Information Technology Governance

Local Government Management Guide

Area #10 – Firewalls and Intrusion Detection

Networks that are connected to the Internet are physically connected to unknown networks and their users all over the world. While such connections are often useful, they also increase the vulnerability of IT systems and electronic data to access and attacks from unauthorized individuals.

Firewalls

Firewalls are hardware and/or software programs that enforce boundaries between devices on different networks or network segments. Firewalls control network communications using rules that specify which communication types are allowed between and within boundaries and which are denied. To safeguard against unauthorized access and disruption, the network administrator should configure firewall rules to allow only those communication types that are needed for system operations and explicitly deny all other communications.

Firewalls can also act as effective tracking tools because they can perform important logging and auditing functions. For these reasons, the network administrator should enable firewall logs and periodically review logged activities/events.
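As an added illustration (not code from the guide), the rule evaluator below applies the two points above: first-match rules that allow only the traffic the hypothetical web server and admin subnet need, followed by an explicit deny-all rule that is logged so the denied attempts are available for review. The ruleset, packet format and addresses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR, or "any"
    dst: str               # destination CIDR, or "any"
    dport: Optional[int]   # None matches every destination port
    log: bool = False      # record a log line whenever this rule matches

def _in_net(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def _matches(rule, pkt):
    return (rule.proto in ("any", pkt["proto"])
            and _in_net(rule.src, pkt["src"]) and _in_net(rule.dst, pkt["dst"])
            and rule.dport in (None, pkt["dport"]))

def evaluate(rules, pkt):
    """First matching rule wins; returns (action, log_line or None). A packet that
    matches no rule is dropped silently, hence the explicit, logged deny-all below."""
    for rule in rules:
        if _matches(rule, pkt):
            line = (f"{rule.action.upper()} {pkt['proto']} {pkt['src']} -> "
                    f"{pkt['dst']}:{pkt['dport']}") if rule.log else None
            return rule.action, line
    return "deny", None

def audit(rules, packets):
    """Return the log lines a reviewer would see after a batch of packets is evaluated."""
    return [ln for ln in (evaluate(rules, p)[1] for p in packets) if ln]

# Constructed ruleset for a hypothetical web server (203.0.113.10) and admin subnet
# (192.0.2.0/24): only the needed traffic is allowed, everything else is denied.
RULES = [
    Rule("allow", "tcp", "any", "203.0.113.10/32", 443),         # public HTTPS
    Rule("allow", "tcp", "192.0.2.0/24", "203.0.113.0/24", 22),  # SSH from admins only
    Rule("deny", "any", "any", "any", None, log=True),           # explicit catch-all
]

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_TRAFFIC = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22},
    {"proto": "tcp", "src": "192.0.2.5", "dst": "203.0.113.10", "dport": 22},
    {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 53},
]
```

Running `audit(RULES, SAMPLE_TRAFFIC)` yields only the two denied packets; the allowed ones produce no log line because their rules have `log=False`.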

There are several types of firewalls, each with varying capabilities to analyze network communications and allow or deny specific types by comparing communication characteristics to defined rules. Understanding the capabilities of each type of firewall, acquiring firewall technologies and designing firewall rules that effectively address a local government’s or school’s needs are critical to achieving protection for network communications.

There are many aspects to firewall management. For example, choosing the type(s) of firewall to use and where to position each within the network can significantly affect the rules that the firewalls can enforce. Firewall rules may need to be updated as the local government’s or school’s requirements change, such as when new applications or devices are added to the network.

Firewall performance also needs to be monitored so that potential resource issues can be identified and addressed before components become overwhelmed. Logs and alerts that firewalls generate should also be continuously monitored to identify attempts to bypass network security controls—both successful and unsuccessful. Given their potential impact to security and operations, firewall rules should be managed using a formal change-management control process, with rule reviews or tests performed periodically to ensure continued compliance with the local government’s or school’s policies. Like any software, firewall software should be patched regularly as vendors provide updates to address vulnerabilities and improve functionality.

Intrusion Detection

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violations of computer security policies, acceptable use policies or standard security practices. Certain aspects of intrusion detection can be automated with modern antivirus software, firewalls or dedicated intrusion detection systems (IDSs). Network-based IDSs capture and analyze network communications within a network or network segment, while host-based IDSs capture and analyze activity to and from a particular computer.

Because the log information maintained may be too voluminous to review on a routine basis, the IDS should be implemented to selectively identify unauthorized, unusual and sensitive access activity, such as:

  • Attempted unauthorized access,
  • Deviations from access trends (e.g., access during off-hours),
  • Access to sensitive data and resources,
  • Highly sensitive privileged access, such as the ability to override security controls,
  • Floods of data coming from or going to a particular system or group of systems,
  • Access modifications made by security personnel, and
  • Multiple consecutive unsuccessful attempts to log on to a system.
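Added example (not from the guide): detection logic for three of the triggers in the list above, run over constructed log lines. It flags a run of consecutive failed logons per user, a successful logon outside business hours, and a flood of events from one source inside a time window. The log format, thresholds and addresses are assumptions made for the example; lines are assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed (hypothetical) log format: "<ISO timestamp> user=<u> event=<e> src=<ip>"
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)")
FAIL_THRESHOLD = 3                                    # consecutive LOGON_FAIL per user
BUSINESS_HOURS = range(7, 19)                         # 07:00-18:59 is the expected access window
FLOOD_LIMIT, FLOOD_WINDOW = 5, timedelta(seconds=60)  # events from one source per window

def parse(line):
    rec = LINE.match(line).groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def detect(lines):
    """Return (timestamp, trigger, detail) alerts for three of the IDS triggers
    listed above: repeated failed logons, off-hours access and event floods.
    Lines are assumed to arrive in time order."""
    alerts = []
    fails = defaultdict(int)     # user -> consecutive unsuccessful logons
    recent = defaultdict(deque)  # src -> timestamps seen inside FLOOD_WINDOW
    for rec in map(parse, lines):
        ts, user, event, src = rec["ts"], rec["user"], rec["event"], rec["src"]
        if event == "LOGON_FAIL":
            fails[user] += 1
            if fails[user] == FAIL_THRESHOLD:   # alert once per run of failures
                alerts.append((ts, "repeated_failed_logon", f"{user} from {src}"))
        elif event == "LOGON_OK":
            fails[user] = 0                     # a success ends the run
            if ts.hour not in BUSINESS_HOURS:   # deviation from the access trend
                alerts.append((ts, "off_hours_access", f"{user} at {ts:%H:%M}"))
        window = recent[src]
        window.append(ts)
        while ts - window[0] > FLOOD_WINDOW:    # discard timestamps that aged out
            window.popleft()
        if len(window) >= FLOOD_LIMIT:
            alerts.append((ts, "event_flood", f"{len(window)} events from {src} in {FLOOD_WINDOW.seconds}s"))
            window.clear()                      # start a fresh window after alerting
    return alerts

# Constructed sample lines (RFC 5737 documentation addresses), not from a real system.
SAMPLE_LOG = [
    "2024-03-04T02:13:07 user=jdoe event=LOGON_OK src=192.0.2.5",
    "2024-03-04T09:00:01 user=asmith event=LOGON_FAIL src=198.51.100.7",
    "2024-03-04T09:00:03 user=asmith event=LOGON_FAIL src=198.51.100.7",
    "2024-03-04T09:00:05 user=asmith event=LOGON_FAIL src=198.51.100.7",
    "2024-03-04T10:30:00 user=asmith event=LOGON_OK src=198.51.100.7",
] + [f"2024-03-04T10:45:0{i} user=- event=CONN src=203.0.113.99" for i in range(5)]
```

`detect(SAMPLE_LOG)` returns three alerts in time order: the 02:13 off-hours logon, the third failed logon for asmith, and the five-event burst from 203.0.113.99; the later successful logon by asmith resets that user's failure count and raises nothing.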

Unauthorized, unusual or sensitive access activity identified by the IDS should be reviewed, and any apparent or suspected violations should be investigated. It is important to note that seemingly innocuous or legitimate behavior could be a manual probe to collect data about a network or its security, possibly for the purpose of formulating an attack plan against that network. Therefore, it is important to provide for a periodic manual review of network activity even with an automated IDS in place.

When a security violation occurs, appropriate action should be taken to identify and remedy the internal control weakness(es) that allowed the violation to occur, repair any damage that has been done, determine whether the violation constitutes a breach requiring notification of affected individuals and, when feasible, identify and discipline the perpetrator.

It is important that a local government or school have comprehensive written procedures for reporting security violations or suspected violations to the IT manager or other appropriate personnel so that multiple related incidents can be identified, other IT users can be alerted to potential threats and appropriate investigations can be performed. Such incidents might include multiple attacks by a common hacker or repeated infections with the same malicious software.

The Information Technology Governance LGMG can be downloaded at https://www.osc.ny.gov/files/local-government/publications/pdf/information-technology-governance.pdf