
SECURITY PROCEDURE Firewalls

I. Purpose

To outline the process for requesting firewall services from CSSD, including

Firewall requests
Firewall zone builds
Firewall changes
Firewall monitoring
Firewall VPN client installation

Firewalls are implemented to protect the University’s network from unauthorized use and to protect sensitive data stored on University computing systems.

This procedure includes terms and definitions to be used consistently throughout the University.

II. Scope

This procedure applies to all members of the University community who are authorized to have access to University computers, computer networks, and University administrative data, together with the information generated, stored, and/or maintained in such computer systems.

III. Procedure

1. All Firewall Requests

1.1 Requests for firewall implementation and rule changes are processed through the University’s CSSD Technology Help Desk service. The Technology Help Desk can be accessed by telephone at (412) 624-HELP [4357], by submitting an e-mail to [email protected], or by going to the online Helpdesk page at technology.pitt.edu. For firewall changes, the requestor must complete the firewall change request form, which should include the following information:

Name of requestor
Department of requestor
Requestor’s Phone Number
Requestor’s Email
Name of Department’s firewall zone(s) for the change
Source of traffic (IP/hostname)
Destination of traffic (IP/hostname)
Port number and name of service needed (ex. 25/SMTP): Specify if port number and name of service should be opened or closed
Reason/Justification for the requested change

Procedure: PRC-2004-0803 Revision: 0.2.6 Effective Date: May 24, 2005 Page 1 of 17

1.2 All requests for implementing and modifying firewalls will be reviewed by CSSD to ensure they comply with CSSD firewall standards, documented in CSSD Standard STD-2004-0803 Firewall Security Standard.

1.3 All approved network-based firewalls on the University’s network will be ordered, installed, managed and supported by CSSD.

1.4 Only authorized IT administrators or departmental managers may request firewall builds and changes. CSSD’s IT Security Team will maintain a list of approved firewall contacts.

2. New Firewall Zone Build Process

2.1 The authorized IT administrator or departmental manager contacts the Technology Help Desk to initiate a firewall zone build request.

2.2 The Technology Help Desk will record the firewall zone build request, the name of the departmental contact, and any additional information necessary to review the request. The request is then forwarded to the University’s CSSD IT Security Team, which will begin to track the new request using the CSSD Firewall Build Report.

2.3 Plan Phase: the IT Security Team will review the firewall zone build request and schedule an initial meeting with the University departmental contact provided in the request. A Port Inventory Form—intended to identify both network ports as well as computer systems that will be migrated behind the new firewall zone—will be sent to the departmental contact for listing all computing assets that will be protected by the firewall. The Port Inventory Form must be fully completed by the individual department and returned to the IT Security Team one week prior to the initial meeting. Firewall zone design will not commence until the Port Inventory Form is complete; this is to ensure that information is accurate and that the number of systems can be accurately ascertained in order to assign an appropriate new IP address range for systems moving into the new zone.

2.4 Design Phase: at the initial meeting, the Security Team will review the firewall zone build request, Port Inventory Form, and a preliminary design with the University departmental contact and any other appropriate team members. The IT Security Team will create a firewall zone diagram using CSSD’s firewall zone diagram template prior to the initial meeting. The University department will also identify a primary authorized contact and a secondary authorized contact for handling any issues with the request and its implementation. The final proposed firewall configuration will be reviewed by CSSD’s IT Security Team and Network Engineering Team. Any changes will be communicated to the University departmental contact in writing.


2.5 Build Phase: Upon approval of the final firewall configuration by CSSD and the University department, CSSD will install and configure the firewall zones for the University department. The IT Security Team will submit a Help Desk ticket to request the firewall build be started; this ticket will be escalated to CSSD’s Network Engineering team for them to complete the firewall zone build. The Network Engineering team will also be responsible for creating VLANs, reserving IP address space, and any additional routing or switch work needed to complete the firewall zone build.

2.6 Migrate Phase: Upon completion of the firewall zone build, CSSD will assist the University department with migration of several test workstations behind the firewall. During the test period, firewall ruleset changes may be made during business working hours. Once testing has concluded, all firewall ruleset changes must be made in accordance with the CSSD Change Management policy, as the zone is now considered to be production. Departments are responsible for testing systems once they have been migrated to the new firewall zone to ensure network connectivity has been maintained.

2.7 CSSD will verify proper operation of the firewall zones and obtain University departmental verification that the new firewall zone build is successful.

3. Firewall Zone Configuration Change Process—Including Express Queue

3.1 The authorized University departmental contact submits a Firewall Configuration Change Request to the Help Desk. The Help Desk will create a helpdesk ticket using Remedy’s New Pitt Call Ticket form under the Quick Close category Security, title Firewall Change Request. Information to collect from the contact includes:

Name of requestor
Department of requestor
Requestor’s Phone Number
Requestor’s Email
Name of Department’s firewall zone(s) for the change
Source of traffic (IP/hostname)
Destination of traffic (IP/hostname)
Port number and name of service needed (ex. 25/SMTP): Specify if port number and name of service should be opened or closed
Reason/Justification for the requested change

The Helpdesk will then assign the firewall zone change helpdesk ticket to the CSSD IT Security Team.

Figure III.1: Screenshot of Remedy Ticket Screen with Firewall Request Quick Close

3.2 The CSSD IT Security Team will review the helpdesk ticket for completeness and compliance, and, if approved, will then create a Remedy change management ticket to document the request. The IT Security Team will verify the request with the authorized University departmental contact. If the request is denied, the IT Security Team will notify the contact by e-mail of the denial and the reason for the denial. Suggestions will also be made on how to change the request so that it can be accepted.

Express Queue: normal firewall zone changes must be submitted by Wednesday noon to the Help Desk for review and approval; these changes will be executed on Saturday evenings at 11:00 pm. However, certain firewall zone changes can be placed in an “express queue,” in which the change will be executed the night after the request is received.


Express Queue requests include:

New rules opening or closing network ports with defined source and destination IP address ranges

Deletion of existing firewall rules
Source and destination IP address changes to existing rules
Network port changes to existing rules
Timeout adjustments on existing rules

Express queue requests must satisfy certain conditions, including:

Request comes from a designated department firewall contact.

All information needed to process the request has been provided by the department firewall contact.

The change is a “zone apply” change (changes to a firewall zone ruleset, which includes source and destination IP addresses as well as changes to network ports allowed/denied).

The change meets the University’s firewall configuration standards (for example, no inbound * rules and no requests for cleartext or insecure ports such as telnet and ftp) as defined in CSSD Standard STD-2004-0803 Firewall Security Standard.

The departmental firewall contact must be prepared to test the change the morning after the change has been executed.

Express Queue request deadlines to the Help Desk are:

Mondays at noon (execute Tuesday night)
Wednesdays at noon (execute Thursday night)
Thursdays at noon (execute Saturday night)
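The Express Queue conditions and deadlines above, worked as an added example that is not part of PRC-2004-0803 or of any CSSD tool: a Python check that takes a request carrying the section 3.1 form fields, applies the conditions listed here (designated contact, complete information, zone apply change, the standard’s examples of an inbound * rule and cleartext ports such as telnet and ftp, commitment to test the next morning) and computes the 11 PM execution night from the Express Queue and normal deadlines. The approved-contact list, the port numbers, the direction/change_type/will_test_next_morning fields and the sample requests are assumptions constructed for the example.

```python
# Added illustration, not part of PRC-2004-0803: models the section 3.1 request form
# and the section 3.2 Express Queue conditions and deadlines. The contact list, port
# numbers and sample requests are constructed for the example.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical approved-contact list (section 1.4 says the IT Security Team keeps one).
APPROVED_CONTACTS = {"jane.doe@example.edu": "Example Dept"}
# Cleartext services the page names as disallowed; the port numbers are IANA assignments.
INSECURE_PORTS = {21: "ftp", 23: "telnet"}
# Submission deadlines (weekday, hour, execution weekday), Monday=0 as in datetime.weekday().
EXPRESS_DEADLINES = [(0, 12, 1), (2, 12, 3), (3, 12, 5)]   # Mon->Tue, Wed->Thu, Thu->Sat night
NORMAL_DEADLINES = [(2, 12, 5)]                            # Wed noon -> Sat 11 PM

@dataclass
class ChangeRequest:
    requestor: str
    department: str
    phone: str
    email: str
    zones: str          # department firewall zone(s) for the change
    source: str         # IP/hostname of traffic source; "*" means any
    destination: str    # IP/hostname of traffic destination
    port: int
    service: str
    action: str         # "open" or "close"
    justification: str
    direction: str = "inbound"        # assumed field: direction relative to the zone
    change_type: str = "zone apply"   # only "zone apply" changes qualify for Express Queue
    will_test_next_morning: bool = True

REQUIRED = ("requestor", "department", "phone", "email", "zones", "source",
            "destination", "port", "service", "action", "justification")

def missing_fields(req):
    """Form fields the Help Desk must collect that are empty on this request."""
    return [f for f in REQUIRED if not getattr(req, f)]

def standard_violations(req):
    """Checks drawn from the examples the page gives for STD-2004-0803."""
    problems = []
    if req.action == "open" and req.direction == "inbound" and req.source.strip() in ("*", "any"):
        problems.append("inbound * rule (any source) is not permitted")
    if req.action == "open" and req.port in INSECURE_PORTS:
        problems.append(f"cleartext service {INSECURE_PORTS[req.port]}/{req.port} is not permitted")
    return problems

def express_queue_eligible(req, approved=APPROVED_CONTACTS):
    """Return (eligible, reasons); eligible only when every section 3.2 condition holds."""
    reasons = []
    if req.email.lower() not in approved:
        reasons.append("requestor is not a designated department firewall contact")
    if missing_fields(req):
        reasons.append("missing information: " + ", ".join(missing_fields(req)))
    if req.change_type != "zone apply":
        reasons.append("not a zone apply change")
    reasons.extend(standard_violations(req))
    if not req.will_test_next_morning:
        reasons.append("contact has not committed to test the morning after execution")
    return (not reasons, reasons)

def schedule(submitted_iso, express):
    """ISO timestamp of the 11 PM execution slot for a request submitted at submitted_iso."""
    submitted = datetime.fromisoformat(submitted_iso)
    deadlines = EXPRESS_DEADLINES if express else NORMAL_DEADLINES
    for offset in range(8):   # today plus the following week covers every weekly deadline
        day = (submitted + timedelta(days=offset)).replace(hour=0, minute=0, second=0, microsecond=0)
        for weekday, hour, exec_weekday in deadlines:
            if day.weekday() == weekday and submitted <= day.replace(hour=hour):
                slot = day + timedelta(days=(exec_weekday - weekday) % 7)
                return slot.replace(hour=23).isoformat()
    raise AssertionError("unreachable: every deadline recurs weekly")

# Constructed sample requests.
_COMMON = ("Jane Doe", "Example Dept", "555-0100", "jane.doe@example.edu", "EXAMPLE-ZONE")
SAMPLE_OK = ChangeRequest(*_COMMON, "10.0.1.5", "10.0.2.25", 25, "SMTP", "open", "new mail relay")
SAMPLE_WILDCARD = ChangeRequest(*_COMMON, "*", "10.0.2.80", 80, "HTTP", "open", "public web site")
SAMPLE_TELNET = ChangeRequest(*_COMMON, "10.0.1.5", "10.0.2.23", 23, "telnet", "open", "legacy box")
```

A request that fails any check falls back to the normal weekly review in 3.3; the reasons list is what the denial e-mail in 3.2 would carry.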

3.3 The firewall change request will be formally reviewed by Security and by Network Engineering during a weekly “NetSec” meeting (Wednesday at 2 PM) for compliance to CSSD firewall guidelines and standards, as well as to potential impact to University network services and systems operation. If compliant, the change request ticket will be approved by the Information Security Officer. If the request is denied, the Security Team will notify the contact by e-mail of the denial and the reason for the denial. Suggestions will also be made on how to change the request so that it can be accepted.


Express Queue: firewall zone changes placed in Express Queue will be formally reviewed during the weekly NetSec meeting as well as on conference calls on Mondays and Thursdays at 2:30 pm with representatives from Security, Network Engineering, and the NOC.

3.4 Once the firewall change request has been approved, the change will be presented at CSSD’s change management call (Thursdays at 9 am). If approved, the change management request ticket will be set to scheduled, and the change will be staged in LSMS for execution during the next applicable maintenance window. An e-mail will be sent to the contact confirming that the change will be executed, with information on when the change will be executed, and with a reminder that the contact will need to ensure that end-user acceptance testing is to be performed immediately after the change is executed.

Express Queue: firewall zone changes placed in Express Queue will be reviewed during the daily helpdesk ticket call on Tuesdays and Fridays at 9 am.

3.5 CSSD’s Network Operations Center will take change request tickets in scheduled status and execute during the next change implementation period (Saturdays at 11 PM).

Express Queue: firewall zone changes placed in Express Queue will be executed by the Network Operations Center on Tuesday, Thursday and Saturday evenings at 11 PM. Express Queue requests will be scheduled by the IT Security Team in the Remedy change ticket form’s Implementation Date-Time field. Once the NOC implements the change, results of the implementation will be included by the NOC into the change ticket’s work log.

3.6 CSSD’s IT Security Team will notify by e-mail the departmental contact that the change was implemented, with a reminder that end-user acceptance testing should be completed immediately.

4. Firewall Problem Reporting

4.1 For any firewall problem, the authorized University departmental firewall contact will submit a Remedy ticket with a detailed description of the firewall problem, including affected hostnames, network addresses, target hosts and accessed services. Standard CSSD Help Desk resolution procedures will be followed.

5. Firewall Removal

5.1 CSSD will not permit the removal of any network-based firewall.

6. Firewall Log Access


6.1 SSH to fwlmgr-2.ns.pitt.edu or fwlmgr-2-bak.ns.pitt.edu (real-time logs, which roll over to datacomm-stor-pr every 3-4 minutes).

6.2 SSH to datacomm-stor-pr.ns.pitt.edu (contains log entries for each day).

6.3 Log viewer on LSMS (filters must be defined; log output is easier to understand as the fields are labeled. However, this method is not very reliable and at times has a huge delay of up to 15 minutes).

7. Firewall VPN User Creation

Note that the following procedure is to be used only for legacy IPSec VPN customers. CSSD no longer allows end users to implement IPSec VPN, and instead recommends that they use SSL VPN for secure remote connectivity to PittNet resources.

Firewall VPN User Creation allows for registered users to remotely access systems protected by network firewall zones. Note that the user will need to be added to groups that will permit access to firewall zones affiliated with those groups. To add a VPN user:

7.1 Start up the LSMS software

7.2 If this is an existing VPN user, find the username and right-click, then select Copy.

7.3 Click on the Browse button in the copy window.

7.4 Select the appropriate destination folder and then click the OK button.

7.5 If the user is not an existing user, open the User Auth folder and then select the Users folder.


7.6 Right-click an empty area on the right side of the screen and select New User.

7.7 Enter the required information in the User Editor window. Under Authentication Service select RADIUS. Change the Authentication Timeout to 480 minutes. When finished, go to the File menu and select Save and Close.


8. Firewall VPN Group Management

Firewall VPN Groups allow authorized users with a registered VPN user account to access the firewall zones associated with a group. To associate a user with a group:

8.1 In LSMS, go to the User Groups folder. There should be a list of VPN user groups. Double-click on the one you want and a new window will appear.

8.2 Select the desired new user from the left side of the window and then click the Add button. Go to the File menu and select Save and Close.


IV. Definitions

Availability - Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.

Business Assets - The term Business Assets, as it relates to Information Security, refers to any information upon which the organization places a measurable value. By implication, the information is not in the public domain and would result in loss, damage, or even business collapse, if the information were to be lost, stolen, corrupted or in any way compromised.

Communications Equipment - Hardware, with associated software, relating to the ability of computers to receive data from, and transmit data to, locations separated from the central processor.

Communications Line - Within a communications network, the route by which data is conveyed from one point to another.

Communications Network - A system of communications equipment and communication links (by line, radio, satellite, etc.), which enables computers to be separated geographically, while still ‘connected’ to each other.

Computer System - One or more computers, with associated peripheral hardware, with one or more operating systems, running one or more application programs, designed to provide a service to users.

Confidentiality - Assurance that the information is shared only among authorized persons or organizations. Breaches of Confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data, etc.

Cracker - A cracker is either a piece of software (program) whose purpose is to ‘crack’ the code (i.e.: a password), or ‘cracker’ refers to a person who attempts to gain unauthorized access to a computer system. Such persons are usually ill intentioned and perform malicious acts.

Data/Information - In the area of Information Security, data is processed, formatted, and re-presented, so that it gains meaning and thereby becomes information. Information Security is concerned with the protection and safeguard of that information, which in its various forms can be identified as Business Assets.

Default - A default is a setting or value, that a computer program (or system) is given as a standard setting. It is likely to be the setting that ‘most people’ would choose.


Denial of Service - A Denial of Service (DoS) attack, is an Internet attack against a Web site whereby a client is denied the level of service expected. In a mild case, the impact can be unexpectedly poor performance. In the worst case, the server can become so overloaded as to cause a crash of the system.

Dual Homing - Having concurrent connectivity to more than one network from a computer or network device. Examples include: Being logged into the Corporate network via a local Ethernet connection, and dialing into AOL or other internet service provider (ISP).

e-Commerce - Electronic transaction, performed over the Internet – usually via the World Wide Web – in which the parties to the transaction agree, confirm, and initiate both payment and goods transfer.

Firewall - Security devices used to restrict access in communication networks. They prevent computer access between networks (i.e.: from the Internet to your corporate network), and only allow access to services which are expressly registered.

Fix - An operational expedient that may be necessary if there is an urgent need to amend or repair data, or solve a software bug problem.

Hacker - An individual whose primary aim in life is to penetrate the security defenses of large, sophisticated, computer systems. A truly skilled hacker can penetrate a system right to the core, and withdraw again, without leaving a trace of the activity.

Incursion - A penetration of the system by an unauthorized source. Similar to an Intrusion, the primary difference is that Incursions are classed as ‘hostile’.

Integrity - Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose. The term integrity is used frequently when considering Information Security as it represents one of the primary indicators of security (or lack of it). The integrity of data is not only whether the data is ‘correct’, but also whether it can be trusted and relied upon. For example, making copies (say by e-mailing a file) of a sensitive document, threatens the integrity of information. By making one or more copies, the data is then at risk of change or modification.

Internet - A publicly accessible Wide Area Network that can be employed for communication between computers.

Intranet - A Local Area Network within an organization, which is designed to look like, and work in the same way as, the Internet. Intranets are essentially private networks, and are not accessible to the public.


Intrusion - The IT equivalent of trespassing. An uninvited and unwelcome entry into a system by an unauthorized source. While incursions are always seen as hostile, intrusions may be innocent.

IP Address - The IP (‘Internet Protocol’) address is the numeric address that guides all Internet traffic, such as e-mail and Web traffic, to its destination.

Lab - A Lab is any non-production environment, intended specifically for developing, demonstrating, training and/or testing of a product.

Laptop - Laptop has become a generic expression for all portable computers. Laptops require extra security measures because of the portability and obvious attractiveness to thieves.

Local Area Network - A private communications network owned and operated by a single organization within one location. This may comprise one or more adjacent buildings; however a local network will normally be connected by fixed cables or, more recently short-range radio equipment. A LAN will not use modems or telephone lines for internal communications, although it may well include such equipment to allow selected users to connect to the external environment.

Log on / off - The processes by which users start and stop using a computer system.

Network - A configuration of communications equipment and communication links by network cabling or satellite, which enables computers and their terminals to be geographically separated, while still connected to each other. See also Communications Network.

Network Administrator - Individual(s) responsible for the availability of the Network, and the controlling of its use.

Operating System - Computer programs that are primarily or entirely concerned with controlling the computer and its associated hardware, rather than processing work for users. Computers can operate without application software, but cannot run without an operating system.

Penetration - Intrusion, trespassing, unauthorized entry into a system.

Penetration Testing - The execution of a testing plan, the sole purpose of which is to attempt to hack into a system using known tools and techniques.

Peripherals - Pieces of hardware attached to a computer rather than built into the machine itself. These include printers, scanners, external hard drive units, portable drives, and other items that can be plugged into a port.


Physical Security - Physical protection measures to safeguard the organization’s systems, including restrictions on entry to premises, restrictions on entry to computer department, locking/disabling equipment, disconnection, fire-resistant and tamper-resistant storage facilities, anti-theft measures, anti-vandal measures, etc.

Policy - A policy may be defined as ‘An agreed approach in theoretical form, which has been agreed to / ratified by a governing body, which defines direction and degrees of freedom for action’.

Privilege - Privilege is the term used throughout most (if not all) applications and systems to denote the level of operator permission, or authority. Privilege can be established at the file or folder (directory) level and can allow read only access, but prevent changes. Privileges can also refer to the extent to which a user is permitted to enter and confirm transactions / information within the system.

Privileged User - A user who, by virtue of function, and/or seniority, has been allocated powers within the computer system, which are significantly greater than those available to the majority of users.

Process - In computer terms, a process refers to one of the dozens of programs which are running to keep the computer running. When a software program is run, a number of processes may be started.

Production System - A system is said to be in production when it is in live, day to day operation.

Protocol - A set of formal rules describing how to transmit data, especially across a network. Low level protocols define the electrical and physical standards to be observed, bit and byte ordering and the transmission and error detection and correction of the bit stream. High level protocols deal with the data formatting, including the syntax of messages, the terminal to computer dialogue, character sets, sequencing of messages, etc.

Security Administrator - Individual(s) who are responsible for all security aspects of a system on a day-to-day basis.

Security Incident - A security incident is an alert to the possibility that a breach of security may be taking, or may have taken, place.

Sensitive Information - Information is considered sensitive if it can be damaging to the University or its reputation.


Split-tunnelling - Simultaneous direct access to a non-University network (such as the Internet or a home network) from a remote device while connected into the University’s network via a VPN tunnel.


Spoofing - Spoofing is an alternative term for identity hacking and masquerading. The interception, alteration, and retransmission of data in an attempt to deceive the targeted recipient.

Spot Check - The term ’spot check’ comes from the need to validate compliance with procedures by performing impromptu checks on records and other files, which capture the organization’s day-to-day activities.

Unauthorized Disclosure - The intentional or unintentional revealing of restricted information to people who do not have a legitimate need to know that information.

VPN - Virtual Private Network (VPN) is a method for accessing a remote network via “tunneling” through the Internet.


V. References

University Policy 10-02-06, Administrative University Data Security and Privacy.

CSSD Guideline GDL-2004-0803, Firewall Guidelines.

CSSD Standard STD-2004-0803, Firewall Security Standards.

CSSD Standard MSB-2004-0101, Firewall Minimum Security Baseline Standards.
