OFFICE OF TECHNOLOGY SERVICES

Guidelines and Standards

Firewall Management

TU must be able to protect critical business information from inside and outside threats. Accomplishing this requires the use of strategically placed and managed firewall technology. This document provides basic guidelines for ensuring firewalls are maintained according to state and federal guidelines.

Key Players

Information Security Officer (ISO)
Firewall Administrators

Perimeter Security Maintenance

Perimeter security for the university will be maintained by a firewall. This firewall has a redundant failover unit to provide service continuity should the primary firewall unit fail. The firewall(s) will inspect packets and sessions to determine if they should be transmitted or dropped. In effect, the firewalls will act as a single point of network access where traffic can be analyzed and controlled. The firewall will forward authentication requests to a RADIUS server. Access to the university's internal network will be based on parameters such as (but not limited to):

  • Application use.
  • User authentication, authorization, and accounting, for both incoming traffic from remote users and outgoing traffic to the Internet.
  • IP address and port.

Firewall Administration

All firewalls will be centrally managed by the university firewall administrators. Two firewall administrators (one primary and one secondary) shall be designated by the ISO or other manager, and shall be responsible for the upkeep of the firewall. The primary administrator shall make changes to the firewall, and the secondary shall only do so in the absence of the former, so that there is no simultaneous or contradictory access to the firewall. Each firewall administrator shall provide their home phone number, pager number, cellular phone number and other numbers or codes by which they can be contacted when support is required.

  1. Remote Administration
    The preferred method for firewall administration is directly from the attached terminal.
    Physical access to the firewall terminal is limited to the firewall administrator and backup administrator. Where remote access for firewall administration must be allowed, it should be limited to access from other hosts on the TU internal network. Such internal remote access requires the use of strong authentication, such as one-time passwords and/or hardware tokens. Remote access over untrusted networks such as the Internet requires end-to-end encryption and strong authentication to be employed.
     
  2. User Accounts
    Only the firewall administrator and backup administrators will be given user accounts on the TU firewall. Any modification of the firewall system software must be done by the firewall administrator or backup administrator and requires approval of the ISO. Enable password construction will be consistent with the strong password creation practices utilized in the department.
     
  3. Firewall Backup
    The firewall (system software, configuration data, database files, etc.) must be backed up daily, weekly, and monthly so that in case of system failure, data and configuration files can be recovered. Backup files should be stored securely on read-only media so that data in storage is not overwritten inadvertently, and locked up so that the media is only accessible to the appropriate personnel. At least one firewall shall be configured and reserved (not in use) so that in case of a firewall failure, this backup firewall can be switched in to protect the network.
     
  4. System Integrity
    The firewall’s system integrity database shall be updated each time the firewall's configuration is modified. System integrity files must be stored on read-only media or off-line storage. System integrity shall be checked on a regular basis on the firewall so that the administrator can generate a listing of all files that may have been modified, replaced, or deleted.
     
  5. Documentation
    All operational procedures for a firewall and its configurable parameters shall be well documented, updated, and kept in a safe and secure place.
     
  6. Firewall Physical Security
    The TU firewall should be located in a controlled environment, with access limited to the ISO, the firewall administrator, and the backup firewall administrator. The room in which the firewall is to be physically located must be equipped with heat, air-conditioner, and smoke alarms to assure the proper working order of the room. The placement and recharge status of the fire extinguishers shall be checked on a regular basis. If uninterruptible power service is available to any Internet-connected systems, such service should be provided to the firewall as well.
     
  7. Restorable Services
    In case of a firewall break-in, the firewall administrator(s) are responsible for reconfiguring the firewall to address any vulnerabilities that were exploited. The firewall shall be restored to the state it was in before the break-in so that the network is not left wide open. While the restoration is going on, the backup firewall shall be deployed.
     
  8. Firewall Upgrade
    To optimize the performance of the firewall, all vendor recommendations for processor and memory capacities shall be followed. The firewall administrator must evaluate each new release of the firewall software to determine if an upgrade is required. All security patches recommended by the firewall vendor should be implemented in a timely manner. Hardware and software components shall be obtained from a list of vendor-recommended sources. Any firewall-specific upgrades shall be obtained from the vendor. NFS shall not be used as a means of obtaining hardware and software components. The use of virus-checked CD-ROM or FTP to a vendor’s site is an appropriate method. The firewall administrator(s) shall monitor the vendor’s firewall mailing list or maintain some other form of contact with the vendor to be aware of all required upgrades. Before an upgrade of any firewall component, the firewall administrator must verify with the vendor that an upgrade is required. After any upgrade, the firewall shall be tested to verify proper operation prior to going operational.

 

Auditing

The firewall will be configured to deny all services not expressly permitted and will be regularly audited and monitored to detect intrusions or misuse. The firewall shall notify the system administrator in near-real-time of any item that may need immediate attention, such as a break-in into the network, low available disk space, or other related messages, so that immediate action can be taken. The firewall software will run on a dedicated computer; all non-firewall related software, such as compilers, editors, communications software, etc., will be deleted or disabled.

 

Firewall Log Configuration and Maintenance

The firewall will be configured to use system logging (syslog) to export its log messages to the system log (syslog) server(s). The firewall’s logs will be baselined for thirty (30) days to determine how best to fine-tune message traffic information. At a minimum, the firewall log will be configured to detect:

  • Emergencies, such as system unusable messages
  • Alerts, critical conditions, and error messages
  • VPN sessions
  • Failed/unsuccessful login attempts
  • Logon Access and configuration attempts made to the firewall

The firewall logs will be backed up daily and archived on a weekly basis, in accordance with current practices implemented on the syslog server. In addition, the firewall will be configured to send Simple Network Management Protocol (SNMP) Traps to the network management server. Construction of SNMP access lists and community strings will be consistent with established security practices.

Firewall Incident Handling

The firewall shall be configured to log all reports on daily, weekly, and monthly bases so that the network activity can be analyzed when needed. Firewall logs should be examined on a weekly basis to determine if attacks have been detected. The firewall administrator shall be notified at any time of any security alarm by email, pager, or other means so that he may immediately respond to such alarm. The firewall shall reject any kind of probing or scanning tool that is directed to it so that information being protected is not leaked out by the firewall. In a similar fashion, the firewall shall block all software types that are known to present security threats to a network (such as ActiveX and Java) to better tighten the security of the network.

 

Information Security Office
Office of Technology Services
Cook Library, 4
Hours: Monday - Friday, 8:30 a.m. to 4:00 p.m.
E-mail: infosec@towson.edu





   © 2012 • Towson University Last Updated: Wednesday, June 22, 2011   
   Towson University • 8000 York Road • Towson, Maryland • 21252-0001 • 410-704-2000