Firewall Policy

A firewall is an appliance (a combination of hardware and software) or an application (software) designed to control the flow of Internet Protocol (IP) traffic to or from a network or electronic equipment. Firewalls are used to examine network traffic and enforce policies based on instructions contained within the Firewall's Ruleset. Firewalls represent one component of a strategy to combat malicious activities and assaults on computing resources and network-accessible information. Other components include, but are not limited to, antivirus software, intrusion detection software, patch management, strong passwords/passphrases, and spyware detection utilities.

Firewalls are typically categorized as either “Network” or “Host”: a Network Firewall is most often an appliance attached to a network for the purpose of controlling access to single or multiple hosts, or subnets; a Host Firewall is most often an application that addresses an individual host (e.g., personal computer) separately. Both types of firewalls (Network and Host) can be and often are used jointly.

This policy statement is designed to:

  • Provide guidance on when firewalls are required or recommended. A Network Firewall is required in all instances where Sensitive Data is stored or processed; a Host Firewall is required in all instances where Sensitive Data is stored or processed and the operating environment supports the implementation. Both the Network and Host Firewalls afford protection to the same operating environment, and the redundancy of controls (two separate and distinct firewalls) provides additional security in the event of a compromise or failure.
  • Raise awareness on the importance of a properly configured (installed and maintained) firewall.

Audience:

This policy is applicable to any and all schools, departments, and business units that cause Electronic Equipment to be connected to the University network.

Definition:

Term Definition
Electronic Equipment: All University-owned or issued and any personally-owned computer or related equipment (e.g., servers, workstations, laptops, PDAs, printers, fax and other such devices) that attaches to the University network, or is used to capture, process or store University data, or is used in the conduct of University business.
Enterprise System: Applicable to any infrastructure as a means of describing its importance to the University's mission and how it should be administered, protected and funded. From a functional viewpoint, an Enterprise System will be either (a) the only delivery platform for an essential service, or (b) a platform for a service to a very broad constituency spanning organizational boundaries. An Enterprise System is most frequently administered and protected by an institutional unit with expertise in both the technology and the business functions delivered.
Firewall: Any hardware and/or software designed to examine network traffic using policy statements (ruleset) to block unauthorized access while permitting authorized communications to or from a network or electronic equipment.
Firewall Administrator: The University function charged with the responsibility of Firewall Configuration and/or Ruleset administration. Administrative duties typically include implementation and documentation of approved changes, analysis of activity logs, and execution and documentation of reviews of system settings and/or rulesets.
Firewall Configuration: The system settings affecting the operation of a firewall appliance.
Firewall Ruleset: A set of policy statements or instructions used by a firewall to filter network traffic.
Host: Any computer connected to a network.
Host Firewall: A firewall application that addresses a separate and distinct host. Examples include, but are not limited to: Symantec’s Norton Personal Firewall, Zone Labs’ ZoneAlarm, native firewall functionality supplied under operating systems, e.g., Mac OS X, Linux, Windows XP SP2 (and higher).
Internal Information: Information that is intended for use by and made available to members of the University community who have a business need to know. This information is not restricted by local, state, national, or international statute regarding disclosure or use. Internal information is not intended for public dissemination but may be released to external parties to the extent there is a legitimate business need. The University reserves the right to control the content and format of Internal information when it is published to external parties. Examples include employment data, financial expenditure detail, Course Teacher Evaluations, and Directory Information (not subject to a FERPA hold).
Legally/Contractually Restricted Information: Information that is required to be protected by applicable law or statute (e.g., HIPAA, FERPA, or the Illinois Personal Information Protection Act), or which, if disclosed to the public could expose the University to legal or financial obligations. Examples include, but are not limited to, occurrences of personally-identifiable information, e.g., social security numbers (SSNs), personnel records, student records, medical records, names in connection with SSNs, and credit card numbers. Specific University policies may apply to particular data in this classification, e.g., Secure Handling of Social Security Numbers, Security of Electronic Protected Health Information, etc.
Network Device: Any physical equipment attached to the University network designed to view, cause or facilitate the flow of traffic within a network. Examples include, but are not limited to: routers, switches, hubs, wireless access points.
Network Extension:

Any physical equipment attached to the University network designed to increase the port capacity (number of available ports) at the point of attachment. Examples include, but are not limited to: routers (wired and wireless), switches, hubs, gateways.

Network Firewall: A firewall appliance attached to a network for the purpose of controlling traffic flows to and from single or multiple hosts or subnet(s).
Public Information: Information that is available to all members of the University community, and may be released to the general public. The University reserves the right to control the content and format of Public Information. This information is not restricted by local, state, national, or international statute regarding disclosure or use. Examples include the University's auditable financials, schedule of classes, and approved census facts.
Sensitive Data:

See “Legally/Contractually Restricted Information” above.

University Network:

The network infrastructure and associated devices provided or served by the University.

Policy Statement:

Where Electronic Equipment is used to capture, process or store data identified as University “Legally/Contractually Restricted” and the Electronic Equipment is accessible via a direct or indirect Internet connection, a Network Firewall appropriately installed, configured and maintained is required.

All installations and implementations of and modifications to a Network Firewall and its Configuration and Ruleset are the responsibility of the authorized Northwestern University Information Technology (NUIT) Firewall Administrator, with this exception: maintenance of a Network Firewall Ruleset may be performed by other than NUIT personnel where permitted by a documented agreement between NUIT and the School/Department/Business Unit assuming the Firewall Administrator’s responsibilities.

Where Electronic Equipment is used to capture, process or store data identified as University “Legally/Contractually Restricted” and the Electronic Equipment is accessible via an Internet connection, a Host Firewall appropriately installed, configured and maintained is required where the operating environment supports that installation. The maintenance of the Host Firewall’s Configuration and Ruleset is the responsibility of that system’s administrator.

Where Electronic Equipment is used to capture, process or store data identified as University “Internal” or “Public” and the Electronic Equipment is accessible via an Internet connection, a Host and/or Network Firewall is recommended.

Use of a Host Firewall is recommended for any individual Host with access to the Internet; its maintenance is the responsibility of the individual user or designated support personnel.

Procedures:

  1. All Network Firewalls installed and implemented must conform to the current standards as determined by NUIT. Unauthorized or non-standard equipment is subject to immediate removal, confiscation, and/or termination of network connectivity without notice.
  2. A properly executed Risk Acceptance Agreement is required before a School/Department/Business Unit is permitted to assume the management of a Network Firewall Ruleset. The agreement requires the signature of the individual who will perform Ruleset maintenance (Ruleset administrator) and that of the unit manager, and indicates their acceptance of the risk associated with the activity of Ruleset management.
  3. Network Firewall Rulesets

a. The Request for Firewall Ruleset Modification Form is used to:

1. Request and document all changes to Network Firewall Rulesets where Firewall Administration is performed by NUIT. All requests are subject to the approval of NUIT and review by ISS/C or its designate.
2. Document (only) all changes to Network Firewall Rulesets where Firewall Administration is performed by other than NUIT. Though approval is not required, all requests are subject to review by NUIT.

b. All related documentation is to be retained by the Firewall Administrator for three (3) years and is subject to review by NUIT and Audit and Advisory Services.

  1. All Firewall implementations must adopt the position of "least privilege" and deny all inbound traffic by default (the initial Ruleset should be set to “logging or learning mode” to prevent service interruptions). The Ruleset should be opened incrementally to only allow permissible traffic.
  2. Firewalls must be installed within production environments where “Legally/Contractually Restricted Information” is captured, processed or stored, to help achieve functional separation between web-servers, application servers and database servers.
  3. Firewall Rulesets and Configurations require periodic review to ensure they afford the required levels of protection:
    a. NUIT must review all Network Firewall Rulesets and Configurations during the initial implementation process.
    b. Firewalls protecting Enterprise Systems must be reviewed semi-annually; NUIT Firewall Administrators and ISS/C must collaborate on this review.
    c. Firewalls not protecting Enterprise Systems must be reviewed annually by the responsible Firewall Administrator.
    d. Firewall Administrators must retain the results of Firewall reviews and supporting documentation for a period of three (3) years; all results and documentation are subject to review by NUIT and Audit and Advisory Services.
  4. Firewall Rulesets and Configurations must be backed up frequently to alternate storage (not on the same device). Multiple generations must be captured and retained in order to preserve the integrity of the data, should restoration be required. Access to rulesets and configurations and backup media must be restricted to those responsible for administration and review.
  5. Any University entity operating under an e-merchant license is required to have properly configured Firewalls in place to protect credit card data and comply with Payment Card Industry/Data Security Standards (PCI/DSS). NUIT will not operate any Firewalls installed for the purpose of PCI/DSS compliance. University organizations requiring PCI/DSS compliance should contract with a PCI-compliant vendor to operate network equipment that falls within PCI/DSS scope and requirements. NUIT will provide technical guidance and coordinate the deployment of required equipment. PCI/DSS Firewalls should include the use of Network Address Translation (NAT) where required to help ensure compliance with PCI/DSS. Any questions about the suitability and use of NAT should be directed to ISS/C. See the “Related Information” section for references to PCI/DSS.
  6. Network Firewall administration logs (showing administrative activities) and event logs (showing traffic activity) are to be written to alternate storage (not on the same device) and reviewed at least daily, with logs retained for ninety (90) days. It is recommended that utilities or programs that facilitate the review process be employed. Appropriate access to logs and copies is permitted to those responsible for Firewall and/or system maintenance, support and review.
  7. NUIT Firewall Administrators will execute approved changes to the Firewall Rulesets maintained by NUIT during the scheduled maintenance window.
  8. NUIT Firewall Administrators will perform changes to Firewall Configurations according to approved production maintenance schedules.

Forms and Instructions:

ISS/C will coordinate requests for exceptions to this policy and contact the respective policy owner, data steward and other authorities as deemed appropriate for consideration and discussion of the exception request.

Individuals who discover or strongly suspect a violation of this policy or standards must promptly notify their management and/or any of the following:

Satisfies ISO 27002 10.4.1, 10.6.1

Last Review Date:

December 2013

Original Issue Date:

February 2010

Revision Dates:

November 2011
June 2010

Additional Information:
Support Contact:
NUIT Information and Systems Security/Compliance
(847) 467-1512
security@northwestern.edu

NUIT Service Center
611 or 847-467-6662
repair@northwestern.edu