In a dynamic data masking deployment, firewall policies are the rules that dictate how the database firewall handles network traffic for specific IP addresses and address ranges, protocols, applications, and content types, in line with the organization’s information security policy.
Before a firewall policy is created, some form of risk analysis should be carried out to develop a list of the types of traffic needed by the organization and categorize how they must be secured—including which types of traffic can traverse a firewall under what circumstances. This risk analysis should be based on an evaluation of threats; vulnerabilities; countermeasures in place to mitigate vulnerabilities; and the impact if systems or data are compromised.
Firewall policies should be documented in the system security plan and maintained and updated frequently as classes of new attacks or vulnerabilities arise, or as the organization’s needs regarding network applications change. The policies should also include specific guidance on how to address changes to the rule set.
An effective database firewall should block all inbound and outbound traffic that has not been expressly permitted by the firewall policies, that is, traffic the organization does not require. This decreases the attack surface and can also reduce the volume of traffic carried on the organization’s networks. Because hosts, networks, protocols, and applications change constantly, deny by default is a more secure approach for a dynamic data masking deployment than permitting all traffic that is not explicitly forbidden: a new service or port that nobody has assessed stays blocked until a rule is written for it, rather than being reachable the moment it appears.
Some Firewall Policies Are Described Below
Firewall Policies Based On IP Addresses And Protocols
Firewall policies should allow only the necessary IP protocols through. Examples of commonly used IP protocols, with their IP protocol numbers, are ICMP (1), TCP (6), and UDP (17). Other IP protocols, such as the IPsec components Encapsulating Security Payload (ESP, 50) and Authentication Header (AH, 51), and routing protocols may also need to pass through firewalls. These necessary protocols should be restricted whenever possible to the specific hosts and networks within the organization that need to use them, for example permitting ESP and AH only between the known VPN peers rather than from any address. By permitting only the necessary protocols, all other IP protocols are denied by default.
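To make the deny-by-default and protocol-restriction points concrete, the following is an added example (not code from the original page or from any firewall product): a small policy evaluator with first-match semantics and a default drop, plus a renderer that emits the same policy as an nftables ruleset. The IP protocol numbers are the ones named above; the addresses, the `inbound` chain name and the rule set itself are constructed for illustration.

```python
"""Deny-by-default firewall policy evaluator with nftables rendering (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IP protocol numbers named in the text.
ICMP, TCP, UDP, ESP, AH = 1, 6, 17, 50, 51

# Traffic that matches no explicit rule gets this action.
DEFAULT_ACTION = "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # only meaningful for TCP/UDP


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    proto: Optional[int]   # None = any IP protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """Every field set on the rule must match the packet."""
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None:
            # A port constraint can only be satisfied by TCP or UDP.
            if pkt.proto not in (TCP, UDP) or pkt.dport != self.dport:
                return False
        return True


def evaluate(rules, pkt):
    """First matching rule wins; with no match the packet is denied by default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return DEFAULT_ACTION, None


# Constructed sample policy (hypothetical addresses): each protocol is
# restricted to the hosts that actually need it, everything else is dropped.
INBOUND_POLICY = [
    Rule("accept", TCP, src="10.20.0.0/16", dst="10.1.5.10/32", dport=5432,
         comment="application tier to database"),
    Rule("accept", ESP, src="203.0.113.7/32", dst="10.1.0.1/32", comment="IPsec VPN peer"),
    Rule("accept", AH, src="203.0.113.7/32", dst="10.1.0.1/32", comment="IPsec VPN peer"),
    Rule("accept", ICMP, src="10.0.0.0/8", comment="internal diagnostics"),
]


def to_nftables(rules, chain="inbound"):
    """Render the policy as an nftables input chain whose chain policy is the default action."""
    lines = ["table inet db_fw {", f"  chain {chain} {{",
             f"    type filter hook input priority 0; policy {DEFAULT_ACTION};"]
    for r in rules:
        parts = []
        if r.src != "0.0.0.0/0":
            parts.append(f"ip saddr {r.src}")
        if r.dst != "0.0.0.0/0":
            parts.append(f"ip daddr {r.dst}")
        if r.proto in (TCP, UDP) and r.dport is not None:
            parts.append(f"{'tcp' if r.proto == TCP else 'udp'} dport {r.dport}")
        elif r.proto is not None:
            parts.append(f"ip protocol {r.proto}")
        parts.append(r.action)
        if r.comment:
            parts.append(f'comment "{r.comment}"')
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for p in (Packet("10.20.3.4", "10.1.5.10", TCP, 5432),   # allowed
              Packet("10.20.3.4", "10.1.5.10", TCP, 22),     # no rule: default drop
              Packet("198.51.100.9", "10.1.0.1", ESP)):     # ESP from a non-peer: drop
        print(p, "->", evaluate(INBOUND_POLICY, p)[0])
    print(to_nftables(INBOUND_POLICY))
```

The evaluator mirrors what the firewall itself does: nothing is reachable until a rule says so, and the ESP/AH rules only admit the named VPN peer, so the same protocol from any other source falls through to the default drop. The rendered ruleset can be reviewed before loading it with `nft -f`.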
Firewall Policies Based on Applications
Most early firewall work involved simply blocking unwanted or suspicious traffic at the network boundary. Inbound application firewalls or application proxies take a different approach: they let traffic destined for a particular server into the network, but first terminate it on a proxy that applies the same port-based filtering and then inspects the application-layer content. This provides an additional layer of security for incoming traffic, because at least the part of the traffic the proxy understands is validated before it reaches the destination server. The caveat is that a proxy only validates protocols it has been built to parse; anything it merely relays is no better protected than with a port-based rule.