Policy 8-2-5: Firewall Policy
| Policy: | Policy 8-2-5: Firewall Policy | Date Adopted: | Mar 15, 2011 |
|---|---|---|---|
| Department: | Computing Services | Contact: | Director |
| Statement: | WNC operates perimeter firewalls between the Internet and its private internal network in order to create a secure operating environment for WNC's computer and network resources. A firewall is just one element of a layered approach to network security. The purpose of this Firewall Policy is to describe how WNC's firewalls will filter Internet traffic in order to mitigate risks and losses associated with security threats, while maintaining appropriate levels of access for business users. The Firewall Policy is subordinate to WNC's general Security Policy, as well as any governing laws or regulations. | | |
Purpose
WNC operates perimeter firewalls between the Internet and its private internal network in order to create a secure operating environment for WNC's computer and network resources. A firewall is just one element of a layered approach to network security. The purpose of this Firewall Policy is to describe how WNC's firewalls will filter Internet traffic in order to mitigate risks and losses associated with security threats, while maintaining appropriate levels of access for business users.
The Firewall Policy is subordinate to WNC's general Security Policy, as well as any governing laws or regulations.
Definition
Firewall: Computer hardware or software that prevents unauthorized access to private data (as on a local area network) by outside computer users (as of the Internet).
Scope
This Firewall Policy refers specifically to the WNC firewalls.
The role of the firewalls is to help WNC keep unauthorized visitors from accessing valuable college resources, specifically to:
- Stop attacks before they penetrate the network perimeter
- Protect resources and data, as well as voice, video, and multimedia traffic
- Control network and application activity
- Reduce deployment and operational costs
WNC's firewalls will, at a minimum, perform the following security services:
- Access control between the trusted internal network and untrusted external networks
- Block unwanted traffic as determined by the firewall rule set
- Hide vulnerable internal systems from the Internet
- Hide information such as system names, network topologies, and internal user IDs from the Internet
- Log traffic to and from the internal network
- Provide virtual private network (VPN) connectivity
All employees of WNC are subject to this policy.
Responsibilities
Computing Services is responsible for implementing and maintaining WNC firewalls, as well as for enforcing and updating this policy. Logon access to firewalls will be restricted to a primary firewall administrator. Password construction for firewalls will be consistent with the strong password creation practices outlined in WNC's Password Policy.
Any questions or concerns regarding WNC firewalls should be directed to the Network Engineer.
Policy
The approach adopted to define firewall rule sets is that all services will be denied by the firewall unless expressly permitted in this policy. WNC firewalls permit the following outbound and inbound Internet traffic.
- Outbound: All Internet traffic to hosts and services outside of WNC
- Inbound: Only Internet traffic from outside WNC that supports the college mission of WNC as defined by NSHE policy
Operational Procedures
WNC Directors may request changes to firewall configurations in order to allow previously disallowed traffic. A firewall change request must be submitted through a work order, with full justification, to the Computing Services department for approval. If an outside vendor working for WNC needs firewall changes, the same procedure applies: the Director of the requesting area will submit a work order requesting the firewall changes. All requests will be assessed by the Computing Services Director to determine if they fall within the parameters of acceptable risk. If approval is given, the Network Engineer will make the changes and note those changes in the Firewall Change Order spreadsheet. In an emergency threatening the network, the Network Engineer may make a temporary change without the Computing Services Director's approval. In that case, approval would be sought as soon as the Computing Services Director is available, and all changes would be recorded on the Firewall Change Order spreadsheet. Approval is not guaranteed, as the associated risks may be deemed too high. If this is the case, an explanation will be provided to the original requestor and alternative solutions will be explored.
Turnaround time for the above stated firewall reconfiguration and network access requests is approximately five (5) days from the receipt of the work order.
Firewall logs will be archived for 10 days. Firewall logs will be reviewed weekly.
Enforcement
Wherever possible, technological tools will be used to enforce this policy and mitigate security risks. Any employee who is found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
| Date(s) Revised | November 1, 2016 | Date(s) Reviewed | |
|---|---|---|---|