • The qualitative or quantitative impact (cost) of such threats on the business
  • The probability of these threats occurring
  • The efficiency of the current measures/controls (mitigate, transfer)
  • The person responsible for the security of each asset
  • The severity of the risk based on the impact and probability of the threat

Before designing a firewall solution, it is essential to conduct such a Risk Analysis, or at least to take the last Risk Analysis performed. It should be noted that a Risk Assessment is not the work of a single person in the company but the fruit of collaboration between the executive branch, the business branch and the security branch (IT staff or administrator in most cases). The outcome of the Risk Analysis gives precious information about the critical assets, their risk profile (exposure and probability of occurrence) and their quantitative or qualitative cost to the business. In the end, the Risk Assessment provides a global picture of the level of risk the company is facing, and thus makes it possible to determine more accurately what level of security is required to reduce the risk to an acceptable level.


How does the FDDM method determine the Risk Profile?

The method starts from the assumption that a Risk Assessment has previously been carried out in the company, and uses the outcome of that report to determine the security level. Three questions must be answered:

How critical are the private assets* of the company? How severe would the impact on business continuity be if the asset were corrupted?
High
Medium
Low
How exposed is the information?
Very High
High
Medium
Low
Very Low
How probable is it to occur?
High
Medium
Low

*Assets refers to any information, system or application that is of high value.


The Risk Profile is determined in two steps. The first two questions define the level of impact if an asset were corrupted. Then, the security level is established by combining the impact and the probability.


(Security level matrix combining impact and probability: image not reproduced)


As already said, these questions must be answered based on the outcome of the Risk Assessment. Answers are left to the respondent's own judgement. However, the method strongly advises using the Risk Assessment Simplified Method (RASM), whose purpose is to help with the ranking. This method has primarily been designed for those who have not yet implemented such a method in their company, but it is also good support for people who are not confident with the ranking.
