The aim of this document is to present best practices for the secure deployment of SNS firewalls, in physical or virtual versions (the restrictions and best practices relating to virtualization are explained in the guide Security issues associated with virtualized information systems, in French).

The recommendations given in this document apply to SNS firewalls. The recommendations relating to configurations on the SMC server aim to secure the deployment of SNS firewalls. Recommendations cover the following functions:

  • Administration,

  • Filtering,

  • IPsec encryption,

  • Monitoring,

  • Backup,

  • Logging.

This document is to be read together with ANSSI’s publications (in French) Recommendations for the definition of a firewall’s filter policy and Recommendations relating to the interconnection of information systems to the Internet.

The features presented in this guide are not restricted to those evaluated during the qualification of the product. Features that were not evaluated are specified in the body of this document with the caption “This feature was not part of the security target”.
The use of unevaluated features therefore requires an additional risk analysis that must be submitted to the IS approval committee. The committee will then decide whether to accept the residual risks or implement appropriate protection measures.
The security target does not cover the features on the SMC server.