Information Security Standard Practices
Acceptable Use Agreement — Firewall Policy
1.0 Objectives and Scope
Firewalls are an essential component of Mt. SAC's information systems security infrastructure. Firewalls are defined as security systems that control and restrict both internet connectivity and internet services. Firewalls establish a perimeter where access controls are enforced. Connectivity defines which computer systems can exchange information. A service, sometimes called an application, refers to the way information flows through a firewall. Examples of services include FTP (file transfer protocol) and HTTP (web browsing). This policy defines the essential rules regarding the management and maintenance of firewalls at Mt. SAC. It applies to all firewalls owned, rented, leased, or otherwise controlled by Mt. SAC employees, excluding personal firewalls, which are covered by the Computer Use Policy.
2.0 Playing the Role of Firewalls
In some instances, systems such as routers, wireless access points, or gateways may be functioning as though they are firewalls when in fact they are not formally known as firewalls. All Mt. SAC systems playing the role of firewalls, whether or not they are formally called firewalls, must be managed according to the rules defined in this policy. In some instances this will require that these systems be upgraded so they can support the minimum functionality defined in this policy.
3.0 Acceptable Configuration
Every network connectivity path not specifically permitted must be denied by firewalls. Permission to enable any path will be granted by IT when a need is demonstrated and sufficient security measures will be consistently employed. All other paths should default to denial.
4.0 Regular Auditing
IT will audit firewalls on a regular basis. The audit process may include consideration of defined configuration parameters, enabled services, permitted connectivity, current administrative practices, and adequacy of the deployed security measures. These audits may also include the regular execution of vulnerability identification software.
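As an added illustration (not part of the Mt. SAC policy) of what an audit under sections 3.0 and 4.0 checks for, the following script walks a constructed, first-match-wins ruleset and reports paths that are not covered by a final default deny, permits that lack a documented need, any-to-any permits, and rules that can never fire because an earlier rule already covers them. Rule fields, addresses and ticket references are assumptions made up for the example.

```python
# Added example: audit a constructed firewall ruleset against the policy's
# default-deny and documented-need requirements. Not Mt. SAC's own tooling.
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    service: str             # e.g. "tcp/443", or "any"
    justification: str = ""  # approval/ticket reference (constructed field)

def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches inner also matches outer."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.service in ("any", inner.service))

def audit_ruleset(rules: List[Rule]) -> List[str]:
    findings = []
    # 3.0: the ruleset must end in a catch-all deny so unlisted paths are refused.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "0.0.0.0/0"
            and last.dst == "0.0.0.0/0" and last.service == "any"):
        findings.append("no default-deny rule at end of ruleset")
    for i, r in enumerate(rules):
        if r.action == "permit":
            if not r.justification:   # 3.0: permits require a demonstrated need
                findings.append(f"rule {i}: permit without documented need")
            if r.src == "0.0.0.0/0" and r.dst == "0.0.0.0/0" and r.service == "any":
                findings.append(f"rule {i}: permits any-to-any traffic")
        # First match wins: a rule fully covered by an earlier rule never applies.
        for j in range(i):
            if _covers(rules[j], r):
                findings.append(f"rule {i}: shadowed by rule {j}")
                break
    return findings

# Constructed sample ruleset; addresses and ticket numbers are illustrative.
SAMPLE_RULES = [
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp/443", "TKT-1042 public web"),
    Rule("deny",   "0.0.0.0/0", "10.0.0.0/8",    "any"),
    Rule("permit", "0.0.0.0/0", "10.1.1.5/32",   "tcp/22"),   # undocumented and shadowed
    Rule("deny",   "0.0.0.0/0", "0.0.0.0/0",     "any"),
]

if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_RULES):
        print(finding)
```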
4.5 Network Management Systems
Firewalls must be configured so that they are visible to internal network management systems. Firewalls must also be configured so that they permit the use of remote automatic auditing tools by authorized Mt. SAC staff members. Unless deliberately intended, such automatic auditing tools must not trigger a response sequence through firewall-connected intrusion detection systems.
5.0 Intrusion Detection
Mt. SAC's firewalls may include intrusion detection systems approved by IT. These intrusion detection systems must each be configured according to the specifications defined by IT. Among other potential problems, these intrusion detection systems must detect unauthorized modifications to firewall system files. Such intrusion detection systems should also immediately notify technical staff who are in a position to take corrective action.
6.0 Firewall Access Mechanisms
All Mt. SAC firewalls should have unique passwords or other access control mechanisms. The same password or access control code must not be used on more than one firewall. This will prevent an intruder from using the same mechanism to compromise multiple firewalls.
7.0 Firewall Access Privileges
Privileges to modify the functionality, connectivity, and services supported by firewalls must be restricted to authorized personnel only. These privileges must be granted only to individuals who are full-time permanent employees of Mt. SAC. All firewalls should have at least two staff members who are adequately trained to make changes as circumstances require.
8.0 Secured Subnets
Portions of Mt. SAC's internal network that contain sensitive or valuable information must employ a secured subnet. Access to secured subnets must be restricted with firewalls and other control measures. Based on periodic risk assessments, IT will define the secured subnets required.
9.0 Demilitarized Zones (DMZ)
All public servers must be protected by the DMZ. DMZs are subnets which are protected by a firewall from the internet. Users of the systems in the DMZ are prevented from gaining access to other network-connected Mt. SAC computers outside the DMZ.
10.0 Network Management Systems
Firewalls must be configured so that they are visible to internal network management systems. Firewalls must also be configured so that they permit the use of remote automatic auditing tools by authorized Mt. SAC staff members. Unless deliberately intended as a test, such automatic auditing tools must not trigger a response sequence through firewall-connected intrusion detection systems.
11.0 Secure Backup
Current backup copies of firewall configuration files, connectivity permission files, systems administration documentation, and related files should be stored in a secure, accessible location at all times.
12.0 Virus Screening
Where possible, virus screening software should be installed and enabled on all Mt. SAC firewalls.
13.0 Firewall Dedicated Functionality
Firewalls should run on dedicated machines which perform no other services. To reduce the chances of security compromise, firewalls must have only the bare minimum of operating system software resident and enabled on them.
14.0 Applying Updates
Because hackers and other intruders use the latest attack techniques, Mt. SAC's firewalls must be running the latest software to repel these attacks. Where available from the vendor, all Mt. SAC firewalls must subscribe to software maintenance and software update services.
15.0 Monitoring Vulnerabilities
Mt. SAC staff members responsible for managing firewalls must subscribe to the relevant sources providing current information about firewall vulnerabilities. Any vulnerability which appears to affect Mt. SAC networks and systems must be promptly brought to the attention of IT.
16.0 Firewall Physical Security
All Mt. SAC firewalls should be located in locked rooms accessible only to those who must have physical access to such firewalls to perform the tasks assigned by management.
17.0 Disclosure of Internal Network Information
The internal system addresses, configurations, and related system design information for Mt. SAC's networked computer systems must be restricted such that both systems and users outside Mt. SAC's internal network cannot access this information. One example of this involves split DNS (Domain Name Service).