
Longwood University
Chief Information Officer:
Information and Instructional Technology Services
201 High Street, Coyner 107, Farmville, VA 23909
Phone: 434.395.2034    Fax: 434.395.2035


 Policy 6130
FIREWALL POLICY

I.     PURPOSE

The purpose of this policy is to provide for the configuration, maintenance, control and monitoring of enterprise-wide firewall technology used to safeguard the university’s information technology (IT) resources and systems.

II.    DEFINITIONS

  1. Firewall Technology: The term “firewall technology” refers to any combination of network hardware, network software and host-based software used within an organization to prevent unauthorized access to system software or data.
     
  2. Outbound connection: An outbound connection allows university network users to utilize Internet services.
     
  3. Inbound connection: An inbound connection allows Internet and external IP network users to reach the university’s networks.
 

III.   POLICY

  1. The intention of firewall technology is to protect university IT resources and systems by limiting access to internal resources from outside the network and by limiting the access of network users to external resources with significant known vulnerabilities.
     
  2. Conceptually, Longwood’s enterprise firewall technology divides the world into multiple layers. Each layer represents a different level of trust. By enforcing a degree of separation between the layers, firewall technology helps to prevent unauthorized access from a less trusted layer to a more trusted layer. 

    Example: While a Web server on a less trusted layer is exposed to a relatively high risk of intrusion, the separation between layers provided by firewall technology mitigates the risk that an intrusion of that Web server could be leveraged to gain unauthorized access to a more trusted layer. 

    From outermost (least trusted) to innermost (most trusted), the layers are:
     
    • Internet and other external IP networks
       
    • Perimeter networks (varies according to level of trust)
       
    • Internal network (the most trusted network)
     
  3. Firewall technology will inspect network traffic to determine if the requested connection should be permitted or denied. In effect, the firewall technology will act as an entry point of network access where traffic can be analyzed and controlled.
     
    1. Outbound connections (more trusted to a less trusted layer) are generally permitted by default.
       
    2. Inbound connections (less trusted to a more trusted layer) are denied by default.
     
  4. The system administrator of a system located on a more trusted network may request in writing or via e-mail a firewall “rule” to allow access (inbound connections) from a system on a less trusted network to a more trusted network. Information and Instructional Technology Services (IITS) must approve all rule requests.
     
    1. Temporary or testing access requests must include a reasonable expiration date not to exceed 30 days at a time.
       
    2. Requests for access to student-owned systems will be valid for only one academic year at a time and will be automatically removed each May after graduation.
       
    3. Requests for access to faculty and staff systems from the Internet are not allowed.
       
    4. Requests for “gaming” ports are not allowed at any time and will be denied.
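The default decision of III.3 and the screening constraints of III.4, as an added example that is not part of Policy 6130 or of IITS tooling. The layer names, the owner labels, the `gaming_port` flag (the policy does not list the ports) and May 31 as the student-rule removal date are assumptions.

```python
"""Added example, not part of Longwood Policy 6130: applies the Section III
trust layers to a connection and screens a rule request against III.4."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# III.2 layers, outermost (least trusted) to innermost (most trusted).
LAYERS = ["internet", "perimeter", "internal"]
TRUST = {name: rank for rank, name in enumerate(LAYERS)}


def default_decision(src_layer: str, dst_layer: str) -> str:
    """III.3: outbound (more to less trusted) permitted, inbound denied
    by default; traffic within one layer crosses no trust boundary."""
    src, dst = TRUST[src_layer], TRUST[dst_layer]
    if src > dst:
        return "permit"
    if src < dst:
        return "deny"
    return "same-layer"


@dataclass
class RuleRequest:
    src_layer: str
    dst_layer: str
    owner: str            # assumed labels: "student", "faculty-staff", "server"
    temporary: bool       # III.4.1 temporary or testing access
    expires: Optional[date]
    gaming_port: bool     # assumed flag; the policy does not list the ports


def review_request(req: RuleRequest, today: date) -> Tuple[str, List[str]]:
    """Returns ("denied", reasons) when III.4 rules the request out,
    otherwise ("pending-IITS-approval", []) since IITS approves all rules."""
    reasons = []
    if req.gaming_port:
        reasons.append("III.4.4: gaming ports are not allowed at any time")
    if req.owner == "faculty-staff" and req.src_layer == "internet":
        reasons.append("III.4.3: no Internet access to faculty/staff systems")
    if req.temporary and (req.expires is None
                          or req.expires > today + timedelta(days=30)):
        reasons.append("III.4.1: temporary access must expire within 30 days")
    return ("denied", reasons) if reasons else ("pending-IITS-approval", [])


def student_rule_expiry(requested: date) -> date:
    """III.4.2: student rules are removed each May; assumes May 31 as the
    removal date, in the first May on or after the request."""
    year = requested.year if requested <= date(requested.year, 5, 31) else requested.year + 1
    return date(year, 5, 31)
```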
     
  5. Service continuity of the primary firewall will be provided through redundancy of the firewall technology.
     
  6. Firewall technology will be configured to use system logging.
     
  7. Daily operation and maintenance of firewall technology will be the responsibility of IITS.
     
  8. IITS will review firewall configurations annually or in the event of a situation warranting review of the configuration. Examples of such situations include, but are not limited to:
     
    1. The implementation of major enterprise computing environment modifications.
       
    2. Any occurrence of a major information security incident.
       
    3. New applications are being considered or applications are being phased out or upgraded.

  9. The Information Security Officer or his or her designee reserves the right to review, modify or revoke any rule requests or configuration changes at his or her discretion.

IV.     ENFORCEMENT

The University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible cancellation of IT resources and systems access privileges. Users of IT resources and systems at Longwood are subject to all applicable local, state and federal statutes. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.

Approved by the Board of Visitors, September 15, 2006.
Revised and approved by the Board of Visitors, September 12, 2008.
Revised and approved by the Board of Visitors, September 11, 2009.
