Network Firewall Standard
These standards cover the configuration of Loyola University’s network firewalls.
The purpose of these standards is to establish a uniform set of requirements for implementing and maintaining established network firewall policies, including, but not limited to, defining network security zones within the University’s network and the type and nature of traffic which will be allowed or denied access to those zones, and to maintain the stability of the network and increase the security of identified resources.
Ownership and Responsibility: All equipment and applications within this scope will be administered by Network Services.
Network Security Zones: A set of clearly defined network zones, each with a different level of security requirements, built to provide appropriate levels of secure network access to the University community.
- Loyola DMZ - A semi-restrictive network, or group of networks, whose purpose is to publish content for public and/or Internet consumption. This zone contains a mix of ITS and Academic resources.
- Loyola Campus - A semi-restrictive network, or group of networks, which contain the majority of Loyola’s network traffic whose purpose is to provide internal and external connectivity to network and system resources as well as the Internet.
- Management Network - A restricted network that contains ITS network devices, such as network firewalls, routers, switches and managing servers, used in providing and controlling access to Loyola’s network.
- High Security DMZ - A restricted access network, or group of networks, whose purpose is to publish high security content for public and/or Internet consumption. This zone will contain ITS resources that serve as an interface for the protected, mission critical systems. Only traffic that has previously been justified will be allowed to enter and leave this security zone.
- High Security Internal - A highly restricted network, or group of networks, whose purpose is to protect Loyola mission critical resources. This security zone will store, transmit or process Loyola Protected and Sensitive data (see Data Classification Policy). Only traffic that has previously been justified will be allowed to enter and leave this security zone.
Firewall Ruleset: Each network security zone shall have a different set of access restrictions applied to it, ranging from least restrictive to most restrictive. The ruleset for each network security zone is located in the ITS Network Firewall Supporting Documentation document.
All ports opened within any of the High Security DMZ, High Security Internal and Management Network zones must have accompanying justification, which is documented within the ITS Network Firewall Supporting Documentation.
Administrative Access: Access to Loyola network firewalls is allowed only to certain network and information security personnel as outlined in the ITS Roles and Responsibilities Matrix. All administrative access to Loyola network firewalls will be governed by the following rules:
- All administrative users must authenticate via RADIUS. A backup administrator account shall be used only for console access.
- All administrative access shall be encrypted, at a minimum, via the following methods: SSHv2, AES 128 bit or 3DES 128 bit.
- All administrative access shall be restricted to networks and hosts as identified in the ITS Network Firewall Supporting Documentation document.
- Each network firewall will present the following login banner when a user logs in to the device:
“UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action in accordance with the appropriate handbook, and may be reported to law enforcement. There is no right to privacy on this device.”
Logging: All network firewalls will be configured to use the syslog protocol for system log transport, and abide by the audit and logging strategy based on the ITS Log Management Standard.
Addressing: No private address, as defined in RFC 1918, shall ever be routed to the Internet. Port Address Translation (PAT) or Network Address Translation (NAT) will be used to shield all internal addresses from being revealed externally.
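The two checks a reviewer would apply to a ruleset under this standard, the per-port justification required in the restricted zones and the RFC 1918 egress restriction above, can be automated. The following is an added example, not part of the standard or of ITS Network Services' tooling; the `Rule` layout, the `nat` flag and the sample rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Zones the standard names as requiring a justification for every opened port.
JUSTIFICATION_REQUIRED = {"High Security DMZ", "High Security Internal", "Management Network"}
INTERNET = "Internet"  # assumed placeholder for "any address outside the University network"
RFC1918 = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    zone: str                      # security zone the rule is applied to
    src: str                       # source CIDR, or INTERNET
    dst: str                       # destination CIDR, or INTERNET
    port: int                      # destination TCP/UDP port
    action: str                    # "permit" or "deny"
    nat: bool = False              # assumed flag: source is translated (NAT/PAT) before egress
    justification: Optional[str] = None


def is_rfc1918(cidr: str) -> bool:
    """True only for the three RFC 1918 blocks (narrower than ipaddress's is_private)."""
    if cidr == INTERNET:
        return False
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)


def review(rules: List[Rule]) -> List[str]:
    """Return one finding per permit rule that violates the standard."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        if r.zone in JUSTIFICATION_REQUIRED and not (r.justification or "").strip():
            findings.append(f"rule {i}: port {r.port} opened in {r.zone} without justification")
        if r.dst == INTERNET and is_rfc1918(r.src) and not r.nat:
            findings.append(f"rule {i}: RFC 1918 source {r.src} would reach the Internet untranslated")
    return findings


# Constructed sample ruleset for illustration; not Loyola's actual rules.
SAMPLE = [
    Rule("Loyola DMZ", INTERNET, "192.0.2.0/24", 443, "permit", justification="public web"),
    Rule("High Security Internal", "10.20.0.0/24", "10.30.0.5/32", 1433, "permit"),
    Rule("Loyola Campus", "10.0.0.0/8", INTERNET, 80, "permit", nat=True),
    Rule("Loyola Campus", "172.16.5.0/24", INTERNET, 443, "permit"),
    Rule("Management Network", "10.99.0.0/24", "10.99.0.1/32", 22, "permit", justification="fw admin"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

On the sample the review reports two findings: the SQL port opened in High Security Internal with no justification, and the campus rule that lets an untranslated 172.16.5.0/24 source reach the Internet.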
Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
Exceptions to this policy will be handled in accordance with the ITS Security Policy.
This policy will be maintained in accordance with the ITS Security Policy.
To satisfy PCI-DSS requirement 1.1.6, ITS Network Services and Information Security will review all firewall and router rule sets every 6 months and maintain evidence of each review on file.
In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Handbook. These actions may include rendering systems inaccessible.
References: NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy; RFC 1918.
September 4, 2008: Initial Policy
October 29, 2012: Annual Review for PCI Compliance, added ruleset review information.