Loyola University Chicago

Information Technology Services

Network Firewall Standard

Scope:

These standards cover the configuration of Loyola University’s network firewalls.

Purpose: 

To establish a uniform set of standards for implementing and maintaining established network firewall policies, including, but not limited to, defining network security zones within the University’s network and the type and nature of traffic that will be allowed or denied access to those zones; and to maintain the stability of the network and increase the security of identified resources.

Standard:

Ownership and Responsibility

All equipment and applications within this scope will be administered by Network Services. 

Network Security Zones

A set of clearly defined network zones, with different levels of security requirements, built to provide the proper secure levels of networking access to the University community.

A semi-restrictive network, or group of networks, whose purpose is to publish content for public and/or Internet consumption.  This zone contains a mix of ITS and Academic resources. 

A semi-restrictive network, or group of networks, which contain the majority of Loyola’s network traffic whose purpose is to provide internal and external connectivity to network and system resources as well as the Internet.

A restricted network that contains ITS network devices, such as network firewalls, routers, switches and managing servers, used in providing and controlling access to Loyola’s network. 

A restricted access network, or group of networks, whose purpose is to publish high security content for public and/or Internet consumption.  This zone will contain ITS resources that serve as an interface for the protected, mission critical systems.  Only traffic that has previously been justified will be allowed to enter and leave this security zone.    

A highly restricted network, or group of networks, whose purpose is to protect Loyola mission critical resources.  This security zone will store, transmit or process Loyola Protected and Sensitive data (see Data Classification Policy).  Only traffic that has previously been justified will be allowed to enter and leave this security zone.   

Firewall Ruleset

Each network security zone shall have a different set of access restrictions applied to it, ranging from least restrictive to most restrictive. The ruleset for each network security zone is located in the ITS Network Firewall Supporting Documentation document.

All ports opened within any of the High Security DMZ, High Security Internal, or Management Network zones must have accompanying justification, documented within the ITS Network Firewall Supporting Documentation.

Administrative Access

All administrative access to Loyola network firewalls will be governed by the following rules:

“UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action in accordance with the appropriate handbook, and may be reported to law enforcement. There is no right to privacy on this device." 

Logging

All network firewalls will be configured to use the syslog protocol for system log transport, and abide by the audit and logging strategy based on the ITS Log Management Standard.

Addressing

No private address, as defined in RFC 1918, shall ever be routed to the Internet. Port Address Translation (PAT) or Network Address Translation (NAT) will be used to shield all internal addresses from being revealed externally.

Exceptions:

Exceptions to this policy will be handled in accordance with the ITS Security Policy. 

Review:

This policy will be maintained in accordance with the ITS Security Policy.


Appendix

Documents Referenced:

ITS Log Management Standard

ITS Network Firewall Supporting Documentation

Data Classification Policy

References

NIST: Guidelines on Firewalls and Firewall Policy. Special Publication 800-41.

RFC 1918 

History

August 25, 2008: Initial Policy

October 29, 2012: Annual review for PCI Compliance, added ruleset review information.

July 17, 2013: Annual review for PCI Compliance

June 5, 2014: Annual review for PCI Compliance
