Pol-Firewalls – IT Division Policy

policy firewalls modified Mon Oct 31 2022 11:35:55 GMT-0400 (Eastern Daylight Time)


University of Louisville

OFFICIAL UNIVERSITY ADMINISTRATIVE POLICY

POLICY NAME

Firewalls – IT Division Policy

EFFECTIVE DATE

July 23, 2007

POLICY NUMBER

ISO-017 v2.1

POLICY APPLICABILITY

This policy applies to all University workforce, faculty, and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research, or study activity using University resources and includes all facilities, property, data, and equipment owned, leased, and/or maintained by the University or affiliates.

POLICY STATEMENT

The university provides firewalls to protect the central university servers and host systems, and to protect the university network from the wider Internet. Custom firewalls, which provide additional protection for departmental systems, may be installed upon request.

STANDARDS

Administrative Standards:

  • Individual computer firewalls must be installed/enabled on all computers and servers controlled by the department as well as personal computing devices used to store or process university data.
  • All internal network devices, including but not limited to routers, firewalls, and access control servers, have unique passwords and other appropriate access control mechanisms as documented in the hardening guides.
  • A single password value or access control code must not be used on more than one firewall. Whenever supported by the involved firewall vendor, those who administer firewalls employed within the University network must have their identity validated through extended user authentication mechanisms.
  • Network access privileges to modify the functionality, connectivity and services supported by firewalls are restricted on a least privilege basis only to authorized employees or third parties under contract.
  • Firewalls run on single-function devices that perform no other services, such as acting as a mail server. Sensitive or critical departmental information must never be stored on a firewall. Such information may be held in buffers as it passes through a firewall.
  • Provisioning of perimeter network devices, including firewalls, within the department and university's network is managed and configured by the university IT and departmental IT teams. Configurations should deny unnecessary services and connections and prevent untrusted networks from accessing or being used inappropriately.
  • The effectiveness and proper configuration of all University of Louisville firewalls within the university's departments are tested on a regular basis.
  • Prior to the deployment of a department firewall, a risk assessment should be conducted and signed off by a member of IT, the Enterprise IT team or the Chief Information Security Officer.
  • Requests for custom firewalls or modifications to existing firewall configurations must be sent using the Firewall forms located at: http://louisville.edu/it/departments/enterprise-security/forms.
    • Changes will be completed, per university guidelines, during the Preventive Maintenance period.
  • Emergency changes must be requested in writing and with approval from the Department Head and/or Dean.
  • Firewall rules that are more than 1 year old or have not been modified in 1 year require a review by the requester to confirm that they are still necessary. Rules that are no longer needed, or for which no response is received, will be deleted within 2-3 weeks.

Technical Standards:

All outbound packets are allowed to travel outside, and inbound packets are allowed inside the firewall only if they can be determined to be responses to outbound requests.

The following types of network traffic should always be blocked:

  • Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself.
  • Inbound traffic with a source address indicating that the packet originated on a network behind the firewall.
  • Inbound or outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as reserved for private networks. For reference, RFC 1918 reserves the following address ranges for private networks:
    • 10.0.0.0 to 10.255.255.255 (Class A)
    • 172.16.0.0 to 172.31.255.255 (Class B)
    • 192.168.0.0 to 192.168.255.255 (Class C)
  • Inbound or outbound network traffic containing a source or destination address of 127.0.0.1 (localhost).
  • Inbound or outbound network traffic containing a source or destination address of 0.0.0.0.
  • Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic.
  • Inbound traffic containing IP Source Routing information.
  • Inbound or outbound traffic containing directed broadcast addresses.

The firewall should block all inbound traffic unless that traffic is explicitly needed for inbound server connections. The following services and applications should only be allowed in extreme circumstances and allowed connections should be documented outside of the firewall system being used.

Application - Port Numbers/Action

  • Login Services
    • Telnet - 23 tcp, always block
    • FTP - 21 tcp, always block
    • r services - 512-514 tcp, always block
  • RPC and NFS
    • Portmap/rpcbind - 111 tcp/udp, always block
    • NFS - 2049 tcp/udp, always block
    • lockd - 4045 tcp/udp, always block
  • NetBIOS over TCP/IP
    • Microsoft Remote Procedure Call (RPC) - 135 tcp/udp, always block
    • Name service - 137 tcp/udp, always block
    • Datagram distribution service - 138 udp, always block
    • Session Service - 139 tcp, always block
    • Direct SMB/CIFS - 445 tcp/udp, always block
  • X Windows
    • X11 - 6000-6255 tcp, always block
  • Naming Services
    • DNS - 53 tcp/udp, restrict to external DNS servers
    • DNS zone transfers - 53 tcp/udp, block unless external secondary
    • LDAP - 389 tcp, always block
  • Mail
    • SMTP - 25 tcp, block unless external mail relays
    • POP - 109 and 110 tcp, always block
    • IMAP - 143 tcp, always block
  • Miscellaneous
    • tftp - 69 udp, always block
    • finger - 79 tcp, always block
    • NNTP - 119 tcp, always block
    • NTP - 123 tcp, always block
    • BGP - 179 tcp, always block
    • SNMP - 161, 162 tcp/udp, always block
    • syslog - 514 udp, always block
    • LPD - 515 tcp, always block
    • SOCKS - 1080 tcp, always block

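
As an added illustration, not part of the policy and not the university's own firewall configuration, the following Python encodes the Technical Standards above (the address rules and the always-block port table) as one decision function and runs it over constructed sample packets. The internal range 198.51.100.0/24, the firewall address 198.51.100.1 and the packet field names are assumptions made for the example.

```python
import ipaddress

# Constructed example: the policy's Technical Standards as a packet decision
# function. Not the university's own firewall configuration.
LOCALHOST, UNSPECIFIED = ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "always block" ports from the application table; 161/162 also covers inbound SNMP
ALWAYS_BLOCK = {
    "tcp": {23, 21, 512, 513, 514, 111, 2049, 4045, 135, 137, 139, 445, 389,
            109, 110, 143, 79, 119, 123, 179, 161, 162, 515, 1080,
            *range(6000, 6256)},
    "udp": {111, 2049, 4045, 135, 137, 138, 445, 69, 161, 162, 514},
}

def evaluate(pkt, internal_nets, fw_addr, allowed_inbound=()):
    """Return (verdict, reason) for a packet dict; SAMPLES below shows the keys."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    inbound = pkt["direction"] == "in"
    if inbound and dst == ipaddress.ip_address(fw_addr) and not pkt.get("authenticated"):
        return "block", "unauthenticated traffic to the firewall itself"
    if inbound and any(src in n for n in internal_nets):
        return "block", "inbound packet claims an internal source"  # anti-spoofing
    if any(src in n for n in RFC1918):
        return "block", "RFC 1918 source address"
    if LOCALHOST in (src, dst):
        return "block", "localhost address"
    if UNSPECIFIED in (src, dst):
        return "block", "0.0.0.0 address"
    if inbound and pkt.get("source_routed"):
        return "block", "IP source routing"
    if any(dst == n.broadcast_address for n in internal_nets):
        return "block", "directed broadcast"
    if inbound and pkt["dport"] in ALWAYS_BLOCK[pkt["proto"]]:
        return "block", f"{pkt['proto']}/{pkt['dport']} is on the always-block list"
    if not inbound or pkt.get("established"):
        return "allow", "outbound, or a response to an outbound request"
    if (pkt["proto"], pkt["dport"]) in allowed_inbound:
        return "allow", "documented inbound server service"
    return "block", "default deny for inbound traffic"

# Constructed sample: internal range 198.51.100.0/24, firewall at 198.51.100.1
INTERNAL, FW = [ipaddress.ip_network("198.51.100.0/24")], "198.51.100.1"
SAMPLES = [
    {"direction": "in", "src": "203.0.113.7", "dst": "198.51.100.10", "proto": "tcp", "dport": 445},
    {"direction": "in", "src": "198.51.100.5", "dst": "198.51.100.10", "proto": "tcp", "dport": 80},
    {"direction": "in", "src": "203.0.113.7", "dst": "198.51.100.10", "proto": "tcp", "dport": 443, "established": True},
    {"direction": "out", "src": "198.51.100.10", "dst": "203.0.113.7", "proto": "udp", "dport": 53},
]
def run_samples():
    return [evaluate(p, INTERNAL, FW)[0] for p in SAMPLES]  # ['block', 'block', 'allow', 'allow']
```

Services that are documented as needed for inbound server connections are passed in `allowed_inbound` as (protocol, port) pairs; everything else inbound falls through to the default deny.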
FORMS/ONLINE PROCESSES
ADMINISTRATIVE AUTHORITY

Executive Vice President and University Provost

RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION

Information Technology
Miller IT Center 109, Louisville, KY 40292
IT Helpdesk Phone: 502-852-7997
IT Helpdesk ServiceNow or Live Chat: http://louisville.edu/it/helpdesk

HISTORY

This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.

This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.

Approved July 23, 2007 by the Information Technology Division

Revision Date(s):

1.0 / July 23, 2007 / Original Publication

1.1 / August 28, 2013 / Content Update per IT

1.2 / September 29, 2014 / Content Review

1.3 / April 3, 2015 / URL for Firewall Change Form updated

2.0 / March 8, 2016 / Content update of Responsibilities to IT, update to new template

2.1 / June 14, 2017 / Content update IT contact info changed to ServiceNow

Reviewed Date(s): September 29, 2014; March 8, 2016; June 14, 2017

The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.