Compliance Regulations and the Firewall

By Anthony Tanzi ·

On occasion, Comm Solutions engineers are asked to recommend a firewall that is compliant with Industry regulations such as:

  • The Health Insurance Portability and Accountability Act (HIPAA) in Healthcare
  • The Payment Card Industry Data Security Standard (PCI DSS) in all industries touching cardholder information – online retail, electricity distribution, and even healthcare
  • Children’s Internet Protection Act (CIPAin education, and even healthcare
  • The North American Electric Reliability Corporation Critical Infrastructure Protection (NERCCIP) for the power grid and underlying SCADA networks

In most cases, the regulations apply to customers that need to demonstrate compliance and are subject to audits.

The network security platform can help make the compliance and audit processes easier, quicker and therefore less costly. Every regulation and industry has its own unique requirements that need to be carefully reviewed and evaluated.

There are some rules of thumb to look for:

  1. Does the security appliance help reduce the scope of compliance: The security platform should  allow you to segment your network by zones and enforce security policies that are based on business-oriented parameters such as applications, users and content, as traffic passes from one zone to another. This ensures tighter isolation of the sensitive information that is subject to the regulation, and narrows the scope of the compliance effort. An example is for PCI DSS where network segmentation isolates cardholder data to specific servers or areas of the network, not only reducing the costs of implementing compliance but also the risks of the sensitive data ever being compromised.
  2. The security appliance should also simplify the audit process: Compliance auditors require access to many pieces of data, including firewall logs. They’ll need proof that the security policies are enforced, consistently and everywhere, and will review traffic logs to check who has access to the zone and in which capacity (user, administrator,..) and whether any changes made over time were appropriate.
  3.  The security appliance should also reduce the risks of sensitive data being compromised: One example is the ability to monitor and inspect all content as specified by security policy rules, being able to flag outbound traffic for unauthorized transfer of sensitive data (cardholder data, social security numbers and other recognizable strings) using file and data patterns and either blocking the transfer altogether or sending an alert.

Below are a few examples from the HIPAA Administrative Safeguards:

Administrative Safeguards (Section 164.308)

164.308(a)(5)(ii)(B) – PROTECTION FROM MALICIOUS SOFTWARE

HIPAA Text: "[Organization must have] procedures for guarding against, detecting and reporting malicious software."

Malicious software is frequently brought into an organization through email attachments, and programs that are downloaded from the Internet. Under the Security Awareness and Training standard, the workforce must also be trained regarding its role in protecting against malicious software, and system protection capabilities. It is important to note that training must be an ongoing process for all organizations.

Malicious Software comes in many forms. These include viruses, worms and Trojans. Spyware and advanced persistent threats are also included as malicious software that can impact a networking system.

Legacy solutions cannot keep up with today’s cyberthreats: Because early firewalls did not directly concern themselves with cyberthreats, most vendors had to incorporate add-ons, such as anti-virus and intrusion prevention engines. This provides a basic capability for stopping known cyberthreats, but offers minimal protection against unknown ones—including APTs and zero-day attacks.

Recommended features on the Security appliance

Make sure that both desktop and gateway Anti-Virus products are being used at all times.

Ensure that your security appliance is capable of application identification and that it is providing Web Filtering, application-layer Intrusion Prevention (not just detection), anti-virus, anti-spyware and zero day based anomaly detection

Make sure that the appliance services provide regular updates of signature files.  This is to update the threat databases as well as any new zero-day malware signatures.

164.308(a)(6)(ii) – RESPONSE and REPORTING

"Identify and respond to suspected or known security incidents; mitigate to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes."

Recommended Features of the Security Appliance:

• Make sure that all of the appliance services and sub-systems are proactive. Also make sure things like email alerting and SNMP traps are available for both traffic and threat prevention.

It would also be recommended here that the firewall have the capability of preventing DOS and DDOS attacks and the thresholds for such are configurable.

Make sure the Security Appliance performs very detailed logging and provides options for retaining those logs off of the Security Appliance. This can be in the form of syslog or logging to a supported centralized reporting and management station.

164.308(a)(4)(ii)(B)- ACCESS AUTHORIZATION

“Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.”

Recommended Features of the Security Appliance:

  • It may be worthwhile to investigate the firewalls ability to apply access via security policies that utilize a user’s directory service account as a match field in the security policy. This would allow you to provide access to specific servers based on the users credentials and not just their IP address.

The full listing of Administrative safeguards can be found at the following URL:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf