Agencies operating bi-directional gateways implement firewalls and traffic flow filters to provide a protective layer to their networks in both discrete and virtual environments.

]]> This section covers information relating to filtering requirements for bi-direction gateways between networks of different security domains.

]]> When a control specifies a requirement for a diode or filter the appropriate information can be found within Section 19.4 –Diodes and Section 20.3 – Content Filtering.

]]> Additional information that also applies to topics covered in the section can be found in:

Chapter 12 – Product Security which provides advice on the selection of evaluated products;
Section 20.1 – Data Transfers;
Section 20.2 – Data Import and Export; and
Section 22.2 – Virtualisation.

]]> When connecting networks accredited to the same classification and set of endorsements within an agency the requirements of this section may not apply. When connecting networks accredited with different classifications or endorsements within an agency the information in this section applies.

]]> When connecting an agency network to the Internet, the Internet is considered an UNCLASSIFIED and insecure network.

]]> Further information on the Network Device Protection Profile (NDPP) and firewalls can be found at:

Reference	Title	Publisher	Source
NDPP	Network Device Protection Profile (NDPP)	(US) National Information Assurance Partnership	https://www.niap-ccevs.org/Profile/Info.cfm?PPID=293&id=293

]]> The higher the required assurance level for a firewall, the greater the assurance that it provides an appropriate level of protection against an attacker. For example, an EAL2 firewall is certified to provide protection against a basic threat potential, whilst an EAL4 firewall is certified to provide protection against a moderate threat potential. A Protection Profile (PP) is considered to be equivalent to EAL2 under its Common Criteria Recognition Arrangement.

]]> If a uni-directional connection between two networks is being implemented only one gateway is necessary with requirements being determined based on the source and destination networks. However, if a bi-directional connection between two networks is being implemented both gateways will be configured and implemented with requirements being determined based on the source and destination networks.

]]> All gateways MUST contain a firewall in both physical and virtual environments.

]]> Agencies MUST check the evaluation has examined the security enforcing functions by reviewing the target of evaluation/security target and other testing documentation.

]]> Agencies MUST use devices as shown in the following table for their gateway when connecting two networks of different classifications or two networks of the same classification but of different security domains.

Your network	Their network	You require	They require
RESTRICTED and below	UNCLASSIFIED	EAL4 firewall	N/A
	RESTRICTED	EAL2 or PP firewall	EAL2 or PP firewall
	CONFIDENTIAL	EAL2 or PP firewall	EAL4 firewall
	SECRET	EAL2 or PP firewall	EAL4 firewall
	TOP SECRET	EAL2 or PP firewall	Consultation with GCSB
CONFIDENTIAL	UNCLASSIFIED	Consultation with GCSB	N/A
	RESTRICTED	EAL4 firewall	EAL2 or PP firewall
	CONFIDENTIAL	EAL2 or PP firewall	EAL2 or PP firewall
	SECRET	EAL2 or PP firewall	EAL4 firewall
	TOP SECRET	EAL2 or PP firewall	Consultation with GCSB
SECRET	UNCLASSIFIED	Consultation with GCSB	N/A
	RESTRICTED	EAL4 firewall	EAL2 or PP firewall
	CONFIDENTIAL	EAL4 firewall	EAL2 or PP firewall
	SECRET	EAL2 or PP firewall	EAL2 or PP firewall
	TOP SECRET	EAL2 or PP firewall	EAL4 firewall
TOP SECRET	UNCLASSIFIED	Consultation with GCSB	N/A
	RESTRICTED	Consultation with GCSB	EAL2 or PP firewall
	CONFIDENTIAL	Consultation with GCSB	EAL2 or PP firewall
	SECRET	EAL4 firewall	EAL2 or PP firewall
	TOP SECRET	EAL4 firewall	EAL4 firewall

]]> The requirement to implement a firewall as part of gateway architecture MUST be met separately and independently by both parties (gateways) in both physical and virtual environments.

Shared equipment DOES NOT satisfy the requirements of this control.

]]> As NZEO networks are particularly sensitive, additional security measures need to be put in place when connecting them to other networks.

]]> Agencies MUST use a firewall of at least an EAL4 assurance level between an NZEO network and a foreign network in addition to the minimum assurance levels for firewalls between networks of different classifications or security domains.

]]> In all other circumstances the table at 19.3.8.C.03 MUST apply.

]]> Agencies SHOULD use a firewall of at least an EAL2 assurance level or a Protection Profile between an NZEO network and another New Zealand controlled network within a single security domain.

]]>