General

• ITSO will determine and manage the access policy.
• NIS will operate the in-line equipment.
• All traffic from/to the restricted access network will pass through this border.
• 1Gbps throughput will be good enough for now.

Access Policy

ICMP and other Firewall generic rules

• Inbound ICMP errors SHOULD NOT be filtered by source IP address. RFC-4787 Network Address Translation (NAT) Behavioral Requirements for Unicast UDP,9. ICMP Destination Unreachable Behavior
• Inbound ICMP errors MAY be filtered by stateful match with outbound traffic (e.g. Linux RELATED target).
• Outbound ICMP echo requests SHOULD be permitted to any host for which other outbound traffic is permitted.
• Outbound ICMP echo requests SHOULD be rejected if sent to non-authorized destinations. (admin prohibited)
• Inbound ICMP echo replies SHOULD be permitted from any of the hosts ICMP echoes can be sent to. Stateful firewall may do this automatically.
• TCP connections to unauthorized destinations should be rejected with TCP RST.

Hardware

• IPv4 NAT
  • NIS will purchase and specify the IPv4 NAT device.
  • NAT device could most likely support IPv4 firewall as well.
• Firewall
  • May be the same as IPv4 NAT device.
  • To be jointly specified by ITSO and NIS R&D
  • How to deal with IPv6
  • Cisco?
  • Juniper?
  • SonicWall?
  • StoneSoft? (being tested by ITSO)
  • Unix/Linux + iptables/pfsense for IPv6 only?
  • http://www.getipv6.info/index.php/IPv6_Firewalls
• IPS/IDS
  • specified and purchased by ITSO.
• FireEye
  • specified and purchased by ITSO.