Purpose
A firewall is an appliance designed to control the flow of internet traffic to and from a network. Firewalls examine network traffic and enforce policies based on rulesets. Firewalls provide valuable protection and detection capability for the university when properly configured, managed, and monitored.
Supporting Policy
Cybersecurity Policy
Scope
This standard applies to all schools, departments, and business units that configure, install, or maintain a firewall.
Standard
All network firewalls installed and implemented must conform to the current procedures as determined by the Office of Information Technology. Unauthorized or non-standard equipment is subject to immediate removal, confiscation, and/or termination of network connectivity without notice.
Firewall Configuration Standards
- All firewalls must be properly maintained from a hardware and software perspective. This includes proper lifecycle planning for end-of-life and end-of-support software/hardware and regular review (at least annually) of firewall rulesets.
- Firewalls must be installed in a high-availability configuration.
- An IT Security Exception request approved by the Vice President and Chief Information Officer is required before a college, department, or business unit is permitted to assume the management of a firewall.
- Departmental IT staff may operate host-based firewalls, provided the OU IT-supported systems that certify our compliance remain permitted access.
- Firewall Asset Administrators shall conduct reviews of individual access to firewalls twice per year and immediately remove individuals who no longer require access to the firewall.
- Firewall Asset Administrators shall conduct quarterly reviews of firewall access control list rules.
- At a minimum, the following must be conducted during the review:
- The current firewall configuration must be identified.
- The firewall configuration must be reconciled against requested communications or flows.
- Stale, shadow, and obsolete rules must be identified.
- OU IT Security Operations will submit a Change Request to disable stale, shadow, and obsolete firewall rules.
- OU IT Security Operations must delete firewall policies that have been disabled for more than six (6) months.
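As an added example (not part of this standard and not OU IT's own tooling), the following Python script carries out the review steps listed above over a small constructed ruleset: it takes the current configuration as a list of rules, reconciles each rule against the approved IT Service Requests, flags shadowed, stale and obsolete rules, lists rules that have been disabled longer than six months, and also flags allow rules whose service is ANY. The rule fields, the 90-day stale window, the six-month threshold approximated as 183 days, the ITSR-numbered request identifiers and all addresses are assumptions constructed for the example; first-match rule evaluation is assumed.

```python
"""Firewall ACL review over a constructed ruleset (added example, not OU IT tooling).

Steps: identify current rules, reconcile against requested flows, flag stale/shadow/
obsolete rules, list disabled rules past the deletion threshold, flag ANY-service allows.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str                     # IPv4 CIDR or "any"
    dst: str                     # IPv4 CIDR or "any"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    port: str                    # "443", "8000-8100" or "any" (destination service)
    last_hit: Optional[date]     # last match from hit counters; None = never matched
    request_id: Optional[str]    # IT Service Request documenting the rule; None = none
    disabled_since: Optional[date] = None   # set once a Change Request disabled the rule


STALE_AFTER = timedelta(days=90)     # assumption: no hit in 90 days counts as stale
DELETE_AFTER = timedelta(days=183)   # the standard's six months, approximated as 183 days


def _net(cidr: str):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _ports(spec: str):
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` would already match `outer` (action ignored)."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    o_lo, o_hi = _ports(outer.port)
    i_lo, i_hi = _ports(inner.port)
    return o_lo <= i_lo and i_hi <= o_hi


def review(rules, approved_requests, today):
    """Return findings keyed by category; values are rule names in ruleset order."""
    findings = {"shadowed": [], "stale": [], "obsolete": [], "any_service": [], "delete": []}
    for i, rule in enumerate(rules):
        if rule.disabled_since is not None:
            # A disabled rule matches nothing; only its deletion deadline matters.
            if today - rule.disabled_since > DELETE_AFTER:
                findings["delete"].append(rule.name)
            continue
        # Shadowed: an earlier active rule already covers all of this rule's traffic,
        # so under first-match evaluation this rule can never fire.
        for earlier in rules[:i]:
            if earlier.disabled_since is None and covers(earlier, rule):
                findings["shadowed"].append(f"{rule.name} (by {earlier.name})")
                break
        # Stale: never matched, or not matched within the window.
        if rule.last_hit is None or today - rule.last_hit > STALE_AFTER:
            findings["stale"].append(rule.name)
        # Obsolete: no approved IT Service Request backs this flow.
        if rule.request_id not in approved_requests:
            findings["obsolete"].append(rule.name)
        # Over-permissive: an allow rule whose service setting is ANY.
        if rule.action == "allow" and rule.port == "any":
            findings["any_service"].append(rule.name)
    return findings


# Constructed sample data: review date, ruleset in evaluation order, approved requests.
TODAY = date(2024, 9, 30)
RULES = [
    Rule("allow-web", "allow", "any", "10.1.0.0/24", "tcp", "443", date(2024, 9, 29), "ITSR-1001"),
    Rule("allow-web-host", "allow", "any", "10.1.0.10/32", "tcp", "443", None, "ITSR-1002"),
    Rule("deny-legacy-ftp", "deny", "192.168.5.0/24", "10.1.0.0/24", "tcp", "21", date(2024, 1, 15), "ITSR-0420"),
    Rule("allow-vendor-any", "allow", "203.0.113.0/24", "10.2.0.0/16", "any", "any", date(2024, 9, 28), "ITSR-0777"),
    Rule("allow-old-backup", "allow", "10.9.0.0/24", "10.1.0.50/32", "tcp", "8000-8100", date(2024, 3, 1), None),
    Rule("allow-retired-app", "allow", "10.3.0.0/24", "10.1.0.60/32", "tcp", "8443", date(2023, 12, 1), "ITSR-0300", date(2024, 2, 1)),
    Rule("deny-all", "deny", "any", "any", "any", "any", date(2024, 9, 30), "ITSR-0001"),
]
APPROVED = {"ITSR-1001", "ITSR-1002", "ITSR-0420", "ITSR-0777", "ITSR-0001"}

if __name__ == "__main__":
    for category, names in review(RULES, APPROVED, TODAY).items():
        print(f"{category:12s} {names}")
```

Each finding category maps to an action in the standard: shadowed, stale and obsolete rules go into a Change Request to disable them, and names under `delete` are the disabled rules that have passed the six-month retention and are due for removal. The `covers` check ignores the rule action on purpose, so a rule shadowed by an earlier rule of the opposite action is reported too; that case is the one most worth a second look, since the author of the later rule probably expected it to take effect.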
Network Firewall Rulesets
- Firewalls managed by OU IT are to be installed at each campus border and data center edge with a “default deny” rule in place.
- An IT Service Request must be used to request and document all changes to network firewall rulesets.
- Though approval is not required, all firewall ruleset changes must be documented as an OU IT Standard Change Request.
- Firewall rulesets and configurations must be backed up regularly to an alternate store. Multiple generations should be captured and retained to preserve the integrity of the data, should restoration be required. Access to rulesets, configurations, and backup media must be restricted to those responsible for administration and review.
Use of Authentication
- Where possible, firewalls shall be configured to authenticate administrators using OU Active Directory authentication via RADIUS, LDAP, or SAML protocols.
- OU IT shall retain sole administrative rights to network devices and shall not provide departments with administrative access.
- Network-based authentication must be encrypted in transit using industry-standard, strong encryption mechanisms. Unencrypted services such as HTTP, Telnet, FTP, and SNMP must be replaced by their encrypted equivalents.
Access Control
- Access to firewall configurations and administrative features will be limited to OU IT Security Operations personnel only, using a named Privileged Account type.
- Access to firewall configurations and administrative features via the local administrator account(s) will be permitted only when needed, and if OU authentication services are not available.
- All local administrator firewall accounts must be stored in the OU IT Privileged Access Management vault.
- OU IT Network and Telecom personnel may be granted read-only access for the purpose of support and troubleshooting.
- Access to configuration backups shall be protected against unauthorized access with access limited to authorized OU IT Security Operations personnel only.
- Secure Shell (SSH) access to firewall command-line interfaces must be encrypted in accordance with the OU Encryption Standard.
Site-to-Site VPN
- To establish a Site-to-Site VPN connection with OU, an OU Site-to-Site VPN Request form must be filled out and returned to OU IT Security Operations.
- The requesting VPN device must support IPSec. OU IT will make a best-effort attempt to build to any VPN device that supports the IPSec standard; however, compatibility cannot be guaranteed.
- The ISP must not block VPN traffic, which consists of the following protocols:
- UDP (Protocol 17) Port 500
- ESP (Protocol 50)
- Only “public addresses” assigned to your organization by ARIN or your ISP, or RFC1918 “private addresses” (see requirement 5) will be routed across the VPN connection.
- In some cases, NAT (Network Address Translation) will be required if your addressing scheme uses RFC1918 compliant "private addresses" or is based on arbitrary addresses that are not registered to your organization.
- Site-to-Site VPNs must be reviewed and approved annually by a Vice President.
- Site-to-Site VPNs must adhere to the following minimum security standards:
- Web-based administrative interfaces must be configured to employ modern Secure Sockets Layer (SSL), Transport Layer Security (TLS) version 1.2 or higher, or their equivalent cryptographic protocols for authenticating and establishing identities and maintaining encrypted communications between endpoints.
- Site-to-Site VPNs must be configured to use Internet Key Exchange (IKE) to establish a secure and authenticated communications channel.
- Pre-shared keys must be generated as strong 32-character keys.
- Pre-shared keys must be stored in an OU IT CyberArk vault.
- Site-to-Site VPNs must adhere to the encryption strength required in accordance with the OU Encryption Standard.
Secure Configurations
- Where possible, network devices shall be configured to follow the Center for Internet Security Level 1 benchmarks and at a minimum employ the following configuration:
- Configure all devices to display a banner upon logon. This banner should, at a minimum, prohibit unauthorized access, provide notice of logging or monitoring, and avoid using the word “welcome” or similar words of invitation.
- Permit IP addresses in a dedicated OU VLAN to manage the device.
- For all management profiles, only the IP addresses required for device management should be specified.
- Ensure ‘Minimum Password Complexity’ is enabled for the device.
- Ensure ‘Minimum Password Length’ is equal to the OU Password Policy for Privileged Accounts.
- Ensure ‘Required Password Change Period’ is equal to the OU Password Policy for Privileged Accounts.
- Ensure ‘Prevent Password Reuse Limit’ is equal to the OU Password Policy for Privileged Accounts.
- Ensure ‘Password Profiles’ do not exist.
- Ensure ‘Idle timeout’ is less than or equal to the requirements defined in the OU Password Policy.
- Ensure ‘Failed Attempts’ and ‘Lockout Time’ are configured in accordance with the OU Password Policy.
- Ensure the certificate used for securing Remote Access VPNs is configured in accordance with OU Encryption Standard.
- Ensure ‘Antivirus Update Schedule’ is configured to download and install updates every forty-eight (48) hours.
- Ensure ‘Applications and Threats Update Schedule’ is configured to download and install updates every forty-eight (48) hours.
- Ensure ‘Service setting of ANY’ in a security policy allowing traffic does not exist.
- Ensure ‘Security Policy’ denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources is configured.
- Firewalls shall undergo an annual Center for Internet Security (CIS) Level 1 Benchmark compliance scan.
- In accordance with the OU Vulnerability Management Program, OU IT Security Operations will schedule the CIS Level 1 Benchmark compliance scan to run once a year.
- OU IT Security Operations will configure the policy to send an annual Compliance Scan report to OU IT Governance, Risk, and Compliance (GRC) to be included in annual risk assessment reviews.
- OU IT GRC will track and maintain compliance scan vulnerabilities in the OU IT GRC Risk Register.
- OU IT GRC will deliver an annual executive summary of firewall compliance to the Cybersecurity and Infrastructure Advisory Committee (CIAC).
- Firewall configurations shall be backed up on a regular basis and before major changes.
Firewall Logging
- Firewall administration logs and event logs are to be written to OU IT Security Information and Event Management (SIEM) storage and reviewed regularly in accordance with the OU System Logging Policy.
References
- National Institute of Standards and Technology Cybersecurity Framework (CSF), PR.AC-3, PR.PT-4
- National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information: 3.1.3, 3.13.1, 3.13.2, 3.13.5, 3.13.6, 3.13.15, 3.1.20
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule §164.308(a)(1)(ii)(D), §164.308(a)(5)(ii)(B), §164.308(a)(5)(ii)(C), §164.308(8), §164.312(b), §164.312(e)(2)(i)
- National Institute of Standards and Technology Special Publication 800-53 Revision 5, Security and Privacy Controls for Federal Information Systems, AC-2, SC-5, SC-7, SI-4
- Payment Card Industry (PCI) Data Security Standards, 10.6.1, 10.6.2, 11.4
- Center for Internet Security (CIS) Benchmarks
Revision, Review, and Approval History
- August 2023: Draft version opened for comments
- November 2023: Comment period closed.
- February 2024: Cybersecurity and Infrastructure Advisory Committee (CIAC): Reviewed standard, recommended for approval
- July 2024: Standard approved by Chief Information Officer