Requirements for Managed (Hardware) Firewalls
For general firewall information, see the Knowledge Base articles on firewalls.
These rules govern all firewalls and devices that provide network address translation installed on the University’s network. Firewalls which do not meet these minimum requirements must not be installed on the network and may be removed.
For the purposes of this document, a firewall is defined as any device which:
a) sits between multiple computers and the University network, and
b) filters traffic or translates network addresses. Firewalls which are installed in front of a single computer (that is, host firewalls) are exempt from this document.
- All firewalls must be registered with IT Security.
- Firewalls may not be placed in front of networking equipment managed by IT Services.
- The organization installing the firewall agrees to act as the first line of support for all networking issues involving machines behind the firewall. If IT Services is contacted by someone trying to connect through the firewall, that person may be directed to contact the firewall administrators.
- If the firewall runs any sort of address translation for more than one machine, the maintainers must keep at least six months of logs indicating which machine made every connection through the firewall. The maintainers must provide this information to IT Security upon request.
- The firewall must allow through the firewall any connections from IT Services that are necessary to ensure the integrity of the data network and to allow for vulnerability scans by IT Security.
- If a machine behind the firewall is in violation of the Acceptable Use Policy and would normally be removed from the network, the firewall will be removed from the network (isolating all machines behind it.)
- The organization installing the firewall understands that many modern threats to security are specifically designed to bypass firewalls. Machines behind firewalls must be kept secure.
Policy Owner: Chief Information Security Officer