
Longwood University
Chief Information, Technology, and Facilities Officer
Information and Instructional Technology Services
201 High Street, Coyner 107, Farmville, VA 23909
Phone: 434.395.2034    Fax: 434.395.2035


Policy 6130

FIREWALL POLICY


I. PURPOSE

The purpose of this policy is to provide for the configuration, maintenance, control and monitoring of enterprise-wide firewall technology used to safeguard the University’s information technology resources and systems.

A. COV IRTM Information Technology Security Standards

1. Agencies with external connections using TCP/IP must utilize firewall technology.

2. Each agency must test its firewall technology on a periodic basis to ensure compliance with security policies.

II. DEFINITIONS

A. Firewall Technology: The term “firewall technology” refers to any combination of network hardware, network software, and host-based software used within an organization to prevent unauthorized access to system software or data in accordance with its security policy (e.g., routers with access lists, proxy gateways, host-based firewall software, and specialized password devices).

III. POLICY

A. The intention is not to stop particular uses of the network, but instead to reduce the risk of insecure protocols that can be used to compromise systems.

B. Conceptually, Longwood’s enterprise firewall divides the world into multiple layers/networks. Each layer represents a different level of trust/protection. By enforcing a degree of separation between the layers, the firewall helps to prevent unauthorized access from a less trusted layer to a more trusted layer. For example, while a Web server on a less trusted layer is exposed to a relatively high risk of intrusion, the separation between layers provided by the firewall mitigates the risk that an intrusion of that Web server could be leveraged to gain unauthorized access to a more trusted layer. From outermost (least trusted/protected) to innermost (most trusted/protected), the layers are:

· Internet and other external IP networks

· Perimeter networks (varies according to level of trust)

· Internal network (the most trusted/protected network)

C. Security between the Internet and the university will be maintained by a firewall. The firewall must have a redundant failover unit to provide service continuity should the primary firewall unit fail. The firewall will inspect packets and sessions to determine whether they should be permitted or denied. In effect, the firewall will act as a single point of network access where traffic can be analyzed and controlled. The firewall will forward authentication requests to a RADIUS server. Access to the university’s Perimeter and/or Internal network(s) will be based on parameters such as (but not limited to):

1. Application/service use, such as public, administrative only, student only, Internet only, etc.

2. User authentication, authorization, and accounting, for both incoming traffic from remote users and outgoing traffic to the Internet

3. IP address and port

4. Outbound connections (more trusted to a less trusted layer) are generally permitted by default.

5. Inbound connections (less trusted to a more trusted layer) are denied by default (see Section F for exceptions).

D. The firewall will be configured to use system logging (syslog) to export its log messages to designated syslog server(s). The firewall logs will be backed up and archived in accordance with current practices implemented on the syslog server. In addition, the firewall will be configured to respond to Simple Network Management Protocol (SNMP) requests from the network management server. Construction of SNMP access lists and community strings will be consistent with established security practices. At a minimum, the firewall will be configured to log:

1. Emergencies, such as system unusable messages,

2. Alerts, critical conditions, error and warning messages,

3. VPN sessions,

4. Logon access and configuration attempts made to the firewall.
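As an added example (not part of Policy 6130 or of any firewall product), the following Python filter applies the Section D minimum to a constructed sample of exported syslog: items 1 and 2 come straight from the severity encoded in the syslog PRI field, while VPN sessions and logon/configuration attempts are matched with constructed keyword patterns, since the policy does not name a log format.

```python
"""Filter exported firewall syslog for the events Policy 6130 Section D requires.
Added example, not part of the policy or of any firewall product. Syslog PRI =
facility*8 + severity (RFC 3164/5424); severities 0..4 are Section D items 1-2.
Items 3-4 use constructed keyword patterns; the sample lines are constructed."""
import re

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
VPN_RE = re.compile(r"\bvpn\b.*\b(session|tunnel)\b", re.IGNORECASE)            # D.3
ADMIN_RE = re.compile(r"\b(login|logon|ssh|config|configuration)\b", re.IGNORECASE)  # D.4

# Constructed sample export; facility local0 (16), so PRI = 128 + severity.
SAMPLE_LOGS = [
    "<129>Jan 10 03:12:44 fw1 alert: failover unit fw2 not responding",
    "<132>Jan 10 03:13:01 fw1 warning: denied tcp 203.0.113.7:4444 -> 10.0.0.5:22",
    "<134>Jan 10 03:13:05 fw1 info: built outbound tcp 10.0.0.9:5021 -> 198.51.100.20:443",
    "<134>Jan 10 03:14:10 fw1 info: vpn session started for user jdoe from 203.0.113.50",
    "<133>Jan 10 03:15:00 fw1 notice: admin login via ssh from 10.0.0.2",
    "line without a syslog PRI header",
]

def parse_pri(line):
    """Return (facility, severity, message) for an RFC 3164-style line, else None."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23*8 + 7 is the largest valid PRI
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7, m.group(2).strip()

def policy_reasons(line):
    """List the Section D items a line satisfies; [] means it need not be retained."""
    parsed = parse_pri(line)
    if parsed is None:
        return []
    _facility, severity, msg = parsed
    reasons = []
    if severity <= 4:  # Section D items 1-2: everything at warning or worse
        reasons.append("D.1 emergency" if severity == 0 else "D.2 alert/crit/err/warning")
    if VPN_RE.search(msg):
        reasons.append("D.3 vpn-session")
    if ADMIN_RE.search(msg):
        reasons.append("D.4 logon/config")
    return reasons

def filter_policy_events(lines):
    """Keep only the lines the policy requires, as (severity name, reasons, message)."""
    kept = []
    for line in lines:
        parsed, reasons = parse_pri(line), policy_reasons(line)
        if reasons:
            kept.append((SEVERITY[parsed[1]], reasons, parsed[2]))
    return kept
```

Run against the sample, the filter keeps the alert, the warning, the VPN session and the admin logon, and drops the routine outbound connection and the malformed line; the same routine can be pointed at a real export to confirm that nothing the policy requires is being suppressed by the firewall's logging level.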

E. Daily operation and maintenance of the firewall will be the responsibility of the Information Security Office.

F. The system administrator/owner of a system located on a more trusted network may request, in writing or via e-mail, a firewall “rule” to allow access (inbound connections) from a system on a less trusted network.

1. Temporary/testing access requests must include a reasonable expiration date not to exceed 30 days at a time.

2. Requests for access to student-owned systems will be valid for only one academic year at a time and will be automatically removed each May after graduation.

3. Requests for access to faculty/staff systems from the Internet are not allowed.
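As an added example (not part of Policy 6130), the following Python check encodes the request constraints of Sections C and F so that a rule request can be screened before it reaches the approver in Section G. The layer names, the owner labels, the 31 May cut-off standing in for “May after graduation”, and the sample requests are all constructed assumptions.

```python
"""Check inbound firewall rule requests against Policy 6130 Sections C and F.
Added example, not part of the policy. The request fields, trust-layer names,
and sample requests are constructed; "May after graduation" is taken as 31 May."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

LAYERS = ["internet", "perimeter", "internal"]  # Section B, least trusted first
MAX_TEMP_DAYS = 30                                # Section F.1

@dataclass
class RuleRequest:
    requester: str
    src_layer: str
    dst_layer: str
    owner_type: str            # "student" or "faculty_staff" (constructed labels)
    requested: date
    expires: Optional[date]
    temporary: bool = False

def student_expiry(requested: date) -> date:
    """End of the academic year for a student rule: the next 31 May (Section F.2)."""
    year = requested.year if (requested.month, requested.day) <= (5, 31) else requested.year + 1
    return date(year, 5, 31)

def evaluate(req: RuleRequest) -> List[str]:
    """Return policy violations; an empty list means the request can go to approval."""
    problems = []
    if LAYERS.index(req.src_layer) >= LAYERS.index(req.dst_layer):
        return ["not inbound: outbound traffic is permitted by default (Section C.4)"]
    if req.owner_type == "faculty_staff" and req.src_layer == "internet":
        problems.append("Internet access to faculty/staff systems is not allowed (Section F.3)")
    if req.temporary:
        if req.expires is None:
            problems.append("temporary rule needs an expiration date (Section F.1)")
        elif (req.expires - req.requested).days > MAX_TEMP_DAYS:
            problems.append(f"temporary rule exceeds {MAX_TEMP_DAYS} days (Section F.1)")
    if req.owner_type == "student":
        limit = student_expiry(req.requested)
        if req.expires is None or req.expires > limit:
            problems.append(f"student system rule must end by {limit.isoformat()} (Section F.2)")
    return problems

# Constructed sample requests.
SAMPLE_REQUESTS = [
    RuleRequest("jdoe", "internet", "internal", "faculty_staff", date(2024, 1, 10), date(2024, 1, 30), True),
    RuleRequest("asmith", "internet", "perimeter", "student", date(2024, 9, 1), date(2024, 9, 20), True),
    RuleRequest("bwong", "perimeter", "internal", "faculty_staff", date(2024, 9, 1), date(2024, 10, 15), True),
    RuleRequest("clee", "internal", "internet", "faculty_staff", date(2024, 9, 1), None),
]
```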

G. The Information Security Administrator or his/her designee must approve in writing all configuration changes and rule requests. The Information Security Office, in conjunction with the Communications and Technology Services Department, must approve in writing all operating system (OS) changes and upgrades. Changes will not be approved if the university determines them to be a threat to the confidentiality, integrity or availability of its information technology resources and systems.

H. Firewall configurations will be reviewed annually or when there are major changes to the network requirements that may warrant significant changes to the firewall. Examples of such situations include (but are not limited to):

1. The implementation of major enterprise computing environment modifications

2. Any occurrence of a major information security incident

3. When new applications are being considered. Likewise, when an application is phased out or upgraded, the firewall configuration should be formally changed where appropriate.

Approved by the Board of Visitors, September 15, 2006.

