Network Security/Firewall Policy
No. 10-3 | Rev. | Date 11/13/07
I. PURPOSE
Access to information available through the university’s network systems must be strictly controlled in accordance with approved network access control criteria, which are to be maintained and updated regularly.
II. DEFINITIONS
Firewall: An information technology (IT) security device or software component that permits or denies network connections according to rules derived from the organization's security policy. Firewalls may be network-based or host-based, and implemented in hardware, software, or both.
Perimeter Firewall: Technology that is implemented where the Internet enters the campus network and is intended to mitigate known and ongoing threats.
Port: A 16-bit number carried in the header of a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) segment that identifies the sending and receiving service on a host. Firewall rules typically permit or deny traffic by protocol and destination port.
Portable equipment – Laptops, PDAs, and removable storage media such as flash drives (thumb drives).
High-Risk Data – Data that could be used to steal an individual's identity or cause harm to the individual, and for which there are legal requirements or industry standards prohibiting unauthorized disclosure or imposing financial penalties for it. Data covered by the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS) are in this class.
Restricted Data – Data assets for which there are legal requirements prohibiting or imposing financial penalties for unauthorized disclosure. Data covered by federal and state legislation, such as Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Government Records Access and Management Act (GRAMA), or the Data Protection Act, are in this class.
Host: A computer that communicates via a network, including servers and workstations. Devices such as “polycom” conference phones and web-cameras are not considered to be hosts.
Server: A computer that provides services to other computers.
Workstation: A single-user computer that is connected to a local-area network and is also referred to as a desktop or personal computer (PC).
Network: The interconnection of two or more computers that may share files, folders, applications, or resources such as file servers, application servers and printers.
Guest (Open) Network: A network which has a limited filtering of ports inbound from the Internet and is not allowed access to the Business or Academic Networks. This network is intended to accommodate visitors with non-university owned computers who wish to access the Internet.
Academic Network: A network which has a limited filtering of ports inbound from the Internet and is not allowed access to the Guest or Business Networks. This network is intended to accommodate Academic computing resources that require a less restrictive filtering of ports than resources on the Business Network.
Business Network: A network with controlled, restrictive filtering of ports which is managed at a higher level of security than the Guest and Academic Networks. This network is designed to support business processes which store and/or transmit Restricted and/or High-risk data.
Centralized Computer Systems - Computer hardware (including but not limited to Servers, Routers, Switches and Access Points) and software systems (including but not limited to Web hosts, Customized databases, University databases, and Faculty developed software for educational purposes) maintained by the IT Division and located in the University’s data centers.
Decentralized Computer Systems - Computer hardware (including but not limited to Servers, Routers, Switches and Access Points) and software systems (including but not limited to Web hosts, Customized databases, University databases, and Faculty developed software for educational purposes) maintained by any department outside the IT Division.
III. POLICY
a) Firewall technology must be implemented where the Internet enters the campus network to mitigate known and ongoing threats. This is also referred to as a perimeter firewall. Firewalls must also be implemented to protect local network segments and the IT resources attached to those segments, such as the Business network, Academic network and Open network. In addition, a host-based firewall must be installed on all university-owned hosts.
b) The level of security controls applied to the university’s network must at least match the highest level of classification of the data being transmitted.
c) High-risk or restricted information stored on portable devices must be protected, via encryption where feasible, to reduce the risk of unauthorized access. A university encryption solution will be identified for phased implementation by July 2008.
d) The university’s networks (Open, Academic and Business) must be adequately managed and controlled in order to be protected from threats and to maintain security for the systems and applications using the network. The Academic network will be initiated during July 2008. The following apply to the university’s networks:
i) IT specialists are responsible for documenting responsibilities and procedures, for both centralized and decentralized computing systems, that address the security and management of computing equipment.
ii) Special controls must be established to safeguard the confidentiality and integrity of high-risk or restricted data passing over public or wireless networks.
iii) Special controls are also required to maintain the availability of the network services and computers connected to any university network.
iv) Appropriate logging and monitoring must be applied to enable recording of security relevant actions.
v) Projects and changes involving the university’s network must be closely coordinated, both to optimize the service to the university, and to ensure that controls are consistently applied across the network infrastructure.
vi) An audit of all network firewalls must be performed at least once a year to verify and/or re-verify the need for allowed ports.
e) Connections to the network must be properly managed to ensure that only authorized devices/persons are connected.
i) Physical or log-in access must be controlled to prevent users from finding (and exploiting) unintentional access routes to systems and network resources.
ii) All inbound network traffic to the campus is blocked by default, unless explicitly allowed.
iii) Students are not allowed to make firewall configuration requests.
iv) Any host that requires less restrictive inbound access from the Internet than the Business network permits must be placed in the Academic network.
v) Off-campus access to internal campus resources, such as workstations and servers that are not intended for public use, must go through the university’s Virtual Private Network (VPN).
vi) The “standard campus firewall configuration” will block prohibited network traffic from reaching hosts outside the university network.
vii) Any host or server that creates an excessive number of connections through the perimeter firewall and adversely impacts the overall performance of the firewall will be disconnected from the network. Regaining access to the Internet must be authorized by either the Network Security Administrator or the Information Security Office.
f) External user access, or third party network connections to the university’s network, must be authorized by either the Network Security Administrator or Information Security Officer.