Human Media; It Security Environment - Stormshield SN series Configuration Manual

- Complete: the standard scenarios of how equipment is used have all been considered when defining the rules and their authorized limits have been defined.
- Strict: only the necessary uses of the equipment are authorized.
- Correct: rules do not contradict each other.
- Unambiguous: the wording of the rules provides a competent administrator with all the relevant elements for direct configuration of the appliance.

Human media

Administrators are non-hostile, competent persons with the necessary means for accomplishing
their tasks. They have been trained to launch operations for which they are responsible. In
particular, their skills and organization imply that:
- Different administrators having the same rights will not perform administrative actions which conflict.
  Example: Incoherent modifications to the control policy for traffic.
- Logs are used and alarms are processed within the appropriate time frames.

IT security environment

Stormshield Network firewall-VPN appliances must be installed in accordance with the current
network interconnection policy and are the only passageways between the different networks on
which the control policy for traffic has to be applied. They are sized according to the capacities
of the adjacent devices; otherwise, these devices restrict the number of packets per second to a
level slightly below the maximum processing capacity of each firewall-VPN appliance installed in
the network architecture.

Besides applying security functions, NETASQ firewall-VPN appliances do not provide any network
service other than routing and address translation.
Example: No DHCP, DNS, PKI, application proxies, etc.*

Stormshield Network appliances are not configured to forward IPX, NetBIOS, AppleTalk, PPPoE or
IPv6 information flows.

Firewall-VPN appliances do not depend on external "online" services (DNS, DHCP, RADIUS, etc.) to
apply the information flow control policy.

Remote administration workstations are secured and kept up to date on all known vulnerabilities
affecting operating systems and hosted applications. They are installed in protected premises
and are exclusively dedicated to the administration of firewall-VPN appliances and the storage of
backups.

Network devices that the firewall uses to establish VPN tunnels are subject to constraints relating
to physical access, protection and control of their configuration. These constraints are equivalent
to those faced by the TOE's firewall-VPN appliances.

Workstations on which the VPN clients of authorized users are launched are subject to
restrictions regarding physical access control, protection and control over their configuration,
equivalent to the restrictions placed on workstations in trusted networks. They are secured and
kept up to date on all known vulnerabilities affecting operating systems and hosted applications.
SNS - USER CONFIGURATION MANUAL V.3
sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016