Purpose
The purpose of this policy is to outline the requirements, procedures, and operation of the Penn State Wilkes-Barre network firewalls. This policy is in place to protect the Penn State Wilkes‑Barre network from outside attacks and minimize the possibility of compromises and/or possible litigation by increasing network integrity, availability, and confidentiality.
Scope
This policy applies to all equipment connected to the Penn State Wilkes‑Barre network and all personnel using said equipment.
Definitions
- Device – A computer, electronic tool or communication apparatus with the ability to connect to a data or communication network
- Internet – A worldwide system of computer networks
- Firewall – An electronic device used to monitor and inspect data transmission traveling between data networks (e.g., the Internet and the Mont Alto data network). Based on a programmed rule set managed by the campus ITS department, the firewall will either allow or disallow traffic with the aim of preventing unauthorized access to the campus private data network.
- IP Address – A unique network address assigned to a device connected to a network.
- ADG01 – Glossary of Computerized Data and System Terminology
Guidelines
- The default policy of all campus firewalls will be to deny all traffic unless an exception is requested via the procedure outlined in the Exceptions section below and approved.
- Any exception that poses a security risk, regardless of whether it was previously approved, will be revoked immediately.
- Critical security patches must be installed in a timely fashion (less than 72 hours after release) unless the patch impairs functionality or reliability.
- All network traffic on the campus network may be subject to inspection by intrusion detection/intrusion prevention systems.
- Only recognized network contacts (administrative, technical, security) may view or modify firewall rules.
- The firewall rule set will be reviewed on a quarterly basis by authorized personnel.
Standard Rules
The initial configuration assumes that all inbound connections from outside the Penn State Wilkes-Barre campus are not trusted and are therefore blocked, with exceptions. The following exceptions have been researched thus far and are to be placed into the active exception list.
Outbound Rules
No rules
Inbound Rules
- http, https – Allow access to the web servers
- Remote Desktop – Only allowed from the Penn State VPN or Penn State Wilkes-Barre Wireless 2.0
- AIS Printing – Allow printing from AIS business services
- Active Directory – Ports used to communicate with the active directory servers
- Tivoli Endpoint Manager – Ports used to communicate with the Tivoli Endpoint Manager servers at University Park
- Library Services – Ports used to allow DLT to manage the library computers
- Scanning – Ports used to allow the secure credit card network to be scanned (only opened during scanning)
- Seismic Server – Ports used to allow University Park to monitor the seismic server at the Wilkes-Barre campus
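As an added illustration of the default-deny model described under Standard Rules (example code written for this page, not Penn State's own firewall configuration), the following Python models the inbound exception list as a first-match allow list over a deny default: web traffic from anywhere, Remote Desktop only from the VPN and Wireless 2.0 source ranges, and a scanning exception that is enabled only while a scan is running. The VPN, wireless and scanner address ranges are placeholders, since the policy gives no addresses, and the scanning exception is assumed to cover any TCP port from the scanner range.

```python
import ipaddress
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder ranges: the policy names the Penn State VPN and
# Wilkes-Barre Wireless 2.0 networks but gives no address blocks.
PSU_VPN = ipaddress.ip_network("10.0.0.0/8")
WB_WIRELESS = ipaddress.ip_network("192.0.2.0/24")
PCI_SCANNER = ipaddress.ip_network("198.51.100.0/24")  # assumed scanner range
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    proto: str
    dports: Optional[frozenset]  # None means any destination port
    sources: tuple               # networks the source address must fall in
    enabled: bool = True         # the scanning rule starts disabled

    def matches(self, proto, dport, src):
        return (self.enabled
                and proto == self.proto
                and (self.dports is None or dport in self.dports)
                and any(src in net for net in self.sources))


class Firewall:
    """First-match allow list; anything unmatched falls through to deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, proto, dport, src_ip):
        src = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if rule.matches(proto, dport, src):
                return ("allow", rule.name)
        return ("deny", "default")

    def revoke(self, name):
        """An exception found to pose a risk is removed immediately."""
        self.rules = [r for r in self.rules if r.name != name]

    @contextmanager
    def scanning_window(self):
        """Open the scanning exception only for the duration of a scan."""
        rule = next(r for r in self.rules if r.name == "scanning")
        rule.enabled = True
        try:
            yield
        finally:
            rule.enabled = False


def inbound_policy():
    """The inbound exceptions from this policy, encoded as rules."""
    return Firewall([
        Rule("web", "tcp", frozenset({80, 443}), (ANY,)),
        Rule("rdp", "tcp", frozenset({3389}), (PSU_VPN, WB_WIRELESS)),
        Rule("scanning", "tcp", None, (PCI_SCANNER,), enabled=False),
    ])


if __name__ == "__main__":
    fw = inbound_policy()
    # Constructed sample connections: outside web hit, outside RDP, VPN RDP.
    for proto, port, src in [("tcp", 443, "203.0.113.5"),
                             ("tcp", 3389, "203.0.113.5"),
                             ("tcp", 3389, "10.1.2.3")]:
        print(proto, port, src, "->", fw.evaluate(proto, port, src))
    with fw.scanning_window():
        print("during scan:", fw.evaluate("tcp", 22, "198.51.100.9"))
    print("after scan:", fw.evaluate("tcp", 22, "198.51.100.9"))
```

The order of the rules matters only among overlapping allows; because the fall-through is deny, adding an exception never widens access beyond the ports and sources it names, which is what makes the default-deny posture auditable at the quarterly review.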
Exceptions
All proposed changes to the firewall must be submitted in writing to [email protected]. This submission must include the following items:
- The specific need for the exception documented thoroughly
- The IP addresses of the devices involved on the LAN
- The IP addresses of the devices involved on the outside network
- Point of contact to administrator of devices involved on the outside network
- Ports, protocol, and justification required for incoming traffic
All proposed changes must be approved by the campus director of IT, the network administrator, and the requesting member’s supervisor. Requests that do not support the University’s mission or that pose security risks will not be approved.
Testing and Verification
Testing of firewall rules from the outside will be accomplished through the use of the Penn State wireless network. The Penn State wireless network has a dedicated interface on the edge router and is not treated as a local LAN by our campus firewall.