Title: Firewall Policy
Author: University Information Technology Services
Effective Date: 09/06/2007
Applies To: Employees,Faculty,Students
Last Reviewed Date: 09/13/2007
Description: Firewall Policy
For More Information Contact: Director of IT Security, Policy & Quality Assurance
Contact Telephone Number: 860-486-4357

Firewall Policy

Background and Reason for the Policy: One of the information technology priorities for the University is to provide and maintain a safe and secure computing environment. University Information Technology Services (UITS) manages a perimeter firewall between its Internet connection and the University's campus network to provide the first level of defense against security threats to the University's network and information technology resources. In addition, UITS maintains a firewall within the UITS Server Farm to provide additional protection to those resources that are stored within that environment. Additionally, a departmental firewall has been established to provide firewall protection to departments' information technology resources.

 

Purpose of Policy: The purpose of this policy is to establish the requirements and responsibilities for the firewalls that are managed by UITS Network Engineering in providing overall security to the University's information technology resources.

 

Expected Institutional Outcome:  It is expected that the implementation of the firewall rules defined in this policy will mitigate the risks and losses associated with security threats to the University's network and information systems while ensuring appropriate access needed to conduct University business.

 

Definitions:

Anti-Virus (AV): A component of the firewall that inspects network traffic for known viruses.

Exempt list: A list of those servers exempt from the firewall rules.

Firewall: A firewall is a hardware and/or software device that controls (allowing/blocking/inspecting) traffic between two networks.

Inbound Connection: An inbound connection is one that is initiated from outside the firewall boundary.

Intrusion Prevention System (IPS): A component of the firewall that inspects and acts upon network traffic for known malicious traffic or anomalies.

Least Privilege: The principle of least privilege requires that a user or program be given the minimum necessary rights to information and resources for the shortest duration necessary to perform the required task.

Outbound Connection: An outbound connection is one that is initiated from inside the firewall boundary.

Stateful Firewall: Any firewall that keeps track of the state of network connections and only allows packets matching a known connection state.

Applicability of Policy: This policy applies to all firewalls maintained by UITS.

 

Policy Statement: It is a violation of policy for anyone to attempt to bypass, to penetrate, to alter the configuration of, or to otherwise affect the operation of any firewall, router, intrusion detection device or other network infrastructure device unless they are an authorized administrator of the device or are a member of UITS Network Engineering and the action is performed in the execution of their duties.

 

Perimeter Firewalls Configuration:

In response to the need to provide an environment that is conducive to academic freedoms, UITS has taken an innovative approach in network and host security by installing firewalls that combine the common capabilities of stateful inspection with the uncommon ability to scan network traffic, in real time, for viruses and network intrusion attempts. The principal idea is to identify and stop only malicious traffic, while allowing legitimate traffic to flow as expected.

The following traffic is explicitly blocked on the Internet firewall:

  • Any HTTP, FTP, IMAP, SMTP, NNTP or IM traffic, Inbound or Outbound, that is found to contain a virus, as identified through our network-based anti-virus scanning engine.
  • Any traffic, Inbound or Outbound, that is found to contain malicious code or that exhibits non-standard behavior, as identified through our IPS engine.
  • Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself.
  • Inbound traffic with a source address indicating that the packet originated on a network behind the firewall.
  • Inbound or Outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as being reserved for private networks.
  • Inbound and Outbound SNMP (Simple Network Management Protocol) traffic.
  • Inbound traffic containing IP Source Routing information.
  • Inbound or Outbound network traffic containing a source or destination address of 127.0.0.1 (localhost).
  • Inbound or Outbound network traffic containing a source or destination address of 0.0.0.0.
  • Inbound or Outbound traffic containing directed broadcast addresses.

Additional traffic types may be blocked as threats are identified by the UITS Network Security group.
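The header-level clauses of the block list above (spoofed internal sources, RFC 1918 sources, SNMP, source routing, localhost, 0.0.0.0 and directed broadcasts), implemented as a packet-header check. This is an added example, not UITS's firewall configuration: the internal range 192.0.2.0/24, the firewall address and the sample packets are constructed, and the AV/IPS clauses, which inspect payloads, are not covered.

```python
import ipaddress

# Constructed address space assumed to sit behind the firewall (an RFC 5737
# documentation range, not UConn's real allocation).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# RFC 1918 private ranges: blocked as a source in either direction.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SPECIAL = {ipaddress.ip_address("127.0.0.1"): "localhost address",
           ipaddress.ip_address("0.0.0.0"): "0.0.0.0 address"}
SNMP_PORTS = {161, 162}


def check_packet(direction, src, dst, proto="tcp", dport=None,
                 source_routing=False, firewall_ip=None, authenticated=False):
    """Return the block-list clause the packet header violates, or None.
    AV/IPS rules inspect payloads and are outside a header-level check."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for addr in (s, d):
        if addr in SPECIAL:
            return SPECIAL[addr]
    if any(s in net for net in RFC1918_NETS):
        return "RFC 1918 source"
    if any(d == net.broadcast_address for net in INTERNAL_NETS):
        return "directed broadcast"
    if proto == "udp" and dport in SNMP_PORTS:
        return "SNMP"
    if direction == "inbound":
        if source_routing:
            return "IP source routing"
        if any(s in net for net in INTERNAL_NETS):
            return "spoofed internal source"  # outside packet claims an inside address
        if firewall_ip and d == ipaddress.ip_address(firewall_ip) \
                and not authenticated:
            return "unauthenticated traffic to firewall"
    return None

# Constructed packet headers (not captured traffic) for a dry run.
SAMPLE_PACKETS = [
    {"id": 1, "direction": "inbound", "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 80},
    {"id": 2, "direction": "inbound", "src": "192.0.2.7", "dst": "192.0.2.10"},
    {"id": 3, "direction": "outbound", "src": "10.1.2.3", "dst": "203.0.113.5"},
    {"id": 4, "direction": "inbound", "src": "203.0.113.5", "dst": "192.0.2.255"},
    {"id": 5, "direction": "outbound", "src": "192.0.2.7", "dst": "203.0.113.5", "proto": "udp", "dport": 161},
]

def audit(packets):
    """Return (packet id, reason) for every packet the block list rejects."""
    return [(p["id"], r) for p in packets
            if (r := check_packet(**{k: v for k, v in p.items() if k != "id"}))]
```

Packet 1 (ordinary inbound web traffic) passes; the other four each match exactly one clause.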

 

Exceptions:

 

Firewall rule exceptions are made to the Internet Border firewall when an existing rule disrupts legitimate University business or productivity.  If, for example, an AV signature breaks an application, the server hosting that application could be placed into an exempt list.

 

UITS Server Farm Firewall Configuration: 

The purpose of the UITS Server Farm Firewall is to provide a physical firewall presence to every server that resides in the UITS Server Farm. Administration is a combined effort among the following groups:

UITS Network Security Group:
  • Coordinate transition
  • Work with server administrators to create initial policies
  • Provide ongoing support

UITS Network Design:
  • Reconfigure networks as necessary to move them behind the firewall

Server Administrators:
  • Assist UITS Network Security Group with initial policy configuration
  • Maintain policies
  • Review logs

The UITS Server Farm Firewall is capable of providing firewall and IPS services, but not AV services. This choice was made to balance the security configuration without compromising application response time. Firewall configuration is based on the concept of least privilege.

 

Departmental Firewall Configuration:

 

The purpose of the Departmental firewall is to provide a centrally managed firewall solution for departments that desire greater firewall protection than the Internet border firewalls provide.  This solution provides the following benefits:

  • Hardware support is handled by UITS.
  • Firewall rule creation and maintenance can be done either by UITS or the department and is determined prior to implementation.
  • Ability to implement Stateful Firewall, Anti-Virus, and IPS protections between the department's network and the remainder of the campus network.

 

Departments that are subject to regulatory compliance are encouraged to utilize this function.

Where UITS manages the firewall rules, the UITS Network Security Group will consult with the departmental network administrator to determine the functions of the systems on the networks.  Firewall policies based on least privilege will be written and reviewed by the departmental network administrator.  Documented agreement of both parties is required prior to implementation.

 

Where the department manages the firewall rules, the department is responsible for determining its own firewall rule configuration.  UITS Network Security Group personnel will be available to assist if there are questions surrounding configuration.

 

Regular Auditing: All firewalls maintained by UITS will be audited regularly, at a minimum biennially, by technically proficient third parties. The audit process will include consideration of defined configuration parameters, enabled services, permitted connectivity, current administrative practices, and adequacy of the deployed security measures.

Internal network and service scans will be done by the UITS Network Security Group whenever a new network or department is added to a firewall to ensure that the firewall is configured as expected.

 

Logs: All changes to firewall configuration parameters must be logged. In addition, system activity (syslog), which might be an indication of unauthorized usage or an attempt to compromise security measures, will be logged.  These firewall logs are maintained on a dedicated system for a period of six months.  The UITS Network Security Group reviews any logs associated with hardware functionality.  Any access (firewall rules, AV or IPS) logs are reviewed by the group responsible for firewall rule creation.

 

Firewall Access Privileges: Privileges to modify the functionality, connectivity, and services supported by firewalls must be restricted to a few individuals with a business need for those privileges. All firewalls will have at least two staff members who are adequately trained to make changes as circumstances require. Each staff member will authenticate with his/her own user ID and password.

 

Firewall Change Control: Because they support critical University information systems activities, firewalls are considered to be production systems. This means that all changes, including rules changes and configuration changes, as well as software upgrades and patches, must be submitted with the plan of implementation to be approved in advance by appropriate management.

 

Responsibilities:

The Chief Information Officer (CIO) has overall responsibility for this policy.

 

The CIO will review this policy on a bi-annual basis and respond to formal complaints resulting from the implementation of this policy.

 

UITS Network Engineering Security Group has overall responsibility for the UITS-managed firewalls.

 

Violations of this policy will result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

 

Last updated:  September 6, 2007

