Network Engineering and Technology
A0034 Security Guidelines: Firewalls
Version: 2
Created: 04/08/05
Last Modified: 08/23/06
Purpose |
This policy describes a framework to be used for controlling software, hardware, and configuration changes made to Firewalls used in the
Background |
Any Firewall used on the GMU network should be managed in a consistent manner. If a department other than the Network Engineering and Technology [NET] Security department controls the Firewall, that department shall have similar guidelines, approved by its own management chain, to follow. At a minimum, the department must assign a liaison as described in Section 2 of this document. This guideline is to be used as referenced in TSD-1002, Firewall Management.
This guideline is for use by any department looking to have a firewall for its specific departmental usage.
There are no attachments.
When a Firewall is to be installed on the GMU network, the following steps need to be completed. The Network Engineering and Technology Security Staff [Security] should be notified as soon as a department decides it needs to implement a firewall, so that Security can ensure the group will have the proper level of security for what it wishes to accomplish. The equipment, firewall rules, and configuration must meet the approval of Security. A department wishing to have a Firewall under its control must provide a liaison to Security. This liaison is the staff member in charge of the firewall for the department. Security must have the liaison's contact information and must be told who the back-up/replacement is if the liaison will be unavailable or leaves the department. The liaison is responsible for all updates that become necessary as issues arise; Security will assist when possible.
When a department decides that a separate firewall is needed, they should contact Security. Security will provide purchasing guidelines after a discussion with the department on what will be required of the departmental firewall. The pre-installation phase will consist of meetings, purchasing, and initial configuration.
The purpose of the meetings is to find what access will be required, who the departmental liaison is, what equipment will need to be purchased, and determine the timeline for implementation of the firewall.
The department will be responsible for the purchase of the equipment. The equipment must meet or exceed the requirements set forth by Security for their application. These requirements can change on an irregular basis due to vendors, security issues, and departmental requirements. Therefore, the purchasing guidelines will be discussed at the time with the department wishing to purchase the firewall.
The initial configuration will be created by the liaison and Security working together. This will ensure that both the liaison and Security know what the configuration will be and be prepared for any issues that may arise during installation. Testing should be completed to ensure the firewall works as planned prior to installation.
The installation of the firewall should be completed during a maintenance window, so that the department using the firewall experiences minimal impact to its day-to-day business. Maintenance windows are normally scheduled for the second and fourth Sunday of the month. Security will work with the department liaison to bring the firewall to a working state.
Changes to the configuration may be required from time to time as issues dictate. If the department wishes to change the configuration of the firewall, the changes must be approved by Security. In some cases, Security may inform the liaison that a configuration change will be required due to issues including, but not limited to, new vulnerabilities, equipment failure, or new network security plans.
All changes to configurations or equipment must be documented. A standard audit will be performed by Security on a yearly basis to ensure that the firewall is up to date and functioning properly. The firewall logs will need to be stored for 90 days per GMU policy.
Logging has some mandatory components. First, every dropped packet must be logged, and every rule that drops traffic must have logging enabled. Second, connections to critical or high-sensitivity services (such as databases) should be logged by default, even when they are permitted.
Security must have access to the firewall, both physically and electronically. The passwords for the firewall will be kept by Security in the departmental safe. The liaison should also have a secured area in which to store the passwords. Passwords must not be changed without notifying Security, and they must be changed whenever the liaison or the back-up leaves.
Firewall rules will vary depending on the services used by the department. Currently the only fixed rule is that the final rule in the rule set must be a "deny any", so that any traffic not explicitly permitted by an earlier rule is blocked. Part of the Pre-Installation phase will be a discussion of the services that the department will need to have allowed through the firewall. All changes to the Firewall rules must be discussed with Security prior to implementation.
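The two requirements above (a "deny any" as the last rule, and logging of all drops and of connections to sensitive services) can be checked mechanically against a saved rule set, which is useful both before installation and during the yearly audit. The following is an added example, not part of the GMU guideline or of any GMU tooling: it audits an iptables-save dump of the filter table. The dumps are constructed samples, and the set of "sensitive" database ports is an assumption, since the guideline names databases but no ports.

```python
"""Audit an iptables-save dump against the firewall-rule requirements above:
every chain in the filter table must end in an unconditional deny, and every
drop (plus every permitted connection to a sensitive service such as a
database) must be logged by a LOG rule with the same match criteria."""
import shlex

DENY_TARGETS = {"DROP", "REJECT"}
# Assumed set of "critical or high sensitivity" services; the guideline names
# databases but no ports, so these common database ports are an assumption.
SENSITIVE_PORTS = {"1433", "1521", "3306", "5432"}


def parse_filter_table(dump):
    """Return {chain: [(match_tokens, target), ...]} for the *filter table.

    match_tokens is the tuple of tokens between the chain name and -j, so a
    LOG rule and the DROP/ACCEPT rule it covers compare equal on match."""
    chains, in_filter = {}, False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif in_filter and line.startswith("-A "):
            tok = shlex.split(line)
            if "-j" not in tok:
                continue  # a rule with no target never accepts or drops
            j = tok.index("-j")
            chains.setdefault(tok[1], []).append((tuple(tok[2:j]), tok[j + 1]))
    return chains


def dest_port(match):
    """The --dport value of a match, or None if the rule has none."""
    return match[match.index("--dport") + 1] if "--dport" in match else None


def audit(dump):
    """Return a list of findings; an empty list means the dump complies."""
    findings = []
    for chain, rules in parse_filter_table(dump).items():
        # Requirement 1: the last rule is an unconditional deny (empty match).
        if not rules or rules[-1][0] or rules[-1][1] not in DENY_TARGETS:
            findings.append(f"{chain}: last rule is not an unconditional deny")
        for i, (match, target) in enumerate(rules):
            if target == "LOG":
                continue
            # A rule counts as logged if the rule immediately before it is a
            # LOG rule with exactly the same match criteria.
            logged = i > 0 and rules[i - 1] == (match, "LOG")
            text = " ".join(match) or "(any)"
            # Requirement 2: every drop is logged.
            if target in DENY_TARGETS and not logged:
                findings.append(f"{chain}: unlogged {target} for {text}")
            # Requirement 3: permitted connections to sensitive services are logged.
            if target == "ACCEPT" and dest_port(match) in SENSITIVE_PORTS and not logged:
                findings.append(f"{chain}: unlogged ACCEPT to sensitive port {dest_port(match)}")
    return findings


# Constructed sample dumps (not taken from any real firewall).
COMPLIANT_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.1.0.0/16 -p tcp --dport 5432 -j LOG --log-prefix "FW-DB: "
-A INPUT -s 10.1.0.0/16 -p tcp --dport 5432 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-DROP: "
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FW-DROP: "
-A FORWARD -j DROP
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "FW-DROP: "
-A OUTPUT -j DROP
COMMIT
"""

NONCOMPLIANT_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.1.0.0/16 -p tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -j LOG --log-prefix "FW-DROP: "
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("compliant", COMPLIANT_DUMP), ("noncompliant", NONCOMPLIANT_DUMP)):
        print(name, audit(dump) or ["OK"])
```

Run against the second sample, the audit reports the silent drop of telnet, the unlogged accept to the MySQL port, and the OUTPUT chain that ends in an accept rather than a deny. The match comparison relies on iptables-save emitting tokens in a stable order, which it does for rules it wrote itself; a LOG rule whose match differs from the rule it is meant to cover (for example a wider source range) is deliberately not accepted, because it would not log exactly the traffic the covered rule handles.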
GMU: George Mason University
NET: Network Engineering and Technology
Security: Network Engineering and Technology Security Staff
5.0 Related Forms and Documents
· NET-F0001, Network Engineering and Technology Process Request/Revision Form
· NET-A0001, Network Engineering and Technology Process Request/Revision Policy
· TSD-1002, Firewall Management: http://tsd.gmu.edu/policy/tsd_policy_1002.pdf
6.0 Documentation Update Process
The NET Director reviews and approves this procedure for publication and use by the staff. The Managers of NET are the owners of this procedure and therefore are responsible for reviewing this procedure yearly and making changes as needed to align the work process with current corporate and department goals and policies.
The Managers of NET ensure that this procedure is available and followed by employees of the NET. The Managers initiate actions to reinforce adherence to established procedures in the performance of work activities.
In the event an employee finds that this document no longer accurately reflects the work functions described, the employee initiates a process revision by following the guidelines in NET-A0001, Network Engineering and Technology Process Request/Revision Policy and completing NET-F0001, Network Engineering and Technology Process Request/Revision Form.
Whenever this document is revised, the NET Manager responsible for the procedure should also update any on-line or Personal Digital Assistant [PDA] based version. The staff should then be notified to update the version of the documentation on their PDA. Older versions of the document should not be kept except as an archive on the departmental server, and these should be marked as "Archival, Not for Distribution". The following documentation will need to be updated when this procedure is changed:
Process ID | Revision | Title

Revision Number | DCR Number | Revision Description | Revision Date
1 | --- | Document creation | 04/08/05
2 | A0001 | Document updating to reflect University Data Retention Policy. | 8/23/06

Issued By | Approved By | Release Date
David Robertson | Randy Anderson | 8/30/06