ISO PS017 Enterprise Firewalls
Policy Name: Firewall Policy
Policy Number: IS PS017
Effective Date: July 23, 2007
Review Date: July 23, 2008
Last Revision Date: July 23, 2007
Last Revision By: Brenda B. Gombosky
Contact Name: Brenda B. Gombosky
Contact Email: brenda.gombosky@louisville.edu
Approved By: IT (Division Policy for IT Enterprise Firewalls)
Version: 1.0


POLICY:

The university provides firewalls to protect the central university servers and host systems, and to protect the university network from the wider Internet. Custom firewalls to add additional protection are provided on request.


STANDARDS:

Administrative Standards:

  • Any request to modify a firewall configuration must be submitted by the end of the business day on Wednesday; the change will be made during the Preventive Maintenance window between 10:00 PM Friday and 2:00 AM Saturday.
  • All requests should be sent using the Firewall Modification form located at: http://louisville.edu/it/services/network/firewalls/
  • Emergency changes must be requested in writing, with approval from the Department Head and/or Dean.
  • Custom firewalls are also available. To request one, go to: http://louisville.edu/it/services/network/firewalls/

Technical Standards:

All outbound packets are allowed out through the firewall; inbound packets are allowed in only if the firewall can determine that they are responses to outbound requests.

The following types of network traffic should always be blocked:

  • Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself.
  • Inbound traffic with a source address indicating that the packet originated on a network behind the firewall.
  • Inbound or outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 as reserved for private networks. For reference, RFC 1918 reserves the following address ranges for private networks:
    • 10.0.0.0 to 10.255.255.255 (Class A)
    • 172.16.0.0 to 172.31.255.255 (Class B)
    • 192.168.0.0 to 192.168.255.255 (Class C)
  • Inbound traffic from a non-authenticated source system containing SNMP (Simple Network Management Protocol) traffic.
  • Inbound traffic containing IP source routing information.
  • Inbound or outbound network traffic containing a source or destination address of 127.0.0.1 (localhost).
  • Inbound or outbound network traffic containing a source or destination address of 0.0.0.0.
  • Inbound or outbound traffic containing directed broadcast addresses.
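To make the always-block rules and the stateful default (replies to outbound requests only) concrete, here is an added Python example that is not part of the policy or the university's firewall; it applies the rules above to constructed packets. The internal network 192.0.2.0/24, the firewall address 198.51.100.1 and the Packet/Firewall names are assumptions, chosen from documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology (documentation ranges, not the university's addresses):
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
FIREWALL_ADDR = ipaddress.ip_address("198.51.100.1")
# RFC 1918 private ranges listed in the standard, plus the SNMP ports.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SNMP_PORTS = {161, 162}
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")

@dataclass
class Packet:
    direction: str              # "in" (from the Internet) or "out" (from inside)
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    source_routed: bool = False   # IP source-routing option present
    authenticated: bool = False   # source is an authenticated management host

@dataclass
class Firewall:
    flows: set = field(default_factory=set)   # outbound flows seen: (src, dst, proto, sport, dport)

    def verdict(self, p: Packet) -> str:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        inbound = p.direction == "in"
        if inbound and dst == FIREWALL_ADDR and not p.authenticated:
            return "block: unauthenticated traffic to the firewall itself"
        if inbound and any(src in n for n in INTERNAL_NETS):
            return "block: inbound packet with an internal source address"
        if any(src in n for n in RFC1918):
            return "block: RFC 1918 source address"
        if inbound and p.proto == "udp" and p.dport in SNMP_PORTS and not p.authenticated:
            return "block: unauthenticated inbound SNMP"
        if inbound and p.source_routed:
            return "block: IP source routing"
        if src.is_loopback or dst.is_loopback:   # 127.0.0.0/8, which includes 127.0.0.1
            return "block: loopback address"
        if UNSPECIFIED in (src, dst):
            return "block: 0.0.0.0 address"
        if any(a == n.broadcast_address for n in INTERNAL_NETS for a in (src, dst)):
            return "block: directed broadcast"
        if not inbound:   # record the flow so that its replies are admitted
            self.flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
            return "allow"
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.flows:
            return "allow: reply to an outbound request"
        return "block: unsolicited inbound (default deny)"
```

Only the rules the standard lists are implemented; the per-service port blocks that follow would sit on top of this as a further inbound filter.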

The firewall should block all inbound traffic unless that traffic is explicitly needed for inbound server connections. The following services and applications should only be allowed in extreme circumstances:

Application / Port Numbers / Action

  • Login Services
    • Telnet - 23/tcp always block
    • FTP - 21/tcp always block
    • NetBIOS - 139/tcp always block
    • r services - 512/tcp through 514/tcp always block
  • RPC and NFS
    • Portmap/rpcbind - 111/tcp/udp always block
    • NFS - 2049/tcp/udp always block
    • lockd - 4045/tcp/udp always block
  • NetBIOS in Windows NT
    • 135/tcp/udp always block
    • 137/udp always block
    • 138/udp always block
    • 139/tcp always block
    • 445/tcp/udp in Windows 2000 always block
  • X Windows
    • 6000/tcp - 6255/tcp always block
  • Naming Services
    • DNS - 53/udp restrict to external DNS servers
    • DNS zone transfers - 53/udp block unless external secondary
    • LDAP - 389/tcp/udp always block
  • Mail
    • SMTP - 25/tcp block unless external mail relays
    • POP - 109/tcp and 110/tcp always block
    • IMAP - 143/tcp always block
  • Miscellaneous
    • tftp - 69/udp always block
    • finger - 79/tcp always block
    • NNTP - 119/tcp always block
    • NTP - 123/tcp always block
    • LPD - 515/tcp always block
    • syslog - 514/udp always block
    • SNMP - 161/tcp/udp, 162/tcp/udp always block
    • BGP - 179/tcp always block
    • SOCKS - 1080/tcp always block


SCOPE / APPLICABILITY:

This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.

POLICY AUTHORITY / ENFORCEMENT:

The University's Information Security Officer (ISO) is responsible for the development and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

POLICY REVIEW:

This policy will be reviewed annually to determine if the policy is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed.

COMPLIANCE:

Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.


REVISION HISTORY:

Version / Revision Date / Description

1.0 / July 23, 2007 / Original Publication


This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.


Approved July 23, 2007 by the IT Division
