GROUP INFORMATION TECHNOLOGY DEPARTMENT

Firewall Policy

Policy Reference [GITD_IT029]
[Final Version 1.0 | Released Date: June 15, 2022]

Table of Contents

DOCUMENT VERSION & CHANGE CONTROL
1.0  Purpose
2.0  Major Policy Elements
3.0  Scope
4.0  Personnel with Responsibility
5.0  Operational Procedures
6.0  Enforcement
6.0  Revision

DOCUMENT VERSION & CHANGE CONTROL

Version History

Issue Date    | Version | Description     | Prepared By                          | Approved By
------------- | ------- | --------------- | ------------------------------------ | ------------------------------
June 15, 2022 | 1.0     | Firewall Policy | Mrs. Sudha Jacob, ITIL Administrator | Mr. Winston Ellison, Group CIO

Change History

Issue Date | Version | Description | Prepared By | Approved By
(no entries)

1.0        Purpose

Al Babtain operates perimeter firewalls between the Internet and its private internal network in order to create a secure operating environment for Babtain’s computer and network resources. A firewall is only one element of a layered approach to network security. The purpose of this Firewall Policy is to describe how the [PA-3020] firewall filters Internet traffic in order to mitigate the risks and losses associated with security threats, while maintaining appropriate levels of access for business users.

 

The Firewall Policy is subordinate to Babtain’s general Security Policy, as well as any

2.0        Major Policy Elements

The approach adopted to define firewall rule sets is that all services will be denied by the firewall unless expressly permitted in this policy. The [PA-3020] firewall permits the following outbound and inbound Internet traffic.

·         Outbound – All Internet traffic to hosts and services outside of Babtain.

·         Inbound – Only Internet traffic from outside Babtain that supports the business mission of Babtain as defined by Babtain Group IT.

The table below identifies the most common services used for Internet communications within the Babtain environment. For each service type, the table will indicate whether the firewall will accept it, accept it with authentication, or reject it.

Name                               | Source Zone | Source Address              | Destination Zone | Destination Address
---------------------------------- | ----------- | --------------------------- | ---------------- | -----------------------------------
Mail_Server-02 Inbound             | untrust     | any                         | trust            | Mail_Server_Public
Mail_Server-02 Outbound            | trust       | Mail_Server-02_Private KEMP | untrust          | any
Antispam_MFW Inbound               | untrust     | any                         | trust            | Antispam_MFW_Public
Antispam_MFW Outbound              | trust       | Antispam_MFW_Private        | untrust          | any
ERP_Orion Inbound                  | untrust     | any                         | trust            | ERP_Orion_Public; KPC Orion Private
ERP_Orion Outbound                 | trust       | ERP_Orion_Private           | untrust          | any
ESS Inbound                        | untrust     | any                         | trust            | ESS_Public
ESS Outbound                       | trust       | ESS_Private                 | untrust          | any
HRIS Inbound                       | untrust     | any                         | trust            | HRIS_Public
HRIS Outbound                      | trust       | HRIS_Private                | untrust          | any
Xenapp_Server_Inbound              | untrust     | any                         | trust            | Xenapp_Server_Public
Xenapp_Server Outbound             | trust       | Xenapp_Server_Private       | untrust          | any
Nissan_Web_Server_Inbound          | untrust     | any                         | trust            | Nissan_Web_Server_Public
VPN Inbound                        | VPN         | any                         | trust            | any
VPN Outbound                       | trust       | any                         | VPN              | any
Servers Internet Access - Outbound | trust       | 3cx Server Private          | untrust          | any
Internet Group 1                   | trust       | any                         | untrust          | any
Internet Group 2                   | trust       | any                         | untrust          | any
ISA                                | trust       | HQ_ISA_Server_Private       | untrust          | any
KPC Orion Outbound                 | trust       | KPC Orion Private           | untrust          | any
KPC Orion Inbound                  | untrust     | any                         | trust            | KPC Orion Public
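Added example, not part of this policy or of the PA-3020 configuration: a small audit that checks rule rows of the kind listed in the table above against the policy's own statements (default deny, inbound only to named business services, outbound permitted). The rows below are transcribed from the table; the checks themselves, the assumption that rules apply in table order, and matching on zones and addresses only (the table carries no service or application columns) are this example's own assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src_addr: str
    dst_zone: str
    dst_addr: str

def covers(addr, other):
    """True when address object `addr` matches everything `other` matches."""
    return addr == "any" or addr == other

def audit(rules):
    """Return {rule name: [findings]}; rules with no findings are omitted."""
    findings = {}
    for i, r in enumerate(rules):
        notes = []
        inbound = r.dst_zone == "trust"
        if inbound and r.dst_addr == "any":
            # Section 2.0 permits inbound traffic only to named business services.
            notes.append("inbound rule reaches every trusted host; name a destination object")
        if not inbound and r.src_zone != "trust":
            # Neither inbound-to-trust nor outbound-from-trust: not a case the policy describes.
            notes.append("direction not described by policy; review")
        for e in rules[:i]:
            if ((e.src_zone, e.dst_zone) == (r.src_zone, r.dst_zone)
                    and covers(e.src_addr, r.src_addr) and covers(e.dst_addr, r.dst_addr)):
                # An earlier, broader rule already matches everything this one would
                # (judged on zones and addresses only; the table lists no services).
                notes.append(f"shadowed by earlier rule '{e.name}'")
                break
        if notes:
            findings[r.name] = notes
    return findings

# Rows transcribed from the section 2.0 table, kept in table order (order is an assumption).
RULES = [
    Rule("Mail_Server-02 Inbound", "untrust", "any", "trust", "Mail_Server_Public"),
    Rule("Mail_Server-02 Outbound", "trust", "Mail_Server-02_Private KEMP", "untrust", "any"),
    Rule("VPN Inbound", "VPN", "any", "trust", "any"),
    Rule("VPN Outbound", "trust", "any", "VPN", "any"),
    Rule("Servers Internet Access - Outbound", "trust", "3cx Server Private", "untrust", "any"),
    Rule("Internet Group 1", "trust", "any", "untrust", "any"),
    Rule("Internet Group 2", "trust", "any", "untrust", "any"),
    Rule("ISA", "trust", "HQ_ISA_Server_Private", "untrust", "any"),
    Rule("KPC Orion Inbound", "untrust", "any", "trust", "KPC Orion Public"),
]
```

Calling `audit(RULES)` flags VPN Inbound (destination `any` into the trust zone) and the two later trust-to-untrust rules that the broad Internet Group 1 rule already covers; on the real device, service and application fields may narrow those rules, so each finding is a review item rather than a confirmed defect.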

 

3.0        Scope

This Firewall Policy refers specifically to the [PA-3020] firewall. The role of this firewall is to [Protect network and Network device]. The firewall will (at minimum) perform the following security services:

·         Access control between the trusted internal network and untrusted external networks.

·         Block unwanted traffic as determined by the firewall rule set.

·         Hide vulnerable internal systems from the Internet.

·         Hide information, such as system names, network topologies, and internal user IDs, from the Internet.

·         Log traffic to and from the internal network.

·         Provide robust authentication.

·         Provide virtual private network (VPN) connectivity.

 

All employees of Babtain are subject to this policy and required to abide by it.

4.0        Personnel with Responsibility

Mr. Rizwan Shakoor     Sr. Network Administrator
Mr. Winston Ellison    Group CIO

5.0        Operational Procedures

·         Babtain employees may request changes to the firewall’s configuration in order to allow previously disallowed traffic. A firewall change request, with full justification, must be submitted to the Group IT department for approval. All requests will be assessed to determine whether they fall within the parameters of acceptable risk. Approval is not guaranteed, as the associated risks may be deemed too high; if so, an explanation will be provided to the original requestor and alternative solutions will be explored.

·         Babtain employees may request access from the Internet for services located on the internal Babtain network. Typically, this remote access is handled via a secure, encrypted virtual private network (VPN) connection.

·         VPN sessions will have an absolute timeout length of. An inactivity timeout will be set. At the end of these timeout periods, users must re-authenticate to continue or re-establish their VPN connection. A VPN connectivity request form, with full justification, must be submitted to the IT department for approval. Approval is not guaranteed.

·         From time to time, outside vendors, contractors, or other entities may require secure, short-term, remote access to Babtain’s internal network. If such a need arises, a third-party access request, with full justification, must be submitted to the Group IT department for approval. Approval is not guaranteed.

·         Turnaround time for the above-stated firewall reconfiguration and network access requests is approximately days from receipt of the request form.

6.0        Enforcement

This policy is approved by the Group CIO. Requests for clarification of this policy can be sent to the Group CIO (winston.ellison@babtain.com.kw).

Violations of this policy are formally reported by the Group CIO to the HR department for subsequent disciplinary action.

Periodic auditing for compliance with this policy is the responsibility of all managers.

6.0        Revision

This policy document is reviewed by the Group CIO every year; updates are made if required, and the policy is then re-approved.

P.S. The procedures described above are based on standard practice and may be changed as the business and technology environment, new IT frameworks, or new roles and responsibilities across IT resources and business owners demand.

END OF DOCUMENT