Page 640 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
classification or sensitivity are grouped together and isolated from
other groups with different levels. This isolation can be absolute or
one-directional. For example, a lower level may not be able to initiate
communication with a higher level, but a higher level may initiate with
a lower level. Isolation can also be logical or physical. Logical isolation
requires the use of classification labels on data and packets, which
must be respected and enforced by network management, OSs, and
applications. Physical isolation requires implementing network
segmentation or air gaps between networks of different security levels.
Application Firewalls
An application firewall is a device, server add-on, virtual service, or
system filter that defines a strict set of communication rules for a
specific service and all of its users. It operates at the application
layer: it understands the protocol the service speaks (HTTP, SQL, SMTP,
and so on) and inspects each request for malformed protocol use and
hostile payloads. It is therefore deployed as an application-specific,
server-side firewall to stop protocol and payload attacks that a filter
working only on addresses and ports cannot see.
A network firewall, typically deployed as a hardware or virtual
appliance, is designed for general network filtering. It makes its
decisions on source and destination addresses, protocols, ports and
(when stateful) connection state, and so provides broad protection for
an entire network rather than for one service.
Both types of firewall are important and may be relevant in many
situations. Every network needs a network firewall, and many
application servers need an application firewall. Using an application
firewall does not negate the need for a network firewall: deploy the
two in series, the network firewall at the perimeter and the application
firewall in front of the server, so that each catches what the other
cannot, rather than treating them as competing solutions.
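The following is an added example, not code from the study guide, showing why the two firewalls are complementary. A network-layer filter decides on addresses, protocol and port only; an application-layer filter parses the HTTP request and checks method, body size and payload content. Chained in series, the network filter rejects a service that should not be reachable at all (SSH from the Internet), while only the application filter can reject a well-formed HTTP request carrying a path-traversal or SQL-injection payload. The rule sets, the web server address 203.0.113.10 and the sample requests are all constructed for the example; the HTTPS request is shown as it would look after TLS termination.

```python
"""Network-layer and application-layer filtering in series.

Added example (not from the study guide). The rule sets, addresses and
HTTP requests below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal model of an inbound packet carrying application data."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes  # application data (HTTP request text, post-TLS for 443)


# --- Network firewall: sees only addresses, protocol and ports -------------
# Ordered rules, first match wins, default deny. 203.0.113.10 is the
# (constructed) public web server; SSH is allowed only from the internal net.
NETWORK_RULES = [
    ("allow", "tcp", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("203.0.113.10/32"), 443),
    ("allow", "tcp", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("203.0.113.10/32"), 80),
    ("allow", "tcp", ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.10/32"), 22),
]


def network_firewall(pkt: Packet) -> tuple[bool, str]:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src_net, dst_net, dport in NETWORK_RULES:
        if proto == pkt.proto and src in src_net and dst in dst_net and dport == pkt.dport:
            return action == "allow", f"network: {action} (rule {proto}/{dport})"
    return False, "network: deny (default)"


# --- Application firewall: understands HTTP and inspects the payload -------
APP_ALLOWED_METHODS = {"GET", "HEAD", "POST"}
APP_MAX_BODY = 4096
APP_BLOCKED_PATTERNS = [  # constructed signatures, deliberately small
    (re.compile(rb"(^|/)\.\.(/|$)"), "path traversal"),
    (re.compile(rb"(?i)(union\s+select|'\s*or\s+'?1'?\s*=\s*'?1)"), "SQL injection signature"),
    (re.compile(rb"(?i)<script\b"), "script tag in request"),
]


def parse_http_request(payload: bytes):
    """Return (method, path, body), or None if the payload is not an HTTP request."""
    head, _sep, body = payload.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0].decode("ascii", "replace"), parts[1], body


def application_firewall(pkt: Packet) -> tuple[bool, str]:
    parsed = parse_http_request(pkt.payload)
    if parsed is None:
        return False, "app: deny (not a well-formed HTTP request)"
    method, path, body = parsed
    if method not in APP_ALLOWED_METHODS:
        return False, f"app: deny (method {method} not allowed)"
    if len(body) > APP_MAX_BODY:
        return False, "app: deny (body too large)"
    for pattern, label in APP_BLOCKED_PATTERNS:
        if pattern.search(path) or pattern.search(body):
            return False, f"app: deny ({label})"
    return True, "app: allow"


def filter_in_series(pkt: Packet) -> tuple[bool, str]:
    """Network firewall first; only traffic it admits reaches the application firewall."""
    ok, reason = network_firewall(pkt)
    if not ok:
        return False, reason
    return application_firewall(pkt)


# --- Constructed sample traffic --------------------------------------------
WEB = "203.0.113.10"
SAMPLES = {
    "normal_get": Packet("198.51.100.7", WEB, "tcp", 80,
                         b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "ssh_from_internet": Packet("198.51.100.7", WEB, "tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "traversal": Packet("198.51.100.7", WEB, "tcp", 80,
                        b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    "sqli_post": Packet("198.51.100.7", WEB, "tcp", 443,
                        b"POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 26\r\n\r\n"
                        b"user=admin' OR '1'='1&pw=x"),
}


def run_examples() -> dict:
    """Run every sample through both firewalls in series; returns name -> (allowed, reason)."""
    return {name: filter_in_series(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_examples().items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY ':5} {reason}")
```

Note that `network_firewall` alone admits the traversal and injection requests, since to it they are ordinary port-80 and port-443 traffic, and `application_firewall` would never be in the path of an SSH connection to the server; each filter covers the other's blind spot only when both are deployed.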
Manual Updates
Manual updates should be used in static environments to ensure that
only tested and authorized changes are implemented. An automated update
system could apply untested updates that silently reduce security on a
system that is expected never to change.
Firmware Version Control
Similar to manual software updates, strict control over firmware in a
static environment is important. Firmware updates should be