Information Security Standard Practices

Acceptable Use Agreement — Firewall Policy

1.0 Objectives and Scope

Firewalls are an essential component of Mt. SAC's information systems security infrastructure. Firewalls are defined as security systems that control and restrict both internet connectivity and internet services. Firewalls establish a perimeter where access controls are enforced. Connectivity defines which computer systems can exchange information. A service, sometimes called an application, refers to the way information flows through a firewall. Examples of services include FTP (file transfer protocol) and HTTP (web browsing). This policy defines the essential rules regarding the management and maintenance of firewalls at Mt. SAC, and it applies to all firewalls owned, rented, leased, or otherwise controlled by Mt. SAC employees, excluding personal firewalls, which are covered by the Computer Use Policy.

2.0 Playing the Role of Firewalls

In some instances, systems such as routers, wireless access points, or gateways may be functioning as though they are firewalls when in fact they are not formally known as firewalls. All Mt. SAC systems playing the role of firewalls, whether or not they are formally called firewalls, must be managed according to the rules defined in this policy. In some instances this will require that these systems be upgraded so they can support the minimum functionality defined in this policy.

3.0 Acceptable Configuration

Every network connectivity path not specifically permitted must be denied by firewalls. Permission to enable any paths will be granted by IT when a need is demonstrated and sufficient security measures will be consistently employed. All other paths should default to denial.

4.0 Regular Auditing

IT will audit firewalls on a regular basis. The audit process may include consideration of defined configuration parameters, enabled services, permitted connectivity, current administrative practices, and adequacy of the deployed security measures. These audits may also include the regular execution of vulnerability identification software.

4.5 Network Management Systems

Firewalls must be configured so that they are visible to internal network management systems. Firewalls must also be configured so that they permit the use of remote automatic auditing tools by authorized Mt. SAC staff members. Unless deliberately intended, such automatic auditing tools must not trigger a response sequence through firewall-connected intrusion detection systems.

5.0 Intrusion Detection

Mt. SAC's firewalls may include intrusion detection systems approved by IT. These intrusion detection systems must each be configured according to the specifications defined by IT. Among other potential problems, these intrusion detection systems must detect unauthorized modifications to firewall system files. Such intrusion detection systems should also immediately notify technical staff who are in a position to take corrective action.

6.0 Firewall Access Mechanisms

All Mt. SAC firewalls should have unique passwords or other access control mechanisms. The same password or access control code must not be used on more than one firewall. This will prevent an intruder from using the same mechanism to compromise multiple firewalls.

7.0 Firewall Access Privileges

Privileges to modify the functionality, connectivity, and services supported by firewalls must be restricted to authorized personnel only. These privileges must be granted only to individuals who are full-time permanent employees of Mt. SAC. All firewalls should have at least two staff members who are adequately trained to make changes as circumstances require.

8.0 Secured Subnets

Portions of Mt. SAC's internal network that contain sensitive or valuable information must employ a secured subnet. Access to secured subnets must be restricted with firewalls and other control measures. Based on periodic risk assessments, IT will define the secured subnets required.

9.0 Demilitarized Zones (DMZ)

All public servers must be protected by the DMZ. DMZs are subnets which are protected by a firewall from the internet. Users of the systems in the DMZ are prevented from gaining access to other network-connected Mt. SAC computers outside the DMZ.

10.0 Network Management Systems

Firewalls must be configured so that they are visible to internal network management systems. Firewalls must also be configured so that they permit the use of remote automatic auditing tools by authorized Mt. SAC staff members. Unless deliberately intended as a test, such automatic auditing tools must not trigger a response sequence through firewall-connected intrusion detection systems.

11.0 Secure Backup

Current backup copies of firewall configuration files, connectivity permission files, systems administration documentation, and related files should be stored in a secure accessible location at all times.

12.0 Virus Screening

Where possible, virus screening software should be installed and enabled on all Mt. SAC firewalls.

13.0 Firewall Dedicated Functionality

Firewalls should run on dedicated machines which perform no other services. To reduce the chances of security compromise, firewalls must have only the bare minimum of operating system software resident and enabled on them.

14.0 Applying Updates

Because hackers and other intruders use the latest attack techniques, Mt. SAC's firewalls must be running the latest software to repel these attacks. Where available from the vendor, all Mt. SAC firewalls must subscribe to software maintenance and software update services.

15.0 Monitoring Vulnerabilities

Mt. SAC staff members responsible for managing firewalls must subscribe to the relevant sources providing current information about firewall vulnerabilities. Any vulnerability which appears to affect Mt. SAC networks and systems must be promptly brought to the attention of IT.

16.0 Firewall Physical Security

All Mt. SAC firewalls should be located in locked rooms accessible only to those who must have physical access to such firewalls to perform the tasks assigned by management.

17.0 Disclosure of Internal Network Information

The internal system addresses, configurations, and related system design information for Mt. SAC's networked computer systems must be restricted such that both systems and users outside Mt. SAC's internal network cannot access this information. One example of this involves split DNS (Domain Name Service).