Firewalls are an essential component of Mt. SAC's information systems security infrastructure. Firewalls are defined as security systems that control and restrict both internet connectivity and internet services. Firewalls establish a perimeter where access controls are enforced. Connectivity defines which computer systems can exchange information. A service, sometimes called an application, is a way for information to flow through a firewall. Examples of services include FTP (file transfer protocol) and HTTP (web browsing). This policy defines the essential rules regarding the management and maintenance of firewalls at Mt. SAC, and it applies to all firewalls owned, rented, leased, or otherwise controlled by Mt. SAC employees, excluding personal firewalls, which are covered by the Computer Use Policy.
In some instances, systems such as routers, wireless access points, or gateways may be functioning as though they are firewalls when in fact they are not formally known as firewalls. All Mt. SAC systems playing the role of firewalls, whether or not they are formally called firewalls, must be managed according to the rules defined in this policy. In some instances this will require that these systems be upgraded so they can support the minimum functionality defined in this policy.
Every network connectivity path not specifically permitted must be denied by firewalls. Permission to enable any paths will be granted by IT when a need is demonstrated and sufficient security measures will be consistently employed. All other paths should default to denial.
IT will audit firewalls on a regular basis. The audit process may include consideration of defined configuration parameters, enabled services, permitted connectivity, current administrative practices, and adequacy of the deployed security measures. These audits may also include the regular execution of vulnerability identification software.
Firewalls must be configured so that they are visible to internal network management systems. Firewalls must also be configured so that they permit the use of remote automatic auditing tools by authorized Mt. SAC staff members. Unless deliberately intended as a test, such automatic auditing tools must not trigger a response sequence through firewall-connected intrusion detection systems.
Mt. SAC's firewalls may include intrusion detection systems approved by IT. These intrusion detection systems must each be configured according to the specifications defined by IT. Among other potential problems, these intrusion detection systems must detect unauthorized modifications to firewall system files. Such intrusion detection systems should also immediately notify technical staff who are in a position to take corrective action.
All Mt. SAC firewalls should have unique passwords or other access control mechanisms. The same password or access control code must not be used on more than one firewall. This will prevent an intruder from using the same mechanism to compromise multiple firewalls.
Privileges to modify the functionality, connectivity, and services supported by firewalls must be restricted to authorized personnel only. These privileges must be granted only to individuals who are full-time permanent employees of Mt. SAC. All firewalls should have at least two staff members who are adequately trained to make changes as circumstances require.
Portions of Mt. SAC's internal network that contain sensitive or valuable information must employ a secured subnet. Access to secured subnets must be restricted with firewalls and other control measures. Based on periodic risk assessments, IT will define the secured subnets required.
All public servers must be protected by a DMZ. DMZs are subnets which are protected by a firewall from the internet. Users of the systems in the DMZ are prevented from gaining access to other network-connected Mt. SAC computers outside the DMZ.
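The two rules above (every path not specifically permitted is denied, and DMZ hosts cannot reach Mt. SAC computers outside the DMZ) can be expressed as a small first-match rule set. The following is an added example, not Mt. SAC's firewall configuration: it classifies source and destination addresses into zones, evaluates constructed sample connection attempts against a rule list that ends in an implicit default deny, and includes an audit check of the kind an IT review might run to confirm that no allow rule breaks DMZ isolation. The zone ranges, addresses and rule comments are constructed samples.

```python
"""Default-deny firewall policy evaluator with a DMZ segment.

Added example, not Mt. SAC's firewall configuration: it models the rule
that every connectivity path not specifically permitted is denied, and
the rule that hosts in the DMZ cannot reach other Mt. SAC computers
outside the DMZ. Zones, addresses and rules are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample zones (hypothetical addressing). Anything that falls
# in neither range is treated as the internet.
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}


def zone_of(addr: str) -> str:
    """Classify an address as internal, dmz, or internet."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # zone name or "any"
    dst_zone: str            # zone name or "any"
    proto: str               # "tcp", "udp" or "any"
    port: Optional[int]      # destination port, None for any
    action: str              # "allow" or "deny"
    comment: str             # the demonstrated need that justifies the path

    def matches(self, src_zone: str, dst_zone: str, proto: str, port: int) -> bool:
        return (self.src_zone in (src_zone, "any")
                and self.dst_zone in (dst_zone, "any")
                and self.proto in (proto, "any")
                and self.port in (port, None))


# Only paths for which a need was demonstrated are listed; order matters
# because evaluation is first-match.
RULES = [
    Rule("internet", "dmz", "tcp", 443, "allow", "public HTTPS to DMZ web servers"),
    Rule("internet", "dmz", "tcp", 80, "allow", "public HTTP to DMZ web servers"),
    Rule("internal", "dmz", "tcp", 22, "allow", "administration of DMZ hosts from inside"),
    Rule("internal", "internet", "tcp", 443, "allow", "outbound HTTPS for staff"),
    Rule("dmz", "internal", "any", None, "deny", "DMZ hosts must not reach internal systems"),
]

# The implicit last rule: everything not matched above is denied.
DEFAULT_DENY = Rule("any", "any", "any", None, "deny",
                    "default deny: path not specifically permitted")


def evaluate(src: str, dst: str, proto: str, port: int) -> Rule:
    """Return the first rule matching the path, or the default-deny rule."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in RULES:
        if rule.matches(src_zone, dst_zone, proto, port):
            return rule
    return DEFAULT_DENY


def audit_rules(rules) -> list:
    """Audit check: flag any allow rule that would let DMZ hosts initiate
    connections into the internal network, which the policy forbids."""
    findings = []
    for r in rules:
        if (r.action == "allow"
                and r.src_zone in ("dmz", "any")
                and r.dst_zone in ("internal", "any")):
            findings.append(f"allow rule violates DMZ isolation: {r.comment}")
    return findings


if __name__ == "__main__":
    # Constructed sample connection attempts.
    attempts = [
        ("203.0.113.7", "192.0.2.10", "tcp", 443),   # internet -> DMZ web
        ("203.0.113.7", "10.1.2.3", "tcp", 443),     # internet -> internal
        ("192.0.2.10", "10.1.2.3", "tcp", 22),       # DMZ -> internal
        ("10.1.2.3", "192.0.2.10", "tcp", 22),       # internal -> DMZ admin
    ]
    for src, dst, proto, port in attempts:
        rule = evaluate(src, dst, proto, port)
        print(f"{src} -> {dst} {proto}/{port}: {rule.action.upper()} ({rule.comment})")
    print("audit findings:", audit_rules(RULES) or "none")
```

The explicit DMZ-to-internal deny rule is redundant with the default deny, but keeping it documents the policy requirement in the rule set itself and makes the audit check meaningful: a later allow rule inserted above it would be caught by `audit_rules` regardless of ordering.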
Current backup copies of firewall configuration files, connectivity permission files, systems administration documentation, and related files should be stored in a secure accessible location at all times.
Where possible, virus screening software should be installed and enabled on all Mt. SAC firewalls.
Firewalls should run on dedicated machines which perform no other services. To reduce the chances of security compromise, firewalls must have only the bare minimum of operating systems software resident and enabled on them.
Because hackers and other intruders use the latest attack techniques, Mt. SAC's firewalls must be running the latest software to repel these attacks. Where available from the vendor, all Mt. SAC firewalls must subscribe to software maintenance and software update services.
Mt. SAC staff members responsible for managing firewalls must subscribe to the relevant sources providing current information about firewall vulnerabilities. Any vulnerability which appears to affect Mt. SAC networks and systems must be promptly brought to the attention of IT.
All Mt. SAC firewalls should be located in locked rooms accessible only to those who must have physical access to such firewalls to perform the tasks assigned by management.
The internal system addresses, configurations, and related system design information for Mt. SAC's networked computer systems must be restricted such that both systems and users outside Mt. SAC's internal network cannot access this information. One example of this involves split DNS (Domain Name Service).
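Split DNS serves two views of the same zone: internal clients get internal addresses, while resolvers outside the network see only public records and never learn internal addressing. The following is an added example, not Mt. SAC's DNS configuration: it picks the view from the querying client's address, answers from constructed zone data, and includes a check that the external view carries no internal address, which is the exposure this policy statement is meant to prevent. The domain names, address ranges and records are constructed samples.

```python
"""Split-DNS view selection with an exposure check on the external view.

Added example, not Mt. SAC's DNS configuration: internal clients receive
internal addresses, everyone else receives only the public records, and
the external view is checked so that it never reveals internal addressing.
Names, addresses and ranges are constructed samples.
"""
from ipaddress import ip_address, ip_network

# Hypothetical internal ranges that must never appear in the external view.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed zone data: name -> {view: address}. A name with no
# "external" entry simply does not exist for outside resolvers.
ZONE = {
    "www.example.edu":      {"internal": "10.20.0.5", "external": "192.0.2.10"},
    "mail.example.edu":     {"internal": "10.20.0.7", "external": "192.0.2.25"},
    "intranet.example.edu": {"internal": "10.20.0.9"},
}


def is_internal(addr: str) -> bool:
    """True if the address lies in one of the internal ranges."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def select_view(client_ip: str) -> str:
    """Choose the view from the source address of the query."""
    return "internal" if is_internal(client_ip) else "external"


def resolve(name: str, client_ip: str):
    """Answer for the client's view; None stands for NXDOMAIN in that view."""
    return ZONE.get(name, {}).get(select_view(client_ip))


def find_exposures(zone: dict) -> list:
    """Return names whose external record would reveal an internal address.
    A non-empty result means the external view leaks internal design data."""
    return [name for name, views in zone.items()
            if "external" in views and is_internal(views["external"])]


if __name__ == "__main__":
    # Constructed sample queries from an inside and an outside client.
    for client in ("10.3.4.5", "203.0.113.9"):
        for name in ZONE:
            print(f"{client} asks {name}: {resolve(name, client)}")
    print("external-view exposures:", find_exposures(ZONE) or "none")
```

Running `find_exposures` against the zone data before publishing it is the practical control here: it catches the common mistake of copying an internal record into the public zone, which would hand outside systems exactly the internal addressing this policy says they must not obtain.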