Pol-Firewalls – IT Division Policy
policy firewalls modified Mon Mar 16 2020 16:55:29 GMT-0400 (Eastern Daylight Time)
University of Louisville
Firewalls – IT Division Policy
July 23, 2007
This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
The university provides firewalls to protect the central university servers and host systems, and to protect the university network from the wider Internet. Custom firewalls, which provide additional protection for departmental systems, may be installed upon request.
- Individual computer firewalls must be installed/enabled on all computers and servers controlled by the department as well as personal computing devices used to store or process university data.
- All internal network devices, including but not limited to routers, firewalls, and access control servers, must have unique passwords and other appropriate access control mechanisms as documented in hardening guides.
- A single password value or access control code must not be used on more than one firewall. Whenever supported by the involved firewall vendor, those who administer firewalls employed within the University network must have their identity validated through extended user authentication mechanisms.
- Network access privileges to modify the functionality, connectivity and services supported by firewalls are restricted on a least privilege basis only to authorized employees or third parties under contract.
- Firewalls run on single-function devices that perform no other services, such as acting as a mail server. Sensitive or critical departmental information must never be stored on a firewall. Such information may be held in buffers as it passes through a firewall.
- Provisioning of perimeter network devices, including firewalls, within the department and university's network is managed and configured by the university IT and departmental IT teams. Configurations should deny unnecessary services and connections and prevent untrusted networks from accessing or being used inappropriately.
- The effectiveness and proper configuration of all University of Louisville firewalls within the university's departments are tested on a regular basis.
- Prior to the deployment of a department firewall, a risk assessment should be conducted and signed off by a member of IT, the Enterprise IT team or the Chief Information Security Officer.
Requests for custom firewalls or modification to existing firewall configurations must be sent using the Firewall forms located at: http://louisville.edu/it/departments/enterprise-security/forms.
- Changes will be completed, per university guidelines, during the Preventive Maintenance period.
- Emergency changes must be requested in writing and with approval from Department Head and/or Dean.
- Firewall rules older than or unmodified after 1 year will require a review by the requester to confirm that they are still necessary. Rules which are no longer needed or which receive no response will be deleted within 2-3 weeks.
All outbound packets are allowed to travel outside, and inbound packets are allowed inside the firewall only if they can be determined to be responses to outbound requests.
The following types of network traffic should always be blocked:
- Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself.
- Inbound traffic with a source address indicating that the packet originated on a network behind the firewall.
- Inbound or Outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as being reserved for private networks. For reference purposes, RFC 1918 reserves the following address ranges for private networks:
  - 10.0.0.0 to 10.255.255.255 (Class A)
  - 172.16.0.0 to 172.31.255.255 (Class B)
  - 192.168.0.0 to 192.168.255.255 (Class C)
- Inbound or Outbound network traffic containing a source or destination address of 127.0.0.1 (localhost).
- Inbound or Outbound network traffic containing a source or destination address of 0.0.0.0.
- Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic.
- Inbound traffic containing IP Source Routing information.
- Inbound or Outbound traffic containing directed broadcast addresses.
The firewall should block all inbound traffic unless that traffic is explicitly needed for inbound server connections. The following services and applications should only be allowed in extreme circumstances and allowed connections should be documented outside of the firewall system being used.
Application - Port Numbers/Protocol - Action
- Telnet - 23 tcp - always block
- FTP - 21 tcp - always block
- r services - 512-514 tcp - always block
RPC and NFS
- Portmap/rpcbind - 111 tcp/udp - always block
- NFS - 2049 tcp/udp - always block
- lockd - 4045 tcp/udp - always block
NetBIOS over TCP/IP
- Microsoft Remote Procedure Call (RPC) - 135 tcp/udp - always block
- Name service - 137 tcp/udp - always block
- Datagram distribution service - 138 udp - always block
- Session Service - 139 tcp - always block
- Direct SMB/CIFS - 445 tcp/udp - always block
- 6000-6255 tcp - always block
- DNS - 53 tcp/udp - restrict to external DNS servers
- DNS zone transfers - 53 tcp/udp - block unless external secondary
- LDAP - 389 tcp - always block
- SMTP - 25 tcp - block unless external mail relays
- POP - 109 and 110 tcp - always block
- IMAP - 143 tcp - always block
- tftp - 69 udp - always block
- finger - 79 tcp - always block
- NNTP - 119 tcp - always block
- NTP - 123 tcp - always block
- BGP - 179 tcp - always block
- SNMP - 161, 162 tcp/udp - always block
- syslog - 514 udp - always block
- LPD - 515 tcp - always block
- SOCKS - 1080 tcp - always block
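The anti-spoofing rules (RFC 1918, loopback, 0.0.0.0, spoofed internal sources, source routing, directed broadcast) and the always-block port table above, combined into one illustrative stateful packet-screening routine. This is an added example, not the university's firewall configuration: the protected network, firewall address and packet dictionary format are whatever the caller supplies (constructed values), only a subset of the port table is encoded, and every external source is treated as non-authenticated.

```python
import ipaddress

# RFC 1918 ranges as listed in the policy.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Subset of the policy's "always block" inbound services as (proto, port); extend from the table.
ALWAYS_BLOCK = {("tcp", 23), ("tcp", 21), ("tcp", 111), ("udp", 111), ("tcp", 2049), ("udp", 2049),
                ("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 161), ("udp", 162), ("udp", 69)}
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")

class Screen:
    """Stateful perimeter screen. inside_net and fw_ip are assumed (caller-supplied) values for
    the protected network; permitted_inbound holds documented server rules as (proto, ip, port)."""
    def __init__(self, inside_net, fw_ip, permitted_inbound=()):
        self.inside = ipaddress.ip_network(inside_net)
        self.fw_ip = ipaddress.ip_address(fw_ip)
        self.permitted = {(p, ipaddress.ip_address(ip), port) for p, ip, port in permitted_inbound}
        self.state = set()   # flows opened by outbound requests, keyed so the reply can be matched

    def check(self, pkt, direction):
        """Return (verdict, reason) for a constructed packet dict {src, dst, proto, sport, dport,
        optional source_route} travelling 'in' (from the Internet) or 'out' (from inside)."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        proto, sport, dport = pkt["proto"], pkt.get("sport"), pkt.get("dport")
        # Rules the policy applies in both directions
        if src.is_loopback or dst.is_loopback:
            return "block", "loopback address"
        if UNSPECIFIED in (src, dst):
            return "block", "0.0.0.0 address"
        if any(src in net for net in RFC1918):
            return "block", "RFC 1918 source address"
        if dst == self.inside.broadcast_address:   # directed broadcast aimed at the protected network
            return "block", "directed broadcast"
        if direction == "out":
            self.state.add((proto, dst, dport, src, sport))   # remember the flow for its reply
            return "allow", "outbound permitted"
        # Inbound-only rules (all external sources treated as non-authenticated: assumption)
        if dst == self.fw_ip:
            return "block", "traffic addressed to the firewall itself"
        if src in self.inside:
            return "block", "source claims to be behind the firewall"
        if pkt.get("source_route"):
            return "block", "IP source routing option present"
        if (proto, dport) in ALWAYS_BLOCK:
            return "block", f"{proto}/{dport} is always blocked"
        if (proto, src, sport, dst, dport) in self.state:
            return "allow", "reply to an outbound request"
        if (proto, dst, dport) in self.permitted:
            return "allow", "documented inbound server rule"
        return "block", "no matching outbound request or inbound rule"
```

The directed-broadcast check only knows the protected network's broadcast address; a real perimeter device would also apply it to other locally routed subnets.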
Policy Authority/Enforcement: Enterprise Information Technology Management is responsible for the development, publication, modification and oversight of this policy and standards. Information Technology works in conjunction with University Leadership, Information Security, Audit Services and others for development, monitoring and enforcement of this policy and standards.
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
Executive Vice President and University Provost
RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION
Miller IT Center 109, Louisville, KY 40292
IT Helpdesk Phone: 502-852-7997
IT Helpdesk ServiceNow or Live Chat: http://louisville.edu/it/helpdesk
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Approved July 23, 2007 by the Information Technology Division
1.0 / July 23, 2007 / Original Publication
1.1 / August 28, 2013 / Content Update per IT
1.2 / September 29, 2014 / Content Review
1.3 / April 3, 2015 / URL for Firewall Change Form updated
2.0 / March 8, 2016 / Content update of Responsibilities to IT, update to new template
2.1 / June 14, 2017 / Content update, IT contact info changed to ServiceNow
Reviewed Date(s): September 29, 2014, March 8, 2016, June 14, 2017
The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.