|Policy Owner:||Information Technology Services / Chief Information Security Officer|
|Applies to:||All students, faculty, and staff responsible for configuring firewalls|
|Campus Applicability:||All campuses except UConn Health|
|Effective Date:||August 30, 2021|
|For More Information, Contact||UConn Information Security Office|
|Contact Information:||firstname.lastname@example.org or email@example.com|
To ensure a common set of firewall configurations across the organization to maximize their protection and detection capabilities in support of the security of the University. Firewalls provide a valuable protection and detection capability for the organization when properly configured, managed, and monitored.
This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have responsibility for controlling or configuring firewalls.
EOL: End of Life
EOS: End of Support
IANA: Internet Assigned Numbers Authority (iana.org)
The University operates in a highly flexible and adaptive security environment to meet its academic, research, and administrative missions. While the ability to adapt to meet the ever-changing needs of the University is important, oversight and reporting of firewall activities are critical to the successful protection and operation of the University environment. The following firewall requirements must be met:
Firewall Configuration Standards
- All firewalls must be properly maintained from a hardware and software perspective. This includes proper lifecycle planning for EOL and EOS software/hardware and regular review (at least annually) of firewall rulesets.
- All dedicated firewalls used in production must follow the University firewall management standard, which includes the ability to review currently configured firewall rules across the organization, identification of shadow or redundant rules and rules in conflict, and standardization of device/object names.
- Firewall rulesets and configurations must be backed up frequently to alternate storage (not on the same device). Multiple generations must be captured and retained in order to preserve the integrity of the data, should restoration be required. Access to rulesets, configurations and backup media must be restricted to those responsible for administration and review.
Firewall rules specify (either allow or deny) the flow of traffic through the firewall device. Firewall rules are typically written based on a source object (IP address/range, DNS Name, or group), destination object (IP address/range, DNS Name, or group), Port/Protocol and action.
- All firewall implementations should adopt the principal of “least privilege” and deny all inbound traffic by default. The ruleset should be opened incrementally to only allow permissible traffic.
- Outbound traffic should be enumerated for data stores, applications, or services
- Overtly broad rules may be allowed for specific groups of individuals (not systems). Approval must be granted by the Chief Information Security Officer or their designee.
- The use of overly permissive firewall rules is prohibited (i.e., ANY/ANY/ALL rules).
- Protocols defined in services and in the firewall must utilize Service Name and Protocol/Port information as assigned by IANA, unless there is a technical reason to do otherwise other than “security through obscurity” and must be commented appropriately in the ruleset.
Firewall log integrity is paramount to understanding potential threats to the network. Firewall devices must log the following data to a system outside of the physical firewall itself and must be regularly reviewed at least monthly or programmatically through automated means. Firewall logs may be forwarded to the ISO SIEM for retention and analysis.
The following items must be logged as part of the operation of the firewall:
- All changes to firewall configuration parameters, enabled services, and permitted connectivity
- Any suspicious activity that might be an indicator of either unauthorized usage or an attempt to compromise security measures
Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.
Questions about this policy or suspected violations may be reported to any of the following:
Office of University Compliance – https://compliance.uconn.edu (860-486-2530)
Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)
Information Security Office – https://security.uconn.edu
Policy created: August 30, 2021 [Approved by President’s Senior Team]