Firewall Guidelines

ed-tns-firewall-01

1.0 Documentation

The purpose of this Penn State University College of Education (CoE) Firewall guideline is to establish best practices in the use of port-level security on all networked devices (networks, switches, servers, laptops, wireless configurations, mobile systems, and services) within the College LAN. These guidelines are necessary to preserve the integrity, availability, and confidentiality of Penn State University College of Education devices and data. Any questions or comments about this document should be directed to the Office of the Associate Dean for Research, Outreach, and Technology.

2.0 Change Management

There is one managed Checkpoint firewall appliance for the College. The firewall rules are required by Penn State and the College of Education to provide appropriate safeguards and access to College systems and data. Restricting specific ports allows us to comply with governmental, state, and local IT policies while directing traffic used for business purposes to the appropriate devices and data on our LAN.

2.1 Organizational Structure

Penn State Telecommunications and Networking Services (TNS) provides the College’s Checkpoint appliance and related services.

The College maintains the rule set in collaboration with the TNS Firewall Manager. This collaboration covers requests for new rules, additions, and changes. Reviews and refreshes of the College’s rule set are scheduled at regular intervals.

2.2 Responsibilities and Accountability

This policy applies to operators of college-owned servers or networked devices that communicate with Penn State University enterprise networks.

Listed below are the minimum guidelines for managing our firewall service:

  1. All firewall rule requests must be submitted through the CETC ticket system. After review by the Systems Administrators, a Firewall Request Form is submitted to TNS.
  2. TNS: Authorization and verification are provided via email to: tns-firewallmanager@resources.ucs.psu.edu
  3. A revised firewall rule set is provided after each change to the College Firewall Service.
  4. Only College (CETC) Systems Administrators may request firewall changes as needed. (See #1)
  5. Request for Firewall Rules Form requires this format:
    • Request:
    • Priority: 
    • Reason for Change: 
    • Firewall Name: Chambers-FWO1
    • Create New Rule: 
    • Source: 
    • Destination:
    • Ports:
    • Action:
    • Track:
    • Log:
    • Comments:
  6. Only authorized IT staff are permitted access to specialized core services, for example the Hyper-V server environment.
  7. IT will ensure that physical and logical topology (e.g. VLANs) is used to create network segregation, such as security zones, that prevents traffic from asset types of differing criticality from reaching each other.
  8. IT will ensure that all devices are locked down to specific IPs or a range of IP addresses and limited to only the ports that are required.
  9. IT will annually review all firewall rules to ensure they are still needed and appear appropriate. Additionally, IT will ensure there is documentation as to whether each rule is permanent or temporary and, if temporary, set an automatic expiration or require the rule to be reviewed more frequently.
  10. IT will maintain firewall log files. Logs will be retained for at least one month online and one year offline, as required by the General Retention Schedule.
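As an added example of how items 8 and 9 can be checked mechanically at review time (this is not the College's, TNS's or Checkpoint's own tooling), the script below reads a firewall rule register, here a constructed CSV whose column names are assumptions, and flags rules that lack a CETC ticket reference, are not restricted to specific addresses and ports, have no documented lifetime, or are marked temporary and are past their expiration date.

```python
"""Audit a firewall rule register against the scoping, documentation and
expiry requirements of guideline items 8 and 9. Added example; the
register columns below are assumed, not taken from a real rule export."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample register (not the College's real rule set).
SAMPLE_REGISTER = """\
rule_id,ticket,source,destination,ports,action,lifetime,expires,comment
10,CETC-1001,10.0.0.0/24,10.1.2.3,443/tcp,accept,permanent,,web front end
20,CETC-1002,Any,10.1.2.4,3389/tcp,accept,temporary,2023-01-31,vendor remote support
30,,Any,Any,Any,accept,,,
40,CETC-1003,10.0.5.0/24,10.1.2.5,1433/tcp,accept,temporary,2099-12-31,database migration
"""

# Fixed review date so the sample audit is reproducible.
REVIEW_DATE = date(2024, 6, 1)


@dataclass
class Finding:
    rule_id: str
    issue: str


def parse_register(text: str) -> list[dict]:
    """Read the CSV register into one dictionary per rule."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_rule(rule: dict, today: date) -> list[Finding]:
    """Return every guideline gap found in a single rule."""
    rid = rule["rule_id"]
    findings = []

    # Items 1 and 4: every rule should trace back to a CETC ticket.
    if not rule["ticket"].strip():
        findings.append(Finding(rid, "no CETC ticket reference"))

    # Item 8: rules are locked to specific addresses and required ports.
    src, dst = rule["source"].strip().lower(), rule["destination"].strip().lower()
    if src == "any" or dst == "any":
        findings.append(Finding(rid, "source or destination is Any; restrict to specific IPs or a range"))
    if rule["ports"].strip().lower() == "any":
        findings.append(Finding(rid, "ports are Any; limit to the ports that are required"))

    # Item 9: lifetime is documented; temporary rules carry an expiration.
    lifetime = rule["lifetime"].strip().lower()
    if lifetime not in ("permanent", "temporary"):
        findings.append(Finding(rid, "lifetime not documented as permanent or temporary"))
    elif lifetime == "temporary":
        expires = rule["expires"].strip()
        if not expires:
            findings.append(Finding(rid, "temporary rule has no expiration date"))
        elif date.fromisoformat(expires) < today:
            findings.append(Finding(rid, f"temporary rule expired on {expires}"))
    return findings


def audit_register(text: str, today: date) -> list[Finding]:
    """Audit every rule in a register and collect the findings."""
    findings = []
    for rule in parse_register(text):
        findings.extend(audit_rule(rule, today))
    return findings


def audit_sample() -> list[Finding]:
    """Run the audit over the constructed register at the fixed review date."""
    return audit_register(SAMPLE_REGISTER, REVIEW_DATE)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"rule {f.rule_id}: {f.issue}")
```

Run against a real export, each finding maps directly to a change request on the Firewall Request Form: the expired temporary rule and the Any-to-host rule become removal or tightening requests, and the undocumented rule needs its ticket and lifetime recorded before the next review cycle.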

2.3 Monitoring

Procedures used on the firewall to detect security breaches and attacks:

  1. IT will monitor procedures used on the firewall to detect security breaches and attacks.
    • Automated procedures: In conjunction with TNS, IT authorizes rapid response to the fixes, patches, updates, and alerts required to maintain the integrity of the College LAN and data.
    • Manual procedures: During manual auditing and review of the firewall rules, IT will request necessary changes via the TNS Firewall Rules Form as needed.
  2. Monitoring will be performed on an annual basis.
  3. Logs will be reviewed proactively and in response to specific incidents. (See 2)

3.0 References

Penn State Service Management Office: http://smo.psu.edu/documents. College IT Guidelines and Policies, Information Technology Guidelines and Policies.