Loyola University Chicago


Information Technology Services

Network Firewall Standard

Scope

These standards cover the configuration of Loyola University’s network firewalls.

Purpose

To establish a uniform set of standards for implementing and maintaining network firewall policies, including, but not limited to, defining network security zones within the University’s network and the type and nature of traffic that will be allowed or denied access to those zones, and to maintain the stability of the network and increase the security of identified resources.

Standard

Ownership and Responsibility: All equipment and applications within this scope will be administered by Network Services.

Network Security Zones: A set of clearly defined network zones, each with its own level of security requirements, built to provide the appropriate level of secure network access to the University community.

Firewall Ruleset: Each network security zone shall have a different set of access restrictions applied to it, ranging from least restrictive to most restrictive. The ruleset for each network security zone is located in the ITS Network Firewall Supporting Documentation.

All ports opened within the High Security DMZ, High Security Internal, or Management Network zones must have accompanying justification, which is documented within the ITS Network Firewall Supporting Documentation.

Administrative Access: Access to Loyola network firewalls is allowed only to certain network and information security personnel as outlined in the ITS Roles and Responsibilities Matrix. All administrative access to Loyola network firewalls will be governed by the following rules:

“UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action in accordance with the appropriate handbook, and may be reported to law enforcement. There is no right to privacy on this device.”

Logging: All network firewalls will be configured to use the syslog protocol for system log transport, and will follow the audit and logging strategy defined in the ITS Log Management Standard.

Addressing: No private address, as defined in RFC 1918, shall ever be routed to the Internet. Port Address Translation (PAT) or Network Address Translation (NAT) will be used to shield all internal addresses from being revealed externally.
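The two requirements above that can be checked mechanically (no RFC 1918 address routed to the Internet without NAT/PAT, and every port opened into the High Security DMZ, High Security Internal or Management Network zones carrying a documented justification) lend themselves to a lint pass over the ruleset during the semi-annual review. The following is an added example, not code from this standard or from ITS; the Rule layout, the zone names, the assumption that the untrusted side is a zone called "Internet", and the sample rules are all constructed for illustration and do not represent Loyola's ruleset or any vendor's export format.

```python
"""Lint a firewall ruleset against two requirements of the Network Firewall Standard.

Constructed example: the Rule fields, zone names and SAMPLE_RULES are assumptions
made for illustration, not a real configuration or a vendor export format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zones the standard names as requiring justification for every open port.
HIGH_SECURITY_ZONES = {"High Security DMZ", "High Security Internal", "Management Network"}
INTERNET_ZONE = "Internet"  # assumed name for the untrusted zone

# RFC 1918 private address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    rule_id: str
    src_zone: str
    dst_zone: str
    src: str                              # CIDR or "any"
    dst: str                              # CIDR or "any"
    port: str                             # e.g. "tcp/443" or "any"
    action: str                           # "permit" or "deny"
    nat: bool = False                     # True when paired with a NAT/PAT translation
    justification: Optional[str] = None  # reference into the Supporting Documentation


def touches_rfc1918(cidr: str, any_counts: bool) -> bool:
    """True if the address object overlaps RFC 1918 space.

    'any' overlaps private space by definition; any_counts decides whether a
    caller wants that treated as a match (sensible for sources, noisy for
    destinations, since ordinary egress rules use destination 'any').
    """
    if cidr == "any":
        return any_counts
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(p) for p in RFC1918)


def lint_ruleset(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule_id, problem) pairs for permit rules that violate the standard."""
    findings: List[Tuple[str, str]] = []
    for r in rules:
        if r.action != "permit":
            continue  # a deny opens no port and routes nothing
        if r.dst_zone == INTERNET_ZONE:
            # Addressing: private destinations must never be routed toward the Internet.
            if touches_rfc1918(r.dst, any_counts=False):
                findings.append((r.rule_id, "RFC 1918 destination would be routed to the Internet"))
            # Addressing: private sources must be translated before leaving.
            if not r.nat and touches_rfc1918(r.src, any_counts=True):
                findings.append((r.rule_id, "RFC 1918 source reaches the Internet without NAT/PAT"))
        # Firewall Ruleset: every port opened into a high-security zone needs justification.
        if r.dst_zone in HIGH_SECURITY_ZONES and not r.justification:
            findings.append((r.rule_id, f"port {r.port} opened into {r.dst_zone} without documented justification"))
    return findings


# Constructed sample ruleset for the checks above (not a real configuration).
SAMPLE_RULES = [
    Rule("R1", "Internal", "Internet", "10.0.0.0/8", "any", "tcp/443", "permit", nat=True),
    Rule("R2", "Internal", "Internet", "10.0.0.0/8", "any", "tcp/80", "permit", nat=False),
    Rule("R3", "DMZ", "Internet", "any", "192.168.50.0/24", "any", "permit", nat=True),
    Rule("R4", "Internal", "High Security Internal", "10.20.0.0/16", "10.99.1.10/32", "tcp/1433",
         "permit", justification="Supporting Documentation entry (constructed placeholder)"),
    Rule("R5", "Internal", "Management Network", "10.20.0.0/16", "10.255.0.0/24", "tcp/22", "permit"),
    Rule("R6", "Internet", "High Security DMZ", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for rule_id, problem in lint_ruleset(SAMPLE_RULES):
        print(f"{rule_id}: {problem}")
```

Run against the constructed sample, the lint reports R2 (private source leaving without NAT), R3 (private destination toward the Internet) and R5 (SSH opened into the Management Network with no justification); R1, R4 and R6 pass. The output of such a pass, kept with the rule set it was run against, is the kind of evidence the review section below asks ITS to maintain on file.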

Policy Adherence

Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Exceptions

Exceptions to this policy will be handled in accordance with the ITS Security Policy.

Review

This policy will be maintained in accordance with the ITS Security Policy.

To satisfy PCI DSS requirement 1.1.6, ITS Network Services and Information Security will review all firewall and router rule sets every six months and maintain evidence of each review on file.

Emergencies

In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Handbook. These actions may include rendering systems inaccessible.

References

NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy.
RFC 1918, Address Allocation for Private Internets.

History and Updates

September 4, 2008: Initial Policy
October 29, 2012: Annual Review for PCI Compliance, added ruleset review information.
July 17, 2013: Annual Review for PCI Compliance
Author: UISO
Version: 1.3