Standard and Process
See the specific requirements in the Network Firewall Standard in the University Policy library. The following supplements the requirements in University policy.
Configure the firewall to deny all network traffic and applications by default. Use the appropriate configuration management tools to allow specific network traffic or applications on a case-by-case basis. See the Log Management Standard for firewall log requirements.
Disable or remove insecure services, protocols, or ports that are not necessary.
PCI DSS defines an insecure protocol, service, or port as a protocol, service, or port that introduces security concerns due to the lack of controls over confidentiality and/or integrity. These security concerns include services, protocols, or ports that transmit data or authentication credentials (for example, password/passphrase) in clear-text over the network, or that easily allow for exploitation by default or if misconfigured. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.
If insecure services, protocols, or ports are necessary, the risk posed by the use of these services, protocols, or ports needs to be clearly understood and accepted by the unit, and the use of the services, protocols, or ports needs to be justified, including implementation of security features that allow these protocols to be used more securely when possible. For additional guidance on services, protocols, or ports considered to be insecure, refer to industry standards and guidance (e.g., NIST, OWASP).
Examples of secure protocols include, but are not limited to TLS, IPSEC, SSH, HTTPS.
See the Log Management Standard for firewall log requirements.
A network firewalling technology (e.g. port or IP address filtering) must be used to help protect the computer systems and networked devices. A network firewall is most often an appliance installed into a network for the purpose of controlling access to hosts or networks.
Maintain a general document that classifies applications and traffic and explains the need and use on your devices and network behind the firewall.
Maintain detailed documentation for the requirements and business justification for each rule, including approvals by personnel not responsible for managing the firewall configuration. For insecure services, protocols, or ports, document the security features that allow these services, protocols, or ports to be used securely.
Periodically review the documentation and firewall rules to ensure that they are still needed and are correctly implemented. Document all reviews and changes to the firewall rules. Follow the appropriate change control process for firewall rule changes.
See the Information Security policy appendices for additional information security standards that also apply.