The university provides firewalls to protect the central university servers and host systems, and to protect the university network from the wider Internet. Custom firewalls providing additional protection for university systems may be installed upon request.

Administrative Standards:

• Individual software firewalls must be installed/enabled on all computers and servers used to access, store, or process university data.
• All internal network devices including, but not limited to routers, firewalls, and access control servers, have unique passwords and other appropriate access control mechanisms as documented in hardening guides.
• A single password value or access control code must not be used on more than one firewall.  Whenever supported by the involved firewall vendor, those who administer firewalls employed within the University network must have their identity validated through extended user authentication mechanisms.
• Network access privileges to modify the functionality, connectivity and services supported by firewalls are restricted on a least privilege basis only to authorized employees or third parties under contract.
• Firewalls run on single-function devices that perform no other services, such as acting as a mail server.  Sensitive or critical information must never be stored on a firewall.  Such information may be held in buffers as it passes through a firewall.
• Provisioning of perimeter network devices, including firewalls, within the university's network is managed and configured by the university IT.  Configurations should deny unnecessary services and connections and prevent inappropriate access or usage of untrusted networks.
• The effectiveness and proper configuration of all University of Louisville firewalls are evaluated and tested on a regular basis.
• A risk assessment must be conducted before any firewall deployment or modifications may occur. Any identified risk, such as vulnerabilities or improper configuration must be mitigated, then reviewed and approved by ITS Enterprise Security or the Chief Information Security Officer. 
• Firewall rules older than or unmodified after 1 year will require a review by the requester to confirm that they are still necessary.   Rules which are no longer needed or which receive no response will be deleted within 2-3 weeks. 

Technical Standards:

The following type of network traffic should always be blocked:

• Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself. 
• Inbound traffic with a source address indicating that the packet originated on a network behind the firewall. 
• Inbound or Outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as being reserved for private networks. For reference purposes, RFC 1918 reserves the following address ranges for private networks: 
  • 10.0.0.0 to 10.255.255.255 (Class A) 
  • 172.16.0.0 to 172.31.255.255 (Class B) 
  • 192.168.0.0 to 192.168.255.255 (Class C) 
• Inbound or Outbound network traffic containing a source or destination address of 127.0.0.1 (localhost). 
• Inbound or Outbound network traffic containing a source or destination address of 0.0.0.0. 
• Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic. 
• Inbound traffic containing IP Source Routing information. 
• Inbound or Outbound traffic containing directed broadcast addresses 

The firewall should block all inbound traffic unless that traffic is explicitly needed for inbound server connections. The following services and applications should only be allowed in extreme circumstances and allowed connections should be documented outside of the firewall system being used.

Application - Port Numbers/Action

• Login Services 
  • Telnet – TCP/23, always block
  • FTP - TCP/21, always block 
  • r services - TCP/512-514, always block 
• RPC and NFS
  • Portmap/rpcbind - 111 tcp/udp always block 
  • NFS - 2049 tcp/udp always block 
  • lockd - 4045 tcp/udp always block 
• NetBIOS over TCP/IP
  • Microsoft Remote Procedure Call (RPC) - 135 tcp/udp always block 
  • Name service - 137 tcp/udp always block 
  • Datagram distribution service - 138 udp always block 
  • Session Service - 139 tcp always block 
  • Direct SMB/CIFS - 445 tcp/udp always block 
• X Windows
  • 6000-6255 tcp always block 
• Naming Services
  • DNS - 53 tcp/udp restrict to external DNS servers 
  • DNS zone transfers - 53 tcp/udp block unless external secondary 
  • LDAP - 389 tcp always block 
• Mail
  • SMTP - 25 tcp block unless external mail relays 
  • POP - 109 and 110 tcp always block 
  • IMAP - 143 tcp always block 
• Miscellaneous
  • tftp - 69 udp always block 
  • finger - 79 tcp always block 
  • NNTP - 119 tcp always block 
  • NTP - 123 tcp always block 
  • BGP - 179 tcp always block 
  • SNMP - 161, 162 tcp/udp always block 
  • syslog - 514 udp always block 
  • LPD - 515 tcp always block 
  • SOCKS - 1080 tcp always block 

https://service.louisville.edu