Network Firewall Policy
Policy Statement
This policy defines the essential rules for the management, maintenance, and operation of network security controls and firewalls at Loyola University Chicago. It applies to all network security controls procured, operated, or contracted by the university. This policy also covers all IoT devices.
Definitions
Not applicable.
Policy
Network Connections
All external and wireless connections to university networks must pass through a network firewall. In addition, all network connections entering a high security network must pass through an additional network firewall. Any change to an external connection or to the configuration of the firewall must be adequately tested and documented according to the ITS Network Firewall Standard.
Dedicated Functionality
Network firewalls used to protect University networks must run on single-purpose devices.
- These devices may not serve other purposes, such as acting as web servers.
- Each network firewall must have a rule set specific to its purpose and location on the network, in accordance with the ITS Network Firewall Standard.
Network Firewall Change Control
Network firewall configuration rules and permissible-services rules must not be changed until the permission of the Chief Information Security Officer and the Network Manager has been obtained. Every change to the rules or permissible services of any network firewall must be documented through the ITS Change Management Policy, and the justification for the change, together with the actual updated configuration or service rule, must be recorded in the ITS Network Firewall Supporting Documentation. Changes to the Intrusion Prevention functions of the Internet-facing firewalls (see Allowable Changes) are an exception and do not require a change management request.
Allowable Changes (External Facing Firewalls Only)
The following changes do not require a change management request:
- Security Profiles (Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, WildFire Analysis, Data Filtering, and DoS Protection)
- Zone Protection
- Log Forwarding
- VPN
Regular Reviews and Auditing (PCI DSS 4.0 Requirement 1.2.7)
- Firewall and network security control configurations must undergo a formal review at least every six (6) months.
- Each review must include verification that:
  - Every firewall rule has a documented business justification.
  - Rules follow the principle of least privilege, limiting access to only what is required for business operations.
  - Any outdated, unnecessary, or insecure rules are removed or remediated.
- All review activities and outcomes must be documented in the ITS Network Firewall Supporting Documentation and retained for audit purposes.
- Reviews will be conducted by Information Security and Compliance in collaboration with Network Services.
- Vulnerability assessments must be executed in accordance with the ITS Vulnerability Assessment Policy to validate the effectiveness of firewall configurations.
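As an added illustration of what the six-month review checks look like in practice (this is example code written for this page, not an ITS tool, and the rule schema, thresholds, and sample rule set are constructed assumptions rather than any real Loyola configuration), the script below walks a rule set and flags rules with no documented business justification or change ticket, allow rules that are overly permissive or that permit legacy cleartext services, rules whose last review is older than six months, and rules that have matched no traffic recently and are therefore candidates for removal.

```python
"""Firewall rule-set review helper (added example, not ITS tooling).

Models the checks in the six-month review: documented justification,
least privilege, and removal of outdated or insecure rules. The Rule
schema, thresholds, and SAMPLE_RULES are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REVIEW_INTERVAL = timedelta(days=182)            # "at least every six months"
STALE_HITS = timedelta(days=90)                  # assumption: no hits in 90 days => review for removal
INSECURE_SERVICES = {"telnet", "ftp", "smbv1"}   # assumption: cleartext/legacy services
AS_OF = date(2025, 9, 15)                        # fixed "today" so results are reproducible


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    src: str                           # zone or CIDR; "any" means unrestricted
    dst: str
    service: str                       # application/port name; "any" means unrestricted
    justification: str = ""            # documented business justification
    ticket: str = ""                   # change-management reference
    last_reviewed: Optional[date] = None
    last_hit: Optional[date] = None    # last time the rule matched traffic


@dataclass
class Finding:
    rule: str
    severity: str
    reason: str


def audit_rules(rules: List[Rule], today: date = AS_OF) -> List[Finding]:
    """Return one Finding per problem found; an empty list means the rule set is clean."""
    findings: List[Finding] = []
    for r in rules:
        if not r.justification.strip():
            findings.append(Finding(r.name, "high", "no documented business justification"))
        if not r.ticket:
            findings.append(Finding(r.name, "medium", "no change-management reference"))
        if r.action == "allow":
            # Least privilege: an allow rule with two or more "any" fields is too broad.
            broad = [f for f, v in (("src", r.src), ("dst", r.dst), ("service", r.service)) if v == "any"]
            if len(broad) >= 2:
                findings.append(Finding(r.name, "high", f"overly permissive: {', '.join(broad)} = any"))
            if r.service.lower() in INSECURE_SERVICES:
                findings.append(Finding(r.name, "high", f"insecure service {r.service}"))
        if r.last_reviewed is None or today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append(Finding(r.name, "medium", "review overdue (>6 months)"))
        if r.last_hit is None or today - r.last_hit > STALE_HITS:
            findings.append(Finding(r.name, "low", "no traffic matched in 90 days; candidate for removal"))
    return findings


def report(findings: List[Finding]) -> str:
    """Render findings highest severity first, as one line each."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return "\n".join(f"[{f.severity:6}] {f.rule}: {f.reason}"
                     for f in sorted(findings, key=lambda f: (rank[f.severity], f.rule)))


# Constructed sample rule set (not a real configuration).
SAMPLE_RULES = [
    Rule("allow-web-from-campus", "allow", "campus", "dmz-web", "https",
         "Student portal access", "CHG-1234", AS_OF - timedelta(days=30), AS_OF - timedelta(days=1)),
    Rule("legacy-any", "allow", "any", "any", "any",
         "", "", None, AS_OF - timedelta(days=200)),
    Rule("vendor-telnet", "allow", "vendor-vpn", "hvac", "telnet",
         "Vendor maintenance", "CHG-0099", AS_OF - timedelta(days=250), AS_OF - timedelta(days=3)),
    Rule("deny-all", "deny", "any", "any", "any",
         "Default deny at end of policy", "CHG-0001", AS_OF - timedelta(days=10), AS_OF),
]

if __name__ == "__main__":
    print(report(audit_rules(SAMPLE_RULES)))
```

The thresholds and the "two or more any fields" heuristic are starting points, not a standard; a real review would also pull the hit counters and the justification text from the firewall's own export and the ITS Network Firewall Supporting Documentation rather than from an inline list.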
Network Firewall Physical Security
All University network security controls and firewalls must be physically located in ITS data centers and accessible only to those whose roles and responsibilities permit them to access network firewalls, as defined in the ITS Access Control Policy.
These secure spaces must also have adequate physical security measures installed. All physical access to the secured spaces will be automatically logged. All visitor access to the secured space must abide by the ITS Access Control Policy.
Related Documents and Forms
Not applicable.
Roles and Responsibilities
| Role | Responsibility |
| --- | --- |
| Jim Pardonek, Director and Chief Information Security Officer | Enforcing the Network Firewall Policy at the University by setting the necessary requirements |
Related Policies
Please see below for additional related policies:
- Security Policy
- ITS Access Control Policy
- ITS Network Firewall Standard
- Incident Response Plan
- ITS Security Policy
Approval Authority: ITESC
Approval Date: August 11, 2017
Review Authority: Jim Pardonek
Review Date: September 15, 2025
Responsible Office: ISC
Contact: datasecurity@luc.edu