· Individual computer firewalls must be installed on all computers and servers controlled by the department as well as personal computing devices used to store or process university data.
· All internal network devices including, but not limited to routers, firewalls, and access control servers, have unique passwords and other appropriate access control mechanisms as documented in hardening guides.
· A single password value or access control code must not be used on more than one firewall. Whenever the firewall vendor supports it, those who administer firewalls within the University network must have their identity validated through extended user authentication mechanisms (for example, multi-factor authentication rather than a password alone).
· Network access privileges to modify the functionality, connectivity and services supported by firewalls are restricted on a least privilege basis only to authorized employees or third parties under contract.
· Firewalls run on single-function devices that perform no other services, such as acting as a mail server. Sensitive or critical departmental information must never be stored on a firewall; such information may transit a firewall's buffers as it passes through, but must not be persisted there.
· Provisioning of perimeter network devices, including firewalls, within the department and university's network is managed and configured by the university IT and departmental IT teams. Configurations should deny unnecessary services and connections and prevent untrusted networks from reaching internal resources or being used as a path to them.
· The effectiveness and proper configuration of all University of Louisville firewalls within the university's departments are tested on a regular basis.
· Prior to the deployment of a department firewall, a risk assessment should be conducted and signed off by a member of IT, the Enterprise IT team or the Chief Information Security Officer.
· Emergency changes must be requested in writing and with approval from Department Head and/or Dean.
· Firewall rules that are more than one year old, or that have not been modified in one year, require a review by the requester to confirm that they are still necessary. Rules which are no longer needed, or for which no response is received, will be deleted within 2-3 weeks.
By default, the firewall permits all outbound packets and admits inbound packets only when they can be matched to an outbound request already recorded in its state table (stateful filtering). The only other inbound traffic permitted is the explicitly documented set of inbound server connections described below.
The following types of network traffic should always be blocked:
· Inbound traffic from a non-authenticated source system with a destination address of the firewall system itself.
· Inbound traffic with a source address indicating that the packet originated on a network behind the firewall (a spoofed internal address).
· Inbound or outbound traffic from a system using a source address that falls within the address ranges set aside in RFC 1918 for private networks. For reference, RFC 1918 reserves the following ranges (the "Class A/B/C" labels sometimes attached to them are historical; 172.16.0.0/12, for instance, is a block of sixteen former class B networks, not one):
o 10.0.0.0/8 (10.0.0.0 to 10.255.255.255)
o 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
o 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)
· Inbound or outbound network traffic containing a source or destination address of 127.0.0.1 (localhost; the whole loopback block 127.0.0.0/8 should be treated the same way).
· Inbound or outbound network traffic containing a source or destination address of 0.0.0.0.
· Inbound SNMP (Simple Network Management Protocol) traffic from a non-authenticated source system.
· Inbound traffic carrying IP source routing options (loose or strict source route), which let the sender dictate the packet's path and bypass routing-based controls.
· Inbound or outbound traffic addressed to a directed broadcast address (the last address of a subnet, e.g. x.y.z.255 on a /24), the amplifier used in smurf-style attacks.
The firewall should block all inbound traffic unless that traffic is explicitly needed for inbound server connections. The following services and applications should only be allowed in extreme circumstances. Any allowed connections should be documented outside of the firewall system being used.
Application - Port Numbers/Action
· Login Services
o Telnet - 23 tcp, always block
o FTP - 21 tcp, always block
o r-services (rexec, rlogin, rsh) - 512-514 tcp, always block
· RPC and NFS
o Portmap/rpcbind - 111 tcp/udp, always block
o NFS - 2049 tcp/udp, always block
o lockd - 4045 tcp/udp, always block
· NetBIOS over TCP/IP
o Microsoft Remote Procedure Call (RPC) - 135 tcp/udp, always block
o Name service - 137 tcp/udp, always block
o Datagram distribution service - 138 udp, always block
o Session service - 139 tcp, always block
o Direct SMB/CIFS - 445 tcp/udp, always block
· X Window System
o 6000-6255 tcp, always block
· Naming Services
o DNS - 53 tcp/udp, restrict to the designated external-facing DNS servers
o DNS zone transfers - 53 tcp (zone transfers run over TCP), block unless from an authorized external secondary
o LDAP - 389 tcp, always block
· Mail, Management and Other Services
o SMTP - 25 tcp, block unless from the university's external mail relays
o POP (POP2/POP3) - 109 and 110 tcp, always block
o IMAP - 143 tcp, always block
o tftp - 69 udp, always block
o finger - 79 tcp, always block
o NNTP - 119 tcp, always block
o NTP - 123 tcp, always block (NTP itself runs over udp/123, which should likewise be restricted to designated time servers)
o BGP - 179 tcp, always block
o SNMP - 161 and 162 tcp/udp, always block
o syslog - 514 udp, always block
o LPD - 515 tcp, always block
o SOCKS - 1080 tcp, always block
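The following nftables ruleset is an added example showing how the stateful default, the anti-spoofing list and the "always block" port table above translate into a working perimeter configuration. It is not part of the University policy and not a university-provided configuration. Every concrete value is a hypothetical assumption: eth0 faces the Internet, eth1 faces a department LAN numbered 203.0.113.0/24 (an RFC 5737 documentation prefix), 203.0.113.53 and 203.0.113.25 are the department's external-facing DNS and mail servers, 198.51.100.53 is the authorized external secondary and 198.51.100.25 the university mail relay.

```nft
#!/usr/sbin/nft -f
# Added example, not from the University policy. All addresses and interface
# names below are hypothetical placeholders; replace them with your own.
define WAN           = "eth0"
define LAN           = "eth1"
define LANNET        = 203.0.113.0/24
define LAN_BCAST     = 203.0.113.255     # directed broadcast of LANNET
define DNS_SERVER    = 203.0.113.53
define MAIL_SERVER   = 203.0.113.25
define EXT_SECONDARY = 198.51.100.53
define MAIL_RELAY    = 198.51.100.25

flush ruleset

table inet dept_fw {
    # RFC 1918 ranges: never valid as a source on the Internet-facing side.
    set rfc1918 {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    # "Always block" TCP services from the policy table.
    set blocked_tcp {
        type inet_service
        flags interval
        elements = { 21, 23, 512-514, 111, 2049, 4045, 135, 139, 445,
                     6000-6255, 389, 109-110, 143, 79, 119, 123, 179,
                     161-162, 515, 1080 }
    }

    # "Always block" UDP services from the policy table (plus udp/123, see NTP note).
    set blocked_udp {
        type inet_service
        flags interval
        elements = { 69, 111, 123, 135, 137-138, 161-162, 445, 514, 2049, 4045 }
    }

    # Anti-spoofing checks shared by the input and forward hooks.
    chain spoof_check {
        iifname $WAN ip saddr $LANNET counter drop      # claims to be inside
        iifname $WAN ip saddr @rfc1918 counter drop     # private source from outside
        ip saddr { 127.0.0.1, 0.0.0.0 } counter drop    # loopback / unspecified
        ip daddr { 127.0.0.1, 0.0.0.0 } counter drop
        ip daddr $LAN_BCAST counter drop                # directed broadcast
        iifname $WAN ip option lsrr exists counter drop # loose source route
        iifname $WAN ip option ssrr exists counter drop # strict source route
    }

    # Traffic addressed to the firewall itself.
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        jump spoof_check
        # Management only from the inside; SNMP and everything else from
        # outside fall through to the drop policy.
        iifname $LAN ip saddr $LANNET tcp dport 22 accept
    }

    # Traffic crossing the firewall between LAN and WAN.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept             # replies to outbound requests
        ct state invalid drop
        jump spoof_check
        oifname $WAN ip saddr @rfc1918 counter drop     # private source leaking out
        iifname $WAN tcp dport @blocked_tcp counter drop
        iifname $WAN udp dport @blocked_udp counter drop
        # Documented inbound exceptions (keep the justification outside the firewall).
        iifname $WAN oifname $LAN ip daddr $DNS_SERVER udp dport 53 accept
        iifname $WAN oifname $LAN ip saddr $EXT_SECONDARY ip daddr $DNS_SERVER tcp dport 53 accept
        iifname $WAN oifname $LAN ip saddr $MAIL_RELAY ip daddr $MAIL_SERVER tcp dport 25 accept
        # Outbound from the LAN; this creates the conntrack state that lets replies back in.
        iifname $LAN oifname $WAN ip saddr $LANNET accept
    }
}
```

Validate the file with `nft -c -f dept_fw.nft` before loading it, and use `nft list ruleset` after loading to confirm the `counter` values on the spoof_check rules increment during the regular effectiveness tests the policy requires. The `ip` matches only cover IPv4; if IPv6 is routed through the device, equivalent `ip6` rules are needed, otherwise IPv6 simply falls through to the drop policy.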