Firewall Standard



I. Introduction

This document describes the standard firewall rules that will be applied to all firewalls connected to the University’s networks. The University’s standard firewall is the Lucent Brick Firewall.

II. Standard

Firewall Overview

1) The University has implemented a “Security Zone” approach to firewall configuration and deployment. These “Security Zones” are implemented as rule-sets on University firewalls. Each firewall will provide multiple “Security Zones” to implement specific security controls for each zone. Default sets of “Security Zones” are created during the implementation of each University firewall as follows:

• Workstation Zone

• Server Zone

• “Demilitarized” Zone (DMZ)

2) CSSD defines these “Security Zones” to be implemented for each firewall as follows:

• Workstation Zone – The Workstation zone is designed to protect a University Unit’s workstations, network printers, and other local network devices (inside the firewall) from all other zones. Access to this zone from all other zones is restricted and controlled.

• Server Zone – The Server zone is designed to protect a University Unit’s critical infrastructure such as domain controllers, file, print, intranet (internal web applications), application, and database servers. Access to this zone is limited to the Unit’s Workstation Zone.

• DMZ Zone – The DMZ zone is designed to protect any server that is accessed by a broad audience. An example of this is a web server that is accessed by users from around the world. This zone acts as a protective layer between a University Unit’s workstations and servers. Only necessary ports are allowed inbound to this zone. Additionally, the Unit’s Workstation and Server zones are allowed to access the DMZ zone.

• Other Zones – Other Zones are specialized zones within a department. These zones are created on an as-needed basis. Other zones typically follow the same access controls as workstation zones but may vary according to needs. Examples of other zones are Labs, Classrooms, Development, Database, etc.

• Exceptions to any zone can be created with CSSD Security approval in accordance with the standards presented in this document.

Firewall Configuration

1) All physical network interfaces or VLAN interfaces will be configured with static IP addresses.

2) Each physical firewall will be configured to support multiple virtual firewalls. Each virtual firewall has its own routing information, its own set of IP addresses, its own firewall policies, etc. through the use of partitions.

3) Serial port access will be enabled on each physical firewall to allow local console management. A unique secure password will be assigned to each physical firewall for local console management.

4) All rule-sets, rules, host groups and service groups will have a complete description (e.g. the “VNC” service group description should be “VNC remote control application” and should name the port and protocol, “tcp5900”).

5) Host groups will be defined as local to each firewall. Host groups that are used across multiple firewalls will be defined as global. Local firewall host group names will use mixed case characters. Global firewall host group names will use all upper case characters. When a host group is converted from local to global, its name will be changed to upper case.

6) Service groups will be defined as global to all firewalls. Service groups that will be utilized for only one firewall will be defined as local to that firewall. Local firewall service group names will use mixed case characters. Global firewall service group names will use all upper case characters.

7) All firewalls will be assigned a local console rule-set (“firewall”) and an administrative zone rule-set (“administrative zone”).

Firewall Rule-Sets

1) Rule-sets will be defined for each “Security Zone” (Workstation Zone, Server Zone, DMZ Zone) as needed. Multiple rule-sets may be defined for each “Security Zone”.

2) The system generated “firewall” rule-set will be assigned to the “local” interface for each firewall. The system generated “administrative zone” will be assigned to one of the network “etherX” interfaces for each firewall.

3) Rule-sets will be numbered according to the following ranges:

|Range Low |Range High |Description |
|1 |199 |Reserved for future features |
|200 |299 |Firewall, Administration and Proxy rules |
|300 |399 |User Authentication rules |
|400 |499 |VPN rules |
|500 |999 |Reserved for future features |
|1000 |64999 |Administrator created rules |
|65000 |65534 |Reserved for future features |
|65535 |65535 |Default Drop-All rule |

TCP State Enforcement

PITTNET firewalls should monitor TCP state for every established session so that the firewall protections are NOT forgone. A proper timeout for each session type should be researched and settled on to ensure that a properly opened TCP session can resume when necessary (by having an active cache entry), but that TCP sessions are not kept in the cache because they did not close properly, or because they will not be resumed after some idle time. Note that this is a huge problem with Windows, as it almost never closes an open socket.
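The following is an added illustration of the state-tracking behaviour described above; it is example code written for this page, not Lucent Brick configuration or any University tooling. It assumes a state table keyed on the inside-initiated flow, with per-state idle timeouts (the 30 s, 3600 s and 120 s values are arbitrary choices, not values from the standard), and uses constructed addresses and a constructed traffic trace. Inbound packets pass only when they match a cached entry; a handshake that never completes and a session that is never closed both age out of the cache.

```python
"""Stateful TCP session tracking with per-state idle timeouts (illustrative, not a product implementation)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

FlowKey = Tuple[str, int, str, int]   # (inside ip, inside port, outside ip, outside port)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class Session:
    state: str        # SYN_SENT -> SYN_RECV -> ESTABLISHED -> CLOSING
    last_seen: float  # clock value of the last packet in either direction


class TcpStateTable:
    """Tracks sessions opened from the protected zone; inbound packets pass only if they match one."""

    def __init__(self, handshake_timeout=30.0, established_timeout=3600.0, closing_timeout=120.0):
        # Assumed timeouts; the standard asks for these to be researched per session type.
        self.timeouts = {"SYN_SENT": handshake_timeout, "SYN_RECV": handshake_timeout,
                         "ESTABLISHED": established_timeout, "CLOSING": closing_timeout}
        self.sessions: Dict[FlowKey, Session] = {}

    def expire(self, now: float) -> int:
        """Remove cache entries idle longer than their state's timeout; return how many were removed."""
        stale = [k for k, s in self.sessions.items() if now - s.last_seen > self.timeouts[s.state]]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def outbound(self, pkt: Packet, now: float) -> bool:
        """Packet leaving the protected zone: the zone policy allows it, we only record state."""
        self.expire(now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if "RST" in pkt.flags:
            self.sessions.pop(key, None)          # reset tears the entry down immediately
            return True
        s = self.sessions.get(key)
        if s is None:
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions[key] = Session("SYN_SENT", now)   # only a fresh SYN creates state
            return True
        s.last_seen = now
        if s.state == "SYN_RECV" and "ACK" in pkt.flags:
            s.state = "ESTABLISHED"               # third leg of the handshake
        if "FIN" in pkt.flags:
            s.state = "CLOSING"
        return True

    def inbound(self, pkt: Packet, now: float) -> bool:
        """Packet arriving from outside: passes only if it belongs to a cached session."""
        self.expire(now)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed to match the inside-initiated flow
        s = self.sessions.get(key)
        if s is None:
            return False                          # no cache entry: the zone's default drop applies
        s.last_seen = now
        if "RST" in pkt.flags:
            del self.sessions[key]
            return True
        if s.state == "SYN_SENT":
            if pkt.flags >= {"SYN", "ACK"}:
                s.state = "SYN_RECV"
                return True
            return False                          # anything but SYN/ACK is not a valid handshake reply
        if "FIN" in pkt.flags:
            s.state = "CLOSING"
        return True

    def active(self) -> int:
        return len(self.sessions)


def demo() -> dict:
    """Constructed traffic trace (not from the standard): one good session, one unanswered SYN, one stray SYN."""
    t = TcpStateTable()
    ws, srv = "10.1.1.5", "203.0.113.10"       # constructed workstation and outside server addresses
    F = frozenset
    r = {}
    t.outbound(Packet(ws, 51000, srv, 443, F({"SYN"})), 0.0)
    r["synack_passes"] = t.inbound(Packet(srv, 443, ws, 51000, F({"SYN", "ACK"})), 0.1)
    t.outbound(Packet(ws, 51000, srv, 443, F({"ACK"})), 0.2)
    r["data_passes"] = t.inbound(Packet(srv, 443, ws, 51000, F({"ACK"})), 1000.0)
    # Unsolicited inbound SYN towards SMB: no cache entry, so it is refused.
    r["stray_syn_passes"] = t.inbound(Packet("198.51.100.7", 40000, ws, 445, F({"SYN"})), 1001.0)
    # A handshake that never completes ages out after the handshake timeout.
    t.outbound(Packet(ws, 51001, "203.0.113.11", 80, F({"SYN"})), 1002.0)
    r["sessions_before_expiry"] = t.active()
    r["expired_after_handshake_timeout"] = t.expire(1002.0 + 31)
    # The session that was never closed (the Windows case) is dropped once idle past the timeout.
    r["idle_after_one_hour"] = t.inbound(Packet(srv, 443, ws, 51000, F({"ACK"})), 1000.0 + 3601)
    r["sessions_at_end"] = t.active()
    return r


if __name__ == "__main__":
    print(demo())
```

The point of the trace is the last two results: the unanswered SYN is gone after the short handshake timeout, and the open-but-idle session is gone after the long one, so neither lingers in the cache while a live session resumes normally.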

Workstation Zone Rule-Set Table

|Rule Description |Rule Number |Protocol |Port/Type |Direction |Source Address |Destination Address |Action |
|Allow any traffic from datacom management machines | |Any |Any |In |Datacom management machines |Workstations in workstation zone |Pass |
|Allow any traffic from management VLAN 1 | |Any |Any |In |VLAN-1 management machines |Workstations in workstation zone |Pass |
|Allow any traffic from 1st upstream router interface | |Any |Any |In |First upstream router interface |Workstations in workstation zone |Pass |
|Allow broadcast traffic from 1st upstream router interface | |Any |Any |In |First upstream router interface |Broadcast addresses in workstation zone |Pass |
|Allow ICMP destination unreachable messages to be returned | |ICMP |3 |In |Any |Workstations in workstation zone |Pass |
|Allow ICMP time/ttl exceeded messages to be returned | |ICMP |11 |In |Any |Workstations in workstation zone |Pass |
|Allow ICMP parameter problem messages to be returned | |ICMP |12 |In |Any |Workstations in workstation zone |Pass |
|Allow ICMP traceroute return | |ICMP |30 |In |Any |Workstations in workstation zone |Pass |

Server Zone Rule-Set Table

|Rule Description |Rule Number |Protocol |Port/Type |Direction |Source Address |Destination Address |Action |
|Allow any traffic from workstation zone | |Any |Any |In |Workstations in workstation zone |Servers in server zone |Pass |
|Allow any traffic from datacom management machines | |Any |Any |In |Datacom management machines |Servers in server zone |Pass |
|Allow any traffic from management VLAN 1 | |Any |Any |In |VLAN-1 management machines |Servers in server zone |Pass |
|Allow any traffic from 1st upstream router interface | |Any |Any |In |First upstream router interface |Servers in server zone |Pass |
|Allow broadcast traffic from 1st upstream router interface | |Any |Any |In |First upstream router interface |Broadcast addresses in server zone |Pass |
|Allow ICMP destination unreachable messages to be returned | |ICMP |3 |In |Any |Servers in server zone |Pass |
|Allow ICMP time/ttl exceeded messages to be returned | |ICMP |11 |In |Any |Servers in server zone |Pass |
|Allow ICMP parameter problem messages to be returned | |ICMP |12 |In |Any |Servers in server zone |Pass |
|Allow ICMP traceroute return | |ICMP |30 |In |Any |Servers in server zone |Pass |

DMZ Zone Rule-Set Table

|Rule Description |Rule Number |Protocol |Port/Type |Direction |Source Address |Destination Address |Action |
|Allow any traffic from workstation zone | |Any |Any |In |Workstations in workstation zone |Servers in DMZ zone |Pass |
|Allow any traffic from datacom management machines | |Any |Any |In |Datacom management machines |Servers in DMZ zone |Pass |
|Allow any traffic from management VLAN 1 | |Any |Any |In |VLAN-1 management machines |Servers in DMZ zone |Pass |
|Allow any traffic from 1st upstream router interface | |Any |Any |In |First upstream router interface |Servers in DMZ zone |Pass |
|Allow broadcast traffic from 1st upstream router interface | |Any |Any |In |First upstream router interface |Broadcast addresses in DMZ zone |Pass |
|Allow ICMP destination unreachable messages to be returned | |ICMP |3 |In |Any |Servers in DMZ zone |Pass |
|Allow ICMP time/ttl exceeded messages to be returned | |ICMP |11 |In |Any |Servers in DMZ zone |Pass |
|Allow ICMP parameter problem messages to be returned | |ICMP |12 |In |Any |Servers in DMZ zone |Pass |
|Allow ICMP traceroute return | |ICMP |30 |In |Any |Servers in DMZ zone |Pass |

Workstation Allowed Firewall Exceptions

|Service Description |Traffic Source |Traffic Destination |Destination Port |Notes |
|Netbios, MS-DS, Exchange Mail Notification |Server Zone |Workstation Zone |TCP/UDP: 135, 136, 137, 138, 139, 445; UDP: 1024-65000 (Exchange Mail Notification) | |

Server Zone Allowed Firewall Exceptions

|Service Description |Traffic Source |Traffic Destination |Destination Port |Notes |
|Netbios, MS-DS, Exchange Mail Notification |Workstation Zone |Server Zone |TCP/UDP: 135, 136, 137, 138, 139, 445 | |
|Active Directory replication |PITTNET-NO Dorms |Server Zone |AD Replication Ports |This allows departmental Domain controllers to replicate with the University’s Active Directory Tree |
|SSH, SFTP, SCP, SSL |1. Workstation Zone; 2. Specific IP addresses that are not gateway hosts |Server Zone |22, 443 | |
|IMAP, POP3, SMTP |Workstation Zone Only |Server Zone |143, 110, 25 |This is to allow users in the Workstation zone to access mail from a server that is located in the Server Zone. *Note: Mail servers that serve users located outside of the Workstation zone must be placed in the DMZ. |
|Print services |Workstation Zone |Server Zone |Any defined print service (9100, 515, etc.) |This is to allow users in the Workstation zone to access print servers that are located in the Server zone. |

Demilitarized Zone Allowed Firewall Exceptions

|Service Description |Traffic Source |Traffic Destination |Destination Port |Notes |
|SSH, SCP, SFTP, HTTPS, HTTP |World |DMZ Zone |22, 443 |Allows traffic from anywhere to access resources in the DMZ over encrypted channels. This would primarily be used for accessing publicly-accessible data. |

Services Blocked on all Firewall Zones

|Service Description |Traffic Source |Traffic Destination |Destination Port |Notes |
|PC Anywhere, terminal services, Remote Desktop, Citrix, telnet, VNC, SQL, and most plain text services |Anywhere |Server or Workstation Zones |Any |This is to block unencrypted remote administration services into protected firewall zones |

Services to Allow Limited Access at the Perimeter Firewall

|Port |Service |Description |
|22 |SSH |Secure Shell |
|25 |SMTP |The port a mail server receives mail on |
|53 |DNS |The port your Domain Name Service (DNS) listens to for DNS requests |
|67,68 |DHCP |The port your Dynamic Host Configuration Protocol (DHCP) server listens to for handing out IP addresses and network information |
|80 |HTTP |The port Web servers listen to by default |
|98 |Linuxconf |Linux-only, for the Linuxconf configuration program |
|110 |POP3 |The port a mail server listens to for clients to pick up mail from |
|111 |RPC portmap |Required by NFS servers and other RPC-based programs |
|113 |Auth |The port the ident server uses when a remote host wants to verify that the users are coming from the IP they claim to be coming from |
|119 |NNTP |Usenet (newsgroups) |
|123 |NTP |Network Time Protocol |
|137-139 |NetBIOS |(Windows File and Print Sharing) The ports Windows and Samba use for sharing drives and printers with other clients |
|143 |IMAP |The port a mail server listens to for clients using IMAP to read their mail instead of POP3 |
|389 |LDAP |Lightweight Directory Access Protocol |
|443 |HTTPS |The port Web servers listen to by default for SSL-enabled Web activity |
|465 |SSMTP |SMTP over SSL |
|512-515 |*NIX-specific ports |*NIX-specific ports for the exec, biff, login, who, shell, syslog, and lpd programs to listen to |
|993 |SIMAP |IMAP over SSL |
|995 |SPOP3 |POP3 over SSL |
|1080 |SOCKS |SOCKS proxy |
|2049 |NFS |Used to export file systems to other *NIX-based computers |
|3128 |SQUID |Squid proxy |
|3306 |MySQL |The port the MySQL server listens to |
|5432 |PostgreSQL |The port the PostgreSQL server listens to |
|6000-6069 |X Windows |*NIX-only, for the X Windows GUI desktop |
|8080 |Proxy |Used by many Web caching proxy servers |

Access to other services will be permitted on an as needed basis with approval by CSSD Security.

ICMP Services to Allow Inbound

|Message Type |Name |
|0 |Echo reply |
|3 |Destination Unreachable |
|11 |Time Exceeded |
|12 |Parameter Problem |
|30 |Traceroute |

III. Definitions

Availability - Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.

Communications Network - A system of communications equipment and communication links (by line, radio, satellite, etc.), which enables computers to be separated geographically, while still ‘connected’ to each other.

Computer System - One or more computers, with associated peripheral hardware, with one or more operating systems, running one or more application programs, designed to provide a service to users.

Confidentiality - Assurance that the information is shared only among authorized persons or organizations. Breaches of Confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data, etc.

Cracker - A cracker is either a piece of software (program) whose purpose is to ‘crack’ the code (i.e.: a password), or ‘cracker’ refers to a person who attempts to gain unauthorized access to a computer system. Such persons are usually ill intentioned and perform malicious acts.

Data / Information - In the area of Information Security, data is processed, formatted, and re-presented, so that it gains meaning and thereby becomes information. Information Security is concerned with the protection and safeguard of that information, which in its various forms can be identified as Business Assets.

Default - A default is the setting, or value, that a computer program (or system) is given as a standard setting. It is likely to be the setting that ‘most people’ would choose.

Denial of Service - A Denial of Service (DoS) attack, is an Internet attack against a Web site whereby a client is denied the level of service expected. In a mild case, the impact can be unexpectedly poor performance. In the worst case, the server can become so overloaded as to cause a crash of the system.

Dual Homing – A device that has concurrent connectivity to more than one network from a computer or network device. Examples include: Being logged into the Corporate network via a local Ethernet connection, and dialing into AOL or other Internet service provider (ISP).


e-Commerce - Electronic transaction, performed over the Internet – usually via the World Wide Web – in which the parties to the transaction agree, confirm, and initiate both payment and goods transfer.

Firewall - Security devices used to restrict access in communication networks. They prevent computer access between networks (i.e.: from the Internet to your corporate network), and only allow access to services, which are expressly registered.

Fix - An operational expedient that may be necessary if there is an urgent need to amend or repair data, or solve a software bug problem.

Hacker - An individual whose primary aim in life is to penetrate the security defenses of large, sophisticated, computer systems. A truly skilled hacker can penetrate a system right to the core, and withdraw again, without leaving a trace of the activity.

Incursion - A penetration of the system by an unauthorized source. Similar to an Intrusion, the primary difference is that Incursions are classed as ‘hostile’.

Integrity - Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose. The term integrity is used frequently when considering Information Security as it represents one of the primary indicators of security (or lack of it). The integrity of data is not only whether the data is ‘correct’, but also whether it can be trusted and relied upon. For example, making copies (say by e-mailing a file) of a sensitive document, threatens the integrity of information. By making one or more copies, the data is then at risk of change or modification.

Internet - A publicly accessible Wide Area Network that can be employed for communication between computers.

ISO - The International Organization for Standardization is a group of standards bodies from approximately 130 countries whose aim is to establish, promote and manage standards to facilitate the international exchange of goods and services.

ISP - An Internet Service Provider is a company, which provides individuals and organizations with access to the Internet, plus a range of standard services such as e-mail and hosting of personal and corporate Web sites.

Intranet - A Local Area Network within an organization, which is designed to look like, and work in the same way as, the Internet. Intranets are essentially private networks, and are not accessible to the public.


Intrusion - The IT equivalent of trespassing. An uninvited and unwelcome entry into a system by an unauthorized source. While incursions are always seen as hostile, intrusions may be innocent.

IP Address - The IP address or ‘Internet Protocol’ is the numeric address that guides all Internet traffic, such as e-mail and Web traffic, to its destination.

Lab - A Lab is any non-production environment, intended specifically for developing, demonstrating, training and/or testing of a product.

Local Area Network - A private communications network owned and operated by a single organization within one location. The network may comprise one or more adjacent buildings. A local area network will normally be connected by hard-wired cables or short-range radio (wireless) equipment. A LAN will not use modems or telephone lines for internal communications, although it may well include such equipment to allow selected users to connect to the external environment.

Log on / off - The processes by which users start and stop using a computer system.

Network - A configuration of communications equipment and communication links by network cabling or satellite, which enables computers and their terminals to be geographically separated, while still connected to each other. See also Communications Network.

Network Administrator - Individual(s) responsible for the availability of the Network, and the controlling of its use.

Operating System - Computer programs that are primarily or entirely concerned with controlling the computer and its associated hardware, rather than processing work for users. Computers can operate without application software, but cannot run without an operating system.

Password - A string of characters put into a system by a user to substantiate their identity, and/or authority, and/or access rights, to the computer system that they wish to use.

Penetration - Intrusion, trespassing, unauthorized entry into a system.

Penetration Testing - The execution of a testing plan, where the sole purpose is to attempt to hack into a system using known tools and techniques.


Physical Security - Physical protection measures to safeguard the organization’s systems, including restrictions on entry to premises, restrictions on entry to computer department, locking/disabling equipment, disconnection, fire-resistant and tamper-resistant storage facilities, anti-theft measures, anti-vandal measures, etc.

Policy - A policy may be defined as ‘An agreed approach in theoretical form, which has been agreed to / ratified by a governing body, which defines direction and degrees of freedom for action’.

Privilege - Privilege is the term used throughout most (if not all) applications and systems to denote the level of operator permission, or authority. Privilege can be established at the file or folder (directory) level and can allow read only access, but prevent changes. Privileges can also refer to the extent to which a user is permitted to enter and confirm transactions / information within the system.

Privileged User - A user who, by virtue of function, and/or seniority, has been allocated powers within the computer system, which are significantly greater than those available to the majority of users.

Process - In computer terms, a process refers to one of the dozens of programs that are running to keep the computer running. When a software program is run, a number of processes may be started.

Production System - A system is said to be in production when it is in live, day-to-day operation.

Protocol - A set of formal rules describing how to transmit data, especially across a network. Low-level protocols define the electrical and physical standards to be observed, bit and byte ordering and the transmission and error detection and correction of the bit stream. High-level protocols deal with the data formatting, including the syntax of messages, the terminal to computer dialogue, character sets, sequencing of messages, etc.

Remote Access - Any access to Company X’s corporate network through a non-Company X controlled network, device, or medium.

Security Administrator - Individual(s) who are responsible for all security aspects of a system on a day-to-day basis.

Security Incident - A security incident is an alert to the possibility that a breach of security may be taking, or may have taken, place.

Sensitive Information - Information is considered sensitive if it can be damaging to the University or its reputation.

Split tunneling - Simultaneous direct access to a non-University network (such as the Internet or a home network) from a remote device while connected to the University’s network via a VPN tunnel.

Spoofing - Spoofing is an alternative term for identity hacking and masquerading. The interception, alteration, and retransmission of data in an attempt to deceive the targeted recipient.

Spot Check - The term ’spot check’ comes from the need to validate compliance with procedures by performing impromptu checks on records and other files, which capture the organization’s day-to-day activities.

Unauthorized Disclosure - The intentional or unintentional revealing of restricted information to people who do not have a legitimate need to know that information.

VPN - Virtual Private Network (VPN) is a method for accessing a remote network via “tunneling” through the Internet.

IV. References

University Policy 10-02-06, Administrative University Data Security and Privacy.

CSSD Guideline GDL-2004-0803, Firewall Guidelines.

CSSD Procedure PRC-2004-0803, Firewall Procedures.
