Firewall Standards

  1. All Firewall implementations should adopt the principle of “least privilege” and deny all inbound traffic by default. The Ruleset should be opened incrementally to allow only permissible traffic.
  2. Firewalls must be installed within production environments where “Confidential Information” is captured, processed or stored, to help achieve functional separation between web servers, application servers and database servers.
  3. Firewall Rulesets and Configurations require annual periodic review to ensure they afford the desired levels of protection.
  4. Firewall Rulesets and Configurations must be backed up frequently to alternate storage (not on the same device). Multiple generations must be captured and retained in order to preserve the integrity of the data, should restoration be required. Access to rulesets and configurations and backup media must be restricted to those responsible for administration and review. This is done by the ISO for all UITS managed firewall infrastructure.
  5. Any University entity operating under an e-merchant license is required to have properly configured Firewalls in place to protect credit card data and comply with Payment Card Industry/Data Security Standards (PCI/DSS). UITS will provide technical guidance and coordinate the deployment of required equipment.
  6. Network Firewall administration logs (showing administrative activities) and event logs (showing traffic activity) are to be written to alternate storage (not on the same device) and reviewed regularly. It is recommended that utilities or programs that facilitate the review process be employed. Appropriate access to logs and copies is permitted to those responsible for Firewall and/or system maintenance, support and review.
  7. UITS Firewall Administrators will execute approved changes to the Firewall Rulesets maintained by UITS as defined in the UITS change management procedures.
  8. UITS Firewall Administrators will perform changes to Firewall Configurations according to approved production maintenance schedules.
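The following is an added illustration, not part of the standard above and not UITS code, of what items 1 and 3 mean in practice: a small model of a first-match firewall ruleset in which any traffic not explicitly allowed falls through to a default deny, together with a review check that flags allow rules broader than least privilege warrants. The three-tier addresses and port numbers are constructed sample values.

```python
"""Default-deny firewall ruleset model with first-match evaluation and a
simple periodic-review check. Constructed example; it does not model any
particular firewall product or the UITS infrastructure."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR such as "10.0.0.0/8", or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port; None means any port
    comment: str = ""      # documented business need for the rule


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _cidr_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _cidr_match(rule.src, pkt.src)
            and _cidr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(ruleset: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; with no match the verdict is deny (item 1)."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def review(ruleset: List[Rule]) -> List[Tuple[int, str]]:
    """Flag allow rules that are broader than least privilege suggests, and
    rules with no recorded justification, as input to the periodic review (item 3)."""
    findings = []
    for i, r in enumerate(ruleset):
        if r.action != "allow":
            continue
        if r.src == "any" and r.dport is None:
            findings.append((i, "allows any source to any port"))
        elif r.proto == "any" and r.dport is None:
            findings.append((i, "allows all protocols and ports"))
        if not r.comment:
            findings.append((i, "no comment documenting business need"))
    return findings


# Constructed three-tier ruleset: Internet -> web tier -> app tier -> database tier.
# Each tier may only reach the next one, on one service port; nothing else is opened.
RULESET = [
    Rule("allow", "tcp", "any", "203.0.113.0/24", 443, "public HTTPS to web tier"),
    Rule("allow", "tcp", "203.0.113.0/24", "10.1.0.0/24", 8080, "web tier to app tier"),
    Rule("allow", "tcp", "10.1.0.0/24", "10.2.0.0/24", 5432, "app tier to PostgreSQL"),
    Rule("allow", "tcp", "10.9.0.0/24", "10.2.0.0/24", 22, "admin jump host SSH"),
    # everything else falls through to the implicit default deny
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.7", "203.0.113.10", 443),   # Internet to web: allowed
        Packet("tcp", "198.51.100.7", "10.2.0.5", 5432),      # Internet to DB: denied
        Packet("tcp", "203.0.113.10", "10.2.0.5", 5432),      # web straight to DB: denied
    ]
    for p in samples:
        print(p, "->", evaluate(RULESET, p))
    print("review findings:", review(RULESET))
```

The review function is deliberately simple; in a real review it would be run against the exported ruleset and its output compared with the change records from item 7, so that every allow rule can be traced to an approved change.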