National Institutes of Health

NIH NIHnet/Firewall Policy

Chief Information Officer
National Institutes of Health
Department of Health and Human Services

September 6, 2011

For Official Use Only


Table of Contents

1. Purpose

2. Background

3. Scope

4. Policy

5. Roles and Responsibilities

5.1 NIH Chief Information Officer (CIO)

5.2 NIH Chief Information Security Officer (CISO)

5.3 NIH Institutes and Centers Chief Information Officer (IC CIO)

5.4 IC Information Systems Security Officers (ISSO)

5.5 The Incident Response Team (IRT)

5.6 Management Officials

6. Compliance and Oversight

7. Applicable Laws and Guidance

8. Information and Assistance

9. Effective Date/Implementation

10. Approved

Glossary

Appendix A: Links Referenced

Appendix B: Restricted Ports & Services


Record of Changes

|Version Number |Release Date      |Summary of Changes                                                                                                                                                      |Section Number/Paragraph Number |Changes Approved by and Date |
|1              |January 9, 2007   |Original document.                                                                                                                                                      |All                             |OCIO/ISAO                    |
|1.1            |May 28, 2010      |Reformatted and updated link to IRT forms.                                                                                                                              |4.2.1                           |OCIO/ISAO                    |
|2.0            |September 6, 2011 |Annual review; reformatted and updated links and references. Updated the Background and Compliance sections. Added information on restricted ports and services (Appendix B). |2, 4, 6, Appendix B             |OCIO/ISAO                    |


1. Purpose

The NIH IT Security Program employs a defense-in-depth strategy based on safeguards that are commensurate with risk and the available resources. This document establishes an NIH policy of restricting unnecessary Internet traffic by denying all inbound network access except that which is explicitly required to achieve the NIH mission, and by restricting outbound traffic.

2. Background

A firewall is a device or set of devices that permits or denies network traffic according to a set of rules, thereby protecting resources and assets. Firewalls are effective at blocking and monitoring inbound and outbound network traffic, but a significant number of threats have moved from the network layer to the application layer, which limits the effectiveness of firewalls as a sole means of protection. Firewalls can still contribute at the application layer when they are used in conjunction with other security countermeasures such as Intrusion Detection and Intrusion Prevention Systems (IDS/IPS) and ongoing vulnerability scanning.

The National Institute of Standards and Technology (NIST) SP 800-41, current rev., Guidelines on Firewalls and Firewall Policy, recommends that federal agencies implement firewall policies that block all inbound traffic unless that traffic is explicitly permitted. NIH accordingly instituted policies that block specific types of network traffic unless it is directed to authorized NIH servers and services.

Implementing this policy helps mitigate the loss of critical services or irreplaceable scientific research data; the unauthorized disclosure of sensitive and confidential information such as financial or medical records; the unavailability of health information to the public; and damage to the credibility of NIH through exposure of critical infrastructure or the use of NIH resources to launch Internet attacks.

3. Scope

This policy applies to the NIHnet perimeter firewall services, referred to as the NIHnet firewall. This policy does not address the specific inbound services that will be allowed. Institutes and Centers (ICs), and other organizations managing firewalls connected to NIHnet, should implement firewall policies that are as restrictive as possible while meeting operational requirements.

For this policy:

• “Service” is a defined set of servers or a server with an associated set of network protocols.

• “Inbound” is network traffic originating from non-NIH IP address ranges.

• “Outbound” is network traffic originating from NIH IP address ranges.

4. Policy

1. Inbound network traffic is blocked at the security perimeter by NIH firewalls, except that which is explicitly authorized to achieve the NIH mission.

The NIH security perimeter is a set of network access controls that separates the NIH community from less trusted sources, such as the Internet.  To reduce risk and support business needs, the security perimeter provides flexibility with accountability.  Therefore, the policy governing the security perimeter defines a change control process emphasizing due diligence rather than a defined set of access control statements.

All systems within NIHnet must be configured securely and with software versions kept up-to-date, so they are not vulnerable to any known attacks.  Systems that have been compromised or are deemed vulnerable will be blocked at the NIHnet firewalls and/or routers.

For a sample list of restricted ports and services, please see Appendix B of this policy. IC ISSOs may also make a request to the NIH IRT for a list of known exceptions and restrictions.

2. The NIH firewalls block inbound services at the security perimeter unless the service has been authorized and validated using the following procedure: 

▪ The IC ISSO requests a new service on behalf of a system owner.  The IC ISSO sends the request to the NIH IRT for validation after ensuring that the service is consistent with the applicable security policies and supports the IC’s mission. The firewall request form, which is online, can be accessed at:

▪ The NIH IRT validates that the request is complete, does not pose undue risk to the NIH, is compliant with the Enterprise Architecture, and is technically feasible. 

▪ The NIH CISO or designee must approve the request submitted by the IC ISSO before the exception is implemented. 

▪ The NIH IRT conducts periodic reviews of inbound services to ensure that the security perimeter is up-to-date. 

3. The security perimeter permits outbound services unless the NIH CISO or designee has determined that an outbound service poses significant risk to NIH or violates the Enterprise Architecture and has denied it. The NIH IRT will conduct periodic reviews of denied services to ensure that the security perimeter is up-to-date. 

Emergency security perimeter changes are implemented on an as-needed basis in response to attacks on NIH assets.

5. Roles and Responsibilities

The primary individuals listed below may assign a designee to carry out these responsibilities.

5.1 NIH Chief Information Officer (CIO)

The NIH CIO establishes and ensures the implementation of this policy at NIH consistent with all other Federal, HHS, and NIH rules and regulations.

5.2 NIH Chief Information Security Officer (CISO)

The NIH CISO implements this policy within NIH, ensures compliance, and approves all exceptions.

5.3 NIH Institutes and Centers Chief Information Officer (IC CIO)

The IC CIO provides the resources necessary for policy implementation; trains IC employees, as appropriate; implements the required security controls; and reports policy implementation status to the CISO. The IC CIO is also responsible for ensuring that IC-specific policies are written and implemented, as applicable.

5.4 IC Information Systems Security Officers (ISSO)

The IC ISSOs coordinate the implementation of this policy within their IC; monitor and ensure compliance; and submit exception requests to the NIH CISO.

5.5 The Incident Response Team (IRT)

The Incident Response Team (IRT) is the focal point for security incidents at NIH. The IRT is responsible for the following:

▪ Enforcing this policy;

▪ Blocking access for NIH systems that are the source of attack attempts, or are involved in compromises, critical exploits, incidents, or web site defacements;

▪ Restoring access to systems involved in security events mentioned above when remediation has been validated.

5.6 Management Officials

Management officials, in their supervisory role, are responsible for ensuring that employees, contractors, interns, etc. participate in the development and review of this information security policy in a timely manner, as appropriate, and for informing users (employees, contractors, interns, etc.) of their rights and responsibilities, including disseminating the information in this policy.

6. Compliance and Oversight

Where deviations from this policy are necessary, the IC ISSO must follow the exception procedure in section 4.2 of this policy. A firewall exception request is evaluated by the NIH IRT and the NIH CISO, and must include a business case that specifies how the service is consistent with the applicable security policies and supports the IC's mission. IC ISSOs are responsible for submitting firewall exception requests, using the IRT Firewall Exception Form, to the NIH IRT for validation and to the NIH CISO for final approval.

7. Applicable Laws and Guidance

Federal Information Security Management Act (FISMA)

HHS-OCIO Policy for Information Systems Security and Privacy

HHS-OCIO Policy for Information Systems Security and Privacy Handbook

HHS-OCIO-2002-0002, Policy for Department-wide Information Security

NIH Enterprise Information Security Plan (EISP)

National Institute of Standards and Technology (NIST) SP 800-41, current rev., Guidelines on Firewalls and Firewall Policy

OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources

8. Information and Assistance

Comments, questions, suggestions or requests for further information should be directed to the NIH Incident Response Team (IRT).

NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy (linked in Appendix A), contains recommendations on ports, services, and file extensions to block.

9. Effective Date/Implementation

The effective date of this policy is the date the policy is approved.

10. Approved

/s/                                        9/06/2011
Thomas G. Murphy                           Date
Acting NIH Chief Information Officer

Glossary

Firewall – A device that controls access between networks.

Inbound – For this policy only, inbound is network traffic originating from non-NIH IP address ranges.

Incident Response Team – The focal point for information security incidents at NIH. The IRT identifies incidents, characterizes the nature and severity of incidents, and provides immediate diagnostic and corrective actions when appropriate.

Internet Protocol – IP is the protocol used to address and transfer packets of data over the Internet.

Intrusion Detection – The practice of identifying inappropriate, incorrect, anomalous or otherwise suspicious activity on an IT network.

NIHnet Firewall – The network device used to block unauthorized network traffic from entering or leaving NIHnet.

NIHnet – The NIH backbone computer network and all subnets attached to the NIH backbone.

Outbound – For this policy only, outbound is network traffic originating from NIH IP address ranges.

Packet – A unit of data formatted for transmission across a network.

Port – A logical connection channel in a network identified by its unique port number. Servers make their services available through ports.

Protocol – A set of rules enabling data to be transmitted across a network.

Service – For this policy only, a service is a defined set of servers, or a server, with an associated set of network protocols.

Subnet – A subsection of a network containing multiple systems.

Web Site Defacement – An unauthorized change to an NIH web page by an external (or internal) source for the purpose of making a statement, proving an attacker's ability, or discrediting NIH.

For additional information or terms, please visit the NIH Master Glossary of IT Security Terms.

Appendix A: Links Referenced

FISMA

HHS-OCIO Policy for Information Systems Security and Privacy

HHS-OCIO Policy for Information Systems Security and Privacy Handbook

IC ISSO Roster

NIH Enterprise Information Security Plan

NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy

OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources



Appendix B: Restricted Ports & Services

The following is an example of ports and services that are available only by exception. All queries originating from outside the NIH domain that are not directed to authorized servers using the required ports will be blocked at the NIHnet firewall.

|Service                                                                              |Protocols & Ports                                                                          |Direction        |
|Citrix                                                                               |TCP/UDP Ports 1494, 1604, 2598                                                             |Inbound          |
|DNS                                                                                  |TCP/UDP Port 53                                                                            |Inbound/Outbound |
|FTP                                                                                  |TCP/UDP Ports 20, 21                                                                       |Inbound          |
|HTTP & HTTPS                                                                         |TCP Ports 80, 8080, 443, 8443                                                              |Inbound          |
|LDAP                                                                                 |TCP/UDP Port 389; TCP Port 636                                                             |Inbound          |
|NetBIOS                                                                              |TCP/UDP Ports 135-139, 445                                                                 |Inbound          |
|Oracle                                                                               |TCP Ports 1521-1529                                                                        |Inbound          |
|POP & IMAP                                                                           |TCP Ports 109, 110, 143; TCP/UDP Ports 993, 995                                            |Inbound          |
|SMTP                                                                                 |TCP Port 25                                                                                |Inbound/Outbound |
|SSH                                                                                  |TCP Port 22                                                                                |Inbound          |
|SQL                                                                                  |TCP/UDP Port 1433                                                                          |Inbound          |
|VoIP (H.323, SIP)                                                                    |Many ports                                                                                 |Inbound          |
|VPN                                                                                  |IP Protocols 47 (GRE), 50 (ESP), 51 (AH); UDP Ports 500, 501, 4500; TCP/UDP Ports 1723, 10000 |Inbound          |
|Encrypted Remote Access (pcAnywhere, Timbuktu, MS WBT Server, Kerberos, Lotus Notes) |TCP/UDP Port 88; TCP Ports 407, 1352, 1417-1420, 3389, 5631, 5632                          |Inbound          |
|IRC                                                                                  |TCP Ports 6660-6669, 7000                                                                  |Inbound/Outbound |

Note on the VPN row: the original table listed 47, 50 and 51 as TCP ports. They are IP protocol numbers (GRE, ESP and AH), and a rule that matches them as TCP destination ports will not match PPTP or IPsec tunnel traffic at all; the row above is corrected to protocol matches. FTP is carried over TCP only; the UDP entries for ports 20 and 21 match nothing and are harmless.
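As an added example, not part of the NIH policy or of any NIH tooling, the following Python models policy statements 1 to 3 of section 4 together with the outbound restrictions of this appendix as one decision function over individual flows, and renders the same decisions as an nftables ruleset. The NIH address ranges, the authorized servers (the "Services" of section 3), the blocked host and the sample flows are constructed placeholders drawn from the RFC 5737 documentation prefixes; the class names, the `nihnet` table name and the rule ordering are the example's own. It assumes, following the appendix text, that a server authorized for an Inbound/Outbound service such as SMTP or DNS is also permitted to originate that service outbound.

```python
"""Decision model of the NIHnet perimeter policy (section 4 and Appendix B).
Added example, not NIH code; addresses are RFC 5737 documentation placeholders."""
import ipaddress
from dataclasses import dataclass

# ASSUMPTION: stand-in for the "NIH IP address ranges" used by the section 3
# definitions of Inbound and Outbound.
NIH_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]

# Appendix B rows marked Inbound/Outbound (DNS, SMTP, IRC): the exceptions to
# the default-permit rule of policy statement 3.  Inbound needs no table here
# because statement 1 denies everything an authorized Service does not cover.
RESTRICTED_OUTBOUND = frozenset(
    {("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 7000)}
    | {("tcp", p) for p in range(6660, 6670)})


@dataclass(frozen=True)
class Service:
    """Section 3: a server or set of servers plus its protocols and ports."""
    name: str
    servers: frozenset  # of ipaddress.IPv4Address
    ports: frozenset    # of (protocol, port) tuples


@dataclass
class Perimeter:
    authorized: list    # Services approved through the statement 2 procedure
    blocked_hosts: set  # NIH hosts blocked under section 5.5 (compromised)

    @staticmethod
    def direction(src):
        return "Outbound" if any(src in r for r in NIH_RANGES) else "Inbound"

    def _service_for(self, host, proto, port):
        return next((s for s in self.authorized
                     if host in s.servers and (proto, port) in s.ports), None)

    def evaluate(self, src, dst, proto, port):
        """Return (verdict, reason) for one flow, checked in policy order."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        direction = self.direction(src)
        nih_host = dst if direction == "Inbound" else src
        if nih_host in self.blocked_hosts:           # 5.5: blocked both ways
            return "drop", f"{direction}: {nih_host} blocked pending remediation"
        if direction == "Inbound":                   # statement 1: default deny
            svc = self._service_for(dst, proto, port)
            if svc:
                return "accept", f"Inbound: authorized service {svc.name}"
            return "drop", "Inbound: no authorized service matches"
        if (proto, port) in RESTRICTED_OUTBOUND:     # Appendix B outbound rows
            svc = self._service_for(src, proto, port)
            if svc:
                return "accept", f"Outbound: authorized service {svc.name}"
            return "drop", f"Outbound: {proto}/{port} restricted by Appendix B"
        return "accept", "Outbound: permitted by default"  # statement 3

    def render_nftables(self):
        """Emit the same decisions as an nftables forward-hook ruleset."""
        r = ["table inet nihnet {",
             "  set nih_ranges { type ipv4_addr; flags interval;",
             "    elements = { " + ", ".join(map(str, NIH_RANGES)) + " } }",
             "  chain perimeter {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
        for h in sorted(self.blocked_hosts):          # 5.5 blocks come first
            r += [f"    ip saddr {h} drop", f"    ip daddr {h} drop"]
        for s in self.authorized:                     # statement 2 exceptions
            for host in sorted(s.servers):
                for proto, port in sorted(s.ports):
                    r.append(f'    ip daddr {host} {proto} dport {port} accept comment "{s.name}"')
                    r.append(f'    ip saddr {host} {proto} dport {port} accept comment "{s.name}"')
        for proto, port in sorted(RESTRICTED_OUTBOUND):  # Appendix B outbound
            r.append(f"    ip saddr @nih_ranges {proto} dport {port} drop")
        r += ["    ip saddr @nih_ranges accept", "  }", "}"]  # statement 3
        return "\n".join(r)


def build_demo():
    """Constructed perimeter: a public web server, a mail relay, one blocked host."""
    ip = ipaddress.ip_address
    web = Service("public-web", frozenset({ip("192.0.2.10")}),
                  frozenset({("tcp", 80), ("tcp", 443)}))
    mail = Service("mail-relay", frozenset({ip("192.0.2.25")}), frozenset({("tcp", 25)}))
    return Perimeter([web, mail], {ip("192.0.2.99")})


SAMPLE_FLOWS = [  # constructed (src, dst, protocol, destination port)
    ("203.0.113.5", "192.0.2.10", "tcp", 443),  # inbound HTTPS to the authorized web server
    ("203.0.113.5", "192.0.2.11", "tcp", 443),  # inbound HTTPS to an unlisted host
    ("192.0.2.40", "203.0.113.9", "tcp", 443),  # outbound HTTPS from a workstation
    ("192.0.2.40", "203.0.113.9", "tcp", 25),   # outbound SMTP from a workstation
    ("192.0.2.25", "203.0.113.9", "tcp", 25),   # outbound SMTP from the mail relay
    ("192.0.2.99", "203.0.113.9", "tcp", 443),  # anything from the blocked host
]

if __name__ == "__main__":
    p = build_demo()
    for flow in SAMPLE_FLOWS:
        print(flow, *p.evaluate(*flow))
    print(p.render_nftables())
```

Rule order in the rendered ruleset is what carries the policy: the blocks for compromised hosts come first so that no later service exception can reopen them, the approved service exceptions come next, then the Appendix B outbound denials, and only then the default outbound accept; the chain's `policy drop` is what implements statement 1. One caveat for the section 5.5 blocks: because the `ct state established,related accept` line precedes them, a connection that is already open when a host is added to the block list keeps working until its conntrack entry expires, so flush that host's entries (for example with `conntrack -D -s <address>`) or move the block lines above the state rule.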
