SECURITY STANDARD Firewalls
I. Introduction
This document describes the standard firewall rules that will be applied to all firewalls connected to the University’s networks. The University’s standard firewall is the Lucent Brick Firewall.
II. Standard
Firewall Overview
1) The University has implemented a “Security Zone” approach to firewall configuration and deployment. These “Security Zones” are implemented as rule-sets on University firewalls. Each firewall will provide multiple “Security Zones” to implement specific security controls for each zone. Default sets of “Security Zones” are created during the implementation of each University firewall as follows:
Workstation Zone
Server Zone
“Demilitarized” Zone (DMZ)
2) CSSD defines these “Security Zones” to be implemented for each firewall as follows:
Workstation Zone – The Workstation zone is designed to protect a University Unit’s workstations, network printers, and other local network devices (inside the firewall) from all other zones. Access to this zone from all other zones is restricted and controlled.
Server Zone – The Server zone is designed to protect a University Unit’s critical infrastructure such as domain controllers, file, print, intranet (internal web applications), application, and database servers. Access to this zone is limited to the Unit’s Workstation Zone.
DMZ Zone – The DMZ zone is designed to protect any server that is accessed by a broad audience. An example of this is a web server that is accessed by users from around the world. This zone acts as a protective layer between a University Unit’s workstations and servers. Only necessary ports are allowed inbound to this zone. Additionally, the Unit’s Workstation and Server zones are allowed to access the DMZ zone.
Other Zones – Other Zones are specialized zones within a department. These zones are created on an as-needed basis. Other zones typically follow the same access controls as workstation zones but may vary according to needs. Examples of other zones are Labs, Classrooms, Development, Database, etc.
Guideline: STD-2004-0803 Revision: 0.4 Effective Date: October 26, 2004 Page 1 of 18
Exceptions to any zone can be created with CSSD Security approval, in accordance with the standards presented in this document.
Firewall Configuration
1) All physical network interfaces or VLAN interfaces will be configured with static IP addresses.
2) Each physical firewall will be configured to support multiple virtual firewalls. Each virtual firewall has its own routing information, its own set of IP addresses, its own firewall policies, etc. through the use of partitions.
3) Serial port access will be enabled on each physical firewall to allow local console management. A unique secure password will be assigned to each physical firewall for local console management.
4) All rule-sets, rules, host groups and service groups will have a complete description (e.g. the “VNC” service group description should be “VNC remote control application” and should state the port and protocol, “tcp5900”).
5) Host groups will be defined as local to each firewall. Host groups that are used across multiple firewalls will be defined as global. Local firewall host group names will be identified using mixed case characters. Global firewall host group names will be identified using all upper case characters. When a host group is converted from local to global, its name will be changed to upper case.
6) Service groups will be defined as global to all firewalls. Service groups that will be utilized for only one firewall will be defined as local to that firewall. Local firewall service group names will be identified using mixed case characters. Global firewall service group names will be identified using all upper case characters.
7) All firewalls will be assigned a local console rule-set (“firewall”) and an administrative zone rule-set (“administrative zone”).
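The naming and description rules for host groups and service groups above are the kind of convention that is easy to state and easy to drift from, so an automated check is useful before a configuration is pushed. The following lint is an added example written for this standard, not CSSD tooling or Lucent Brick configuration; the group records, the record fields (name, kind, scope, description) and the "tcp5900"-style port token it looks for are assumptions modelled on the example in rule 4.

```python
"""Added example: lint firewall object definitions against the naming and
description rules in this standard. The record format is a constructed,
generic representation, not Lucent Brick configuration."""
import re

# Port-and-protocol token in the "tcp5900" form used by the standard's example
# (also accepts udp53 or tcp135-139); this notation is an assumption.
PORT_TOKEN = re.compile(r"\b(tcp|udp|icmp)\d{1,5}(-\d{1,5})?\b", re.IGNORECASE)


def name_matches_scope(name: str, scope: str) -> bool:
    """Global group names are all upper case; local group names are mixed case."""
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    if scope == "global":
        return all(c.isupper() for c in letters)
    if scope == "local":
        return any(c.islower() for c in letters)
    return False


def lint_group(group: dict) -> list:
    """Return the list of rule violations for one host or service group record."""
    problems = []
    if not name_matches_scope(group["name"], group["scope"]):
        problems.append(f"{group['name']}: name case does not match {group['scope']} scope")
    desc = group.get("description", "").strip()
    if not desc:
        problems.append(f"{group['name']}: missing description")
    elif group["kind"] == "service" and not PORT_TOKEN.search(desc):
        problems.append(f"{group['name']}: service description must state port and protocol")
    return problems


def lint_all(groups) -> list:
    out = []
    for g in groups:
        out.extend(lint_group(g))
    return out


# Constructed sample records (not from any real firewall).
SAMPLE_GROUPS = [
    {"name": "VNC", "kind": "service", "scope": "global",
     "description": "VNC remote control application, tcp5900"},
    {"name": "LabPrinters", "kind": "host", "scope": "local",
     "description": "Network printers in the third floor lab"},
    {"name": "DNSSERVERS", "kind": "host", "scope": "global", "description": ""},
    {"name": "webmail", "kind": "service", "scope": "global",
     "description": "Webmail front end"},
]

if __name__ == "__main__":
    for problem in lint_all(SAMPLE_GROUPS):
        print(problem)
```

Run as a script it reports the three violations in the sample set: the global host group with no description, and the global service group whose name is not upper case and whose description names no port or protocol.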
Firewall Rule-Sets
1) Rule-sets will be defined for each “Security Zone” (Workstation Zone, Server Zone, DMZ Zone) as needed. Multiple rule-sets may be defined for each “Security Zone”.
2) The system-generated “firewall” rule-set will be assigned to the “local” interface of each firewall. The system-generated “administrative zone” rule-set will be assigned to one of the network “etherX” interfaces of each firewall.
3) Rule-sets will be numbered according to the following ranges:
Range Low | Range High | Description
1 | 199 | Reserved for future features
200 | 299 | Firewall, Administration and Proxy rules
300 | 399 | User Authentication rules
400 | 499 | VPN rules
500 | 999 | Reserved for future features
1000 | 64999 | Administrator created rules
65000 | 65534 | Reserved for future features
65535 | 65535 | Default Drop-All rule
TCP State Enforcement
PITTNET firewalls should monitor TCP state for every established session so that the firewall protections are NOT forgone. A proper timeout for each session type should be researched and arrived at to ensure that a properly opened TCP session can resume when necessary (by having an active cache entry), but that sessions which did not close properly, or which will not be resumed after some idle time, are not kept in the cache. Note that this is a huge problem with Windows as it almost never closes an open socket.
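To make the state-tracking requirement concrete, the following is an added teaching model of a stateful TCP session cache with per-phase idle timeouts. It is not the Lucent Brick implementation and is not code from this standard; the timeout values, the addresses and the replayed segment sequence are constructed for illustration. It shows the two failure modes the paragraph worries about: an unsolicited inbound segment with no cache entry is dropped, and a session that was never closed properly is dropped from the cache once it has been idle longer than its timeout, so a later inbound segment on it is also dropped.

```python
"""Added example: a minimal stateful TCP session cache with idle timeouts.
Teaching model only; timeouts and addresses are assumptions."""
from dataclasses import dataclass

# Assumed idle timeouts in seconds per connection phase. A real deployment
# would tune these after the research the standard calls for.
TIMEOUTS = {"SYN_SENT": 30, "ESTABLISHED": 3600, "CLOSING": 60}


@dataclass
class Session:
    state: str
    last_seen: float


class SessionCache:
    def __init__(self):
        self.table = {}  # (client, cport, server, sport) -> Session

    @staticmethod
    def flow_key(p):
        # Normalise both directions of a flow to one key, initiator first.
        if p["outbound"]:
            return (p["src"], p["sport"], p["dst"], p["dport"])
        return (p["dst"], p["dport"], p["src"], p["sport"])

    def expire(self, now):
        """Remove entries idle longer than their phase timeout; return the count."""
        dead = [k for k, s in self.table.items() if now - s.last_seen > TIMEOUTS[s.state]]
        for k in dead:
            del self.table[k]
        return len(dead)

    def process(self, p, now):
        """Return 'PASS' or 'DROP' for one TCP segment and update the cache.
        p carries src, sport, dst, dport, flags (set of SYN/ACK/FIN/RST) and
        outbound (True when the segment leaves the protected zone)."""
        self.expire(now)
        key = self.flow_key(p)
        sess = self.table.get(key)
        if sess is None:
            # Only an outbound SYN creates state. An inbound segment with no
            # entry (unsolicited, or from a timed-out session) is dropped.
            if p["outbound"] and p["flags"] == {"SYN"}:
                self.table[key] = Session("SYN_SENT", now)
                return "PASS"
            return "DROP"
        sess.last_seen = now
        if "RST" in p["flags"]:
            del self.table[key]
        elif sess.state == "SYN_SENT" and {"SYN", "ACK"} <= p["flags"] and not p["outbound"]:
            sess.state = "ESTABLISHED"  # simplification: SYN/ACK completes the handshake
        elif "FIN" in p["flags"]:
            sess.state = "CLOSING"
        return "PASS"


def segment(src, sport, dst, dport, flags, outbound):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags), "outbound": outbound}


def run_scenario():
    """Replay a constructed segment sequence; return (decisions, cache size)."""
    cache = SessionCache()
    client, server = "10.1.4.20", "198.51.100.10"  # constructed addresses
    events = [
        (0, segment(client, 40000, server, 443, ["SYN"], True)),          # new session
        (1, segment(server, 443, client, 40000, ["SYN", "ACK"], False)),  # handshake reply
        (2, segment(client, 40000, server, 443, ["ACK"], True)),          # established traffic
        (3, segment("192.0.2.9", 80, client, 40001, ["ACK"], False)),     # unsolicited inbound
        (10, segment(client, 40002, server, 443, ["SYN"], True)),         # second session
        (11, segment(server, 443, client, 40002, ["SYN", "ACK"], False)),
        (12, segment(client, 40002, server, 443, ["FIN", "ACK"], True)),  # client closes
        (3700, segment(server, 443, client, 40000, ["ACK"], False)),      # first session idle > 1h
    ]
    decisions = [cache.process(p, t) for t, p in events]
    return decisions, len(cache.table)


if __name__ == "__main__":
    print(run_scenario())
```

The last event is the interesting one: the first session was never closed, but because its entry expired after an hour idle, the cache is empty by then and the late inbound segment is dropped rather than let through on stale state.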
Workstation Zone Rule-Set Table

RULE DESCRIPTION | RULE NUMBER | PROTOCOL | PORT/TYPE | DIRECTION | SOURCE ADDRESS | DESTINATION ADDRESS | ACTION
Allow any outbound from workstations | | Any | Any | Out | Workstations in workstation zone | Any | Pass
Allow any traffic from datacom management machines | | Any | Any | In | Datacom management machines | Workstations in workstation zone | Pass
Allow any traffic from management VLAN 1 | | Any | Any | In | VLAN-1 management machines | Workstations in workstation zone | Pass
Allow any traffic from 1st upstream router interface | | Any | Any | In | First upstream router interface | Workstations in workstation zone | Pass
Allow broadcast traffic from 1st upstream router interface | | Any | Any | In | First upstream router interface | Broadcast addresses in workstation zone | Pass
Allow ICMP destination unreachable messages to be returned | | ICMP | 3 | In | Any | Workstations in workstation zone | Pass
Allow ICMP time/ttl exceeded messages to be returned | | ICMP | 11 | In | Any | Workstations in workstation zone | Pass
Allow ICMP parameter problem messages to be returned | | ICMP | 12 | In | Any | Workstations in workstation zone | Pass
Allow ICMP traceroute return | | ICMP | 30 | In | Any | Workstations in workstation zone | Pass
Server Zone Rule-Set Table

RULE DESCRIPTION | RULE NUMBER | PROTOCOL | PORT/TYPE | DIRECTION | SOURCE ADDRESS | DESTINATION ADDRESS | ACTION
Allow any outbound from servers | | Any | Any | Out | Servers in server zone | Any | Pass
Allow any traffic from workstation zone | | Any | Any | In | Workstations in workstation zone | Servers in server zone | Pass
Allow any traffic from datacom management machines | | Any | Any | In | Datacom management machines | Servers in server zone | Pass
Allow any traffic from management VLAN 1 | | Any | Any | In | VLAN-1 management machines | Servers in server zone | Pass
Allow any traffic from 1st upstream router interface | | Any | Any | In | First upstream router interface | Servers in server zone | Pass
Allow broadcast traffic from 1st upstream router interface | | Any | Any | In | First upstream router interface | Broadcast addresses in server zone | Pass
Allow ICMP destination unreachable messages to be returned | | ICMP | 3 | In | Any | Servers in server zone | Pass
Allow ICMP time/ttl exceeded messages to be returned | | ICMP | 11 | In | Any | Servers in server zone | Pass
Allow ICMP parameter problem messages to be returned | | ICMP | 12 | In | Any | Servers in server zone | Pass
Allow ICMP traceroute return | | ICMP | 30 | In | Any | Servers in server zone | Pass
DMZ Zone Rule-Set Table

RULE DESCRIPTION | RULE NUMBER | PROTOCOL | PORT/TYPE | DIRECTION | SOURCE ADDRESS | DESTINATION ADDRESS | ACTION
Allow any outbound from servers in DMZ | | Any | Any | Out | Servers in DMZ zone | Any | Pass
Allow any traffic from workstation zone | | Any | Any | In | Workstations in workstation zone | Servers in DMZ zone | Pass
Allow any traffic from datacom management machines | | Any | Any | In | Datacom management machines | Servers in DMZ zone | Pass
Allow any traffic from management VLAN 1 | | Any | Any | In | VLAN-1 management machines | Servers in DMZ zone | Pass
Allow any traffic from 1st upstream router interface | | Any | Any | In | First upstream router interface | Servers in DMZ zone | Pass
Allow broadcast traffic from 1st upstream router interface | | Any | Any | In | First upstream router interface | Broadcast addresses in DMZ zone | Pass
Allow ICMP destination unreachable messages to be returned | | ICMP | 3 | In | Any | Servers in DMZ zone | Pass
Allow ICMP time/ttl exceeded messages to be returned | | ICMP | 11 | In | Any | Servers in DMZ zone | Pass
Allow ICMP parameter problem messages to be returned | | ICMP | 12 | In | Any | Servers in DMZ zone | Pass
Allow ICMP traceroute return | | ICMP | 30 | In | Any | Servers in DMZ zone | Pass
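The three zone rule-set tables above share the same shape: an unrestricted outbound rule, a short list of trusted inbound sources, four ICMP error types, and an implicit drop for everything else. The following is an added example, not code or configuration from this standard or from the Lucent Brick, that encodes all three tables as ordered rules, numbers the administrator rules inside the 1000-64999 range from the numbering table and terminates each rule-set with the 65535 Default Drop-All rule, then evaluates constructed sample packets against them. The address plan (10.1.0.0/16 for workstations, 10.2.0.0/16 for servers, 10.3.0.0/16 for the DMZ, management and router prefixes) is an assumption; the standard names the groups but gives no prefixes.

```python
"""Added example: evaluate packets against the three zone rule-sets.
Address plan, rule numbers and sample packets are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): the standard names these host groups
# but does not publish their prefixes.
GROUPS = {
    "Any": ["0.0.0.0/0"],
    "Workstations in workstation zone": ["10.1.0.0/16"],
    "Servers in server zone": ["10.2.0.0/16"],
    "Servers in DMZ zone": ["10.3.0.0/16"],
    "Broadcast addresses in workstation zone": ["10.1.255.255/32"],
    "Broadcast addresses in server zone": ["10.2.255.255/32"],
    "Broadcast addresses in DMZ zone": ["10.3.255.255/32"],
    "Datacom management machines": ["10.250.0.0/24"],
    "VLAN-1 management machines": ["10.251.0.0/24"],
    "First upstream router interface": ["10.0.0.1/32"],
}
GROUPS = {k: [ipaddress.ip_network(n) for n in v] for k, v in GROUPS.items()}
ADMIN_RULE_BASE = 1000      # administrator-created rules: 1000-64999
DEFAULT_DROP_RULE = 65535   # Default Drop-All rule


@dataclass
class Rule:
    number: int
    description: str
    protocol: str      # "Any", "ICMP", "TCP" or "UDP"
    port_or_type: str  # "Any", a TCP/UDP port or an ICMP type
    direction: str     # "In" (entering the zone), "Out" (leaving it) or "Any"
    source: str
    destination: str
    action: str


def zone_ruleset(zone_hosts, zone_broadcast, extra_inbound_sources=()):
    """Build a zone's rule-set from its table rows, numbered in the admin range
    and closed by rule 65535, so every packet gets a decision."""
    rows = [("Allow any outbound", "Any", "Any", "Out", zone_hosts, "Any")]
    for src in extra_inbound_sources:
        rows.append((f"Allow any traffic from {src}", "Any", "Any", "In", src, zone_hosts))
    rows += [
        ("Allow any traffic from datacom management machines", "Any", "Any", "In",
         "Datacom management machines", zone_hosts),
        ("Allow any traffic from management VLAN 1", "Any", "Any", "In",
         "VLAN-1 management machines", zone_hosts),
        ("Allow any traffic from 1st upstream router interface", "Any", "Any", "In",
         "First upstream router interface", zone_hosts),
        ("Allow broadcast traffic from 1st upstream router interface", "Any", "Any", "In",
         "First upstream router interface", zone_broadcast),
        ("Allow ICMP destination unreachable", "ICMP", "3", "In", "Any", zone_hosts),
        ("Allow ICMP time/ttl exceeded", "ICMP", "11", "In", "Any", zone_hosts),
        ("Allow ICMP parameter problem", "ICMP", "12", "In", "Any", zone_hosts),
        ("Allow ICMP traceroute return", "ICMP", "30", "In", "Any", zone_hosts),
    ]
    rules = [Rule(ADMIN_RULE_BASE + 10 * i, *row, "Pass") for i, row in enumerate(rows)]
    rules.append(Rule(DEFAULT_DROP_RULE, "Default Drop-All", "Any", "Any", "Any", "Any", "Any", "Drop"))
    return rules


def in_group(addr, group):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in GROUPS[group])


def matches(rule, pkt):
    if rule.direction not in ("Any", pkt["direction"]):
        return False
    if rule.protocol not in ("Any", pkt["protocol"]):
        return False
    if rule.port_or_type != "Any" and int(rule.port_or_type) != pkt["port_or_type"]:
        return False
    return in_group(pkt["src"], rule.source) and in_group(pkt["dst"], rule.destination)


def evaluate(ruleset, pkt):
    """First matching rule in number order wins; returns (action, rule number)."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    raise AssertionError("rule-set has no Default Drop-All rule")


WORKSTATION = zone_ruleset("Workstations in workstation zone", "Broadcast addresses in workstation zone")
SERVER = zone_ruleset("Servers in server zone", "Broadcast addresses in server zone",
                      ["Workstations in workstation zone"])
DMZ = zone_ruleset("Servers in DMZ zone", "Broadcast addresses in DMZ zone",
                   ["Workstations in workstation zone"])


def pkt(direction, protocol, port_or_type, src, dst):
    return {"direction": direction, "protocol": protocol, "port_or_type": port_or_type,
            "src": src, "dst": dst}


# Constructed sample traffic; 198.51.100.10 stands in for an Internet host.
SAMPLES = {
    "workstation https out": (WORKSTATION, pkt("Out", "TCP", 443, "10.1.4.20", "198.51.100.10")),
    "internet rdp to workstation": (WORKSTATION, pkt("In", "TCP", 3389, "198.51.100.10", "10.1.4.20")),
    "icmp unreachable to workstation": (WORKSTATION, pkt("In", "ICMP", 3, "198.51.100.10", "10.1.4.20")),
    "icmp echo request to workstation": (WORKSTATION, pkt("In", "ICMP", 8, "198.51.100.10", "10.1.4.20")),
    "workstation smb to server": (SERVER, pkt("In", "TCP", 445, "10.1.4.20", "10.2.0.10")),
    "dmz smb to server": (SERVER, pkt("In", "TCP", 445, "10.3.0.5", "10.2.0.10")),
    "workstation ssh to dmz": (DMZ, pkt("In", "TCP", 22, "10.1.4.20", "10.3.0.5")),
    "internet ssh to dmz": (DMZ, pkt("In", "TCP", 22, "198.51.100.10", "10.3.0.5")),
}


def run_samples():
    return {name: evaluate(rs, p) for name, (rs, p) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, number) in run_samples().items():
        print(f"{name:34s} -> {action} (rule {number})")
```

Two points worth noticing in the output. ICMP echo requests are not among the four ICMP types the tables return, so they fall through to rule 65535 and are dropped even though destination-unreachable (type 3) passes; and the base DMZ rule-set alone drops SSH from the Internet, because the world-to-DMZ access on 22 and 443 comes from the separate exceptions table, which is layered on top of these base rules rather than being part of them.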
Workstation Allowed Firewall Exceptions

SERVICE DESCRIPTION | TRAFFIC SOURCE | TRAFFIC DESTINATION | DESTINATION PORT | NOTES
NETBIOS, MS-DS, EXCHANGE MAIL NOTIFICATION | SERVER ZONE | WORKSTATION ZONE | TCP/UDP: 135, 136, 137, 138, 139, 445; UDP: 1024-65000 (Exchange Mail Notification) |
Server Zone Allowed Firewall Exceptions

SERVICE DESCRIPTION | TRAFFIC SOURCE | TRAFFIC DESTINATION | DESTINATION PORT | NOTES
NETBIOS, MS-DS, EXCHANGE MAIL NOTIFICATION | WORKSTATION ZONE | SERVER ZONE | TCP/UDP: 135, 136, 137, 138, 139, 445 |
ACTIVE DIRECTORY REPLICATION | PITTNET-NO DORMS | SERVER ZONE | AD Replication Ports | This allows departmental Domain controllers to replicate with the University’s Active Directory Tree
SSH, SFTP, SCP, SSL | 1. WORKSTATION ZONE; 2. SPECIFIC IP ADDRESSES THAT ARE NOT GATEWAY HOSTS | SERVER ZONE | 22, 443 |
IMAP, POP3, SMTP | WORKSTATION ZONE ONLY | SERVER ZONE | 143, 110, 25 | This is to allow users in the Workstation zone to access mail from a server that is located in the Server Zone. *Note: Mail servers that serve users located outside of the Workstation zone must be placed in the DMZ.
PRINT SERVICES | WORKSTATION ZONE | SERVER ZONE | Any defined print service (9100, 515, etc.) | This is to allow users in the Workstation zone to access print servers that are located in the Server zone.
Demilitarized Zone Allowed Firewall Exceptions

SERVICE DESCRIPTION | TRAFFIC SOURCE | TRAFFIC DESTINATION | DESTINATION PORT | NOTES
SSH, SCP, SFTP, HTTPS, HTTP | WORLD | DMZ ZONE | 22, 443 | Allows traffic from anywhere to access resources in the DMZ over encrypted channels. This would primarily be used for accessing publicly-accessible data.
Services Blocked on all Firewall Zones

SERVICE DESCRIPTION | TRAFFIC SOURCE | TRAFFIC DESTINATION | DESTINATION PORT | NOTES
PC ANYWHERE, TERMINAL SERVICES, REMOTE DESKTOP, CITRIX, TELNET, VNC, SQL, AND MOST PLAIN TEXT SERVICES | ANYWHERE | SERVER OR WORKSTATION ZONES | ANY | This is to block unencrypted remote administration services into protected firewall zones
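Taken together, the exception tables and the blocked-services list define a three-way decision for any requested opening: denied outright because it is a blocked service into a protected zone, allowed because it is already a standard exception, or referred to CSSD Security for the approval the Introduction requires. The following is an added example of that triage, written for this page and not CSSD's own process or tooling. The request format is an assumption, and the port numbers attached to the blocked services (RDP, Citrix, telnet, VNC, SQL, pcAnywhere) are the commonly registered ports for those services rather than values given in the standard.

```python
"""Added example: triage a requested firewall exception against the allowed
exception tables and the blocked-services list. Request format and the
service-to-port mapping are assumptions, not part of the standard."""

# Services the standard blocks into protected zones; the ports are the usual
# registered ports for those services (assumed mapping, not from the standard).
BLOCKED_INTO_PROTECTED = {
    "pcAnywhere": {5631, 5632},
    "Terminal Services / Remote Desktop": {3389},
    "Citrix": {1494},
    "Telnet": {23},
    "VNC": {5900},
    "SQL": {1433, 3306},
}
PROTECTED_ZONES = {"workstation", "server"}

# Allowed exceptions transcribed from the tables: (source zone or "*" for any,
# destination zone, protocol, permitted destination ports).
ALLOWED = [
    ("server", "workstation", "tcp", {135, 136, 137, 138, 139, 445}),
    ("server", "workstation", "udp", {135, 136, 137, 138, 139, 445} | set(range(1024, 65001))),
    ("workstation", "server", "tcp", {135, 136, 137, 138, 139, 445}),
    ("workstation", "server", "udp", {135, 136, 137, 138, 139, 445}),
    ("workstation", "server", "tcp", {22, 443}),          # SSH, SFTP, SCP, SSL
    ("workstation", "server", "tcp", {143, 110, 25}),     # IMAP, POP3, SMTP
    ("workstation", "server", "tcp", {9100, 515}),        # defined print services
    ("*", "dmz", "tcp", {22, 443}),                       # world to DMZ, encrypted only
]


def review_exception(src_zone, dst_zone, proto, port):
    """Return (decision, reason) where decision is 'deny', 'allow' or 'approval'."""
    src_zone, dst_zone, proto = src_zone.lower(), dst_zone.lower(), proto.lower()
    # Blocked services are checked first: they are never a standard exception
    # into a protected zone regardless of where the request comes from.
    if dst_zone in PROTECTED_ZONES:
        for service, ports in BLOCKED_INTO_PROTECTED.items():
            if port in ports:
                return "deny", f"{service} is blocked into the {dst_zone} zone on all firewalls"
    for a_src, a_dst, a_proto, a_ports in ALLOWED:
        if a_src in ("*", src_zone) and a_dst == dst_zone and a_proto == proto and port in a_ports:
            return "allow", "covered by a standard allowed exception"
    return "approval", "not a standard exception; requires CSSD Security approval"


# Constructed sample requests (source zone, destination zone, protocol, port).
REQUESTS = [
    ("workstation", "server", "tcp", 3389),
    ("workstation", "server", "tcp", 445),
    ("server", "workstation", "udp", 3000),
    ("workstation", "server", "tcp", 3306),
    ("internet", "dmz", "tcp", 22),
    ("internet", "dmz", "tcp", 80),
    ("dmz", "server", "tcp", 22),
]


def review_all(requests=REQUESTS):
    return [review_exception(*r)[0] for r in requests]


if __name__ == "__main__":
    for r in REQUESTS:
        decision, reason = review_exception(*r)
        print(f"{r}: {decision} ({reason})")
```

The ordering matters: a request for SQL from the workstation zone to the server zone is denied even though plenty of workstation-to-server traffic is allowed, because the blocked list is evaluated before the exception tables. HTTP from the world to the DMZ is not denied (the DMZ is not a protected zone) but is not a standard exception either, since the DMZ table lists only 22 and 443, so it goes to approval.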
Services to Allow Limited Access at the Perimeter Firewall

PORT | SERVICE | DESCRIPTION
22 | SSH | Secure Shell
25 | SMTP | The port a mail server receives mail on
53 | DNS | The port your Domain Name Service (DNS) listens to for DNS requests
67,68 | DHCP | The port your Dynamic Host Configuration Protocol (DHCP) server listens to for handing out IP addresses and network information
80 | HTTP | The port Web servers listen to by default
98 | Linuxconf | Linux-only, for the Linuxconf configuration program
110 | POP3 | The port a mail server listens to for clients to pick up mail from
111 | RPC portmap | Required by NFS servers and other RPC-based programs
113 | Auth | The port the ident server uses when a remote host wants to verify that the users are coming from the IP they claim to be coming from
119 | NNTP | Usenet (newsgroups)
123 | NTP | Network Time Protocol
137-139 | NetBIOS (Windows File and Print Sharing) | The ports Windows and Samba use for sharing drives and printers with other clients
143 | IMAP | The port a mail server listens to for clients using IMAP to read their mail instead of POP3
389 | LDAP | Lightweight Directory Access Protocol
443 | HTTPS | The port Web servers listen to by default for SSL-enabled Web activity
465 | SSMTP | SMTP over SSL
512-515 | *NIX-specific ports | *NIX-specific ports for the exec, biff, login, who, shell, syslog, and lpd programs to listen to
993 | SIMAP | IMAP over SSL
995 | SPOP3 | POP3 over SSL
1080 | SOCKS | SOCKS proxy
2049 | NFS | Used to export file systems to other *NIX-based computers
3128 | SQUID | Squid proxy
3306 | MySQL | The port the MySQL server listens to
5432 | PostgreSQL | The port the PostgreSQL server listens to
6000-6069 | X Windows | *NIX-only, for the X Windows GUI desktop
8080 | Proxy | Used by many Web caching proxy servers
Access to other services will be permitted on an as needed basis with approval by CSSD Security.
ICMP Services to Allow Inbound
MESSAGE TYPE | NAME
0 | Echo reply
3 | Destination Unreachable
11 | Time Exceeded
12 | Parameter Problem
30 | Traceroute
III. Definitions
Availability - Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.
Communications Network - A system of communications equipment and communication links (by line, radio, satellite, etc.), which enables computers to be separated geographically, while still ‘connected’ to each other.
Computer System - One or more computers, with associated peripheral hardware, with one or more operating systems, running one or more application programs, designed to provide a service to users.
Confidentiality - Assurance that the information is shared only among authorized persons or organizations. Breaches of Confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data, etc.
Cracker - A cracker is either a piece of software (program) whose purpose is to ‘crack’ the code (i.e.: a password), or ‘cracker’ refers to a person who attempts to gain unauthorized access to a computer system. Such persons are usually ill intentioned and perform malicious acts.
Data / Information - In the area of Information Security, data is processed, formatted, and re-presented, so that it gains meaning and thereby becomes information. Information Security is concerned with the protection and safeguard of that information, which in its various forms can be identified as Business Assets.
Default - A default is the setting, or value, that a computer program (or system) is given as a standard setting. It is likely to be the setting that ‘most people’ would choose.
Denial of Service - A Denial of Service (DoS) attack, is an Internet attack against a Web site whereby a client is denied the level of service expected. In a mild case, the impact can be unexpectedly poor performance. In the worst case, the server can become so overloaded as to cause a crash of the system.
Dual Homing – Concurrent connectivity from a computer or network device to more than one network. An example is being logged into the Corporate network via a local Ethernet connection while dialing into AOL or another Internet service provider (ISP).
e-Commerce - Electronic transaction, performed over the Internet – usually via the World Wide Web – in which the parties to the transaction agree, confirm, and initiate both payment and goods transfer.
Firewall - Security devices used to restrict access in communication networks. They prevent computer access between networks (i.e.: from the Internet to your corporate network), and only allow access to services, which are expressly registered.
Fix - An operational expedient that may be necessary if there is an urgent need to amend or repair data, or solve a software bug problem.
Hacker - An individual whose primary aim in life is to penetrate the security defenses of large, sophisticated, computer systems. A truly skilled hacker can penetrate a system right to the core, and withdraw again, without leaving a trace of the activity.
Incursion - A penetration of the system by an unauthorized source. Similar to an Intrusion, the primary difference is that Incursions are classed as ‘hostile’.
Integrity - Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose. The term integrity is used frequently when considering Information Security as it represents one of the primary indicators of security (or lack of it). The integrity of data is not only whether the data is ‘correct’, but also whether it can be trusted and relied upon. For example, making copies (say by e-mailing a file) of a sensitive document, threatens the integrity of information. By making one or more copies, the data is then at risk of change or modification.
Internet - A publicly accessible Wide Area Network that can be employed for communication between computers.
ISO - The International Organization for Standardization is a group of standards bodies from approximately 130 countries whose aim is to establish, promote and manage standards that facilitate the international exchange of goods and services.
ISP - An Internet Service Provider is a company that provides individuals and organizations with access to the Internet, plus a range of standard services such as e-mail and hosting of personal and corporate Web sites.
Intranet - A Local Area Network within an organization, which is designed to look like, and work in the same way as, the Internet. Intranets are essentially private networks, and are not accessible to the public.
Intrusion - The IT equivalent of trespassing. An uninvited and unwelcome entry into a system by an unauthorized source. While incursions are always seen as hostile, intrusions may be innocent.
IP Address - The IP address or ‘Internet Protocol’ is the numeric address that guides all Internet traffic, such as e-mail and Web traffic, to its destination.
Lab - A Lab is any non-production environment, intended specifically for developing, demonstrating, training and/or testing of a product.
Local Area Network - A private communications network owned and operated by a single organization within one location. The network may comprise one or more adjacent buildings. A local area network will normally be connected by hard-wired cables or short-range radio (wireless) equipment. A LAN will not use modems or telephone lines for internal communications, although it may well include such equipment to allow selected users to connect to the external environment.
Log on / off - The processes by which users start and stop using a computer system.
Network - A configuration of communications equipment and communication links by network cabling or satellite, which enables computers and their terminals to be geographically separated, while still connected to each other. See also Communications Network.
Network Administrator - Individual(s) responsible for the availability of the Network, and the controlling of its use.
Operating System - Computer programs that are primarily or entirely concerned with controlling the computer and its associated hardware, rather than processing work for users. Computers can operate without application software, but cannot run without an operating system.
Password - A string of characters put into a system by a user to substantiate their identity, and/or authority, and/or access rights, to the computer system that they wish to use.
Penetration - Intrusion, trespassing, unauthorized entry into a system.
Penetration Testing - The execution of a testing plan, where the sole purpose is to attempt to hack into a system using known tools and techniques.
Physical Security - Physical protection measures to safeguard the organization’s systems, including restrictions on entry to premises, restrictions on entry to computer department, locking/disabling equipment, disconnection, fire-resistant and tamper-resistant storage facilities, anti-theft measures, anti-vandal measures, etc.
Policy - A policy may be defined as ‘An agreed approach in theoretical form, which has been agreed to / ratified by a governing body, which defines direction and degrees of freedom for action’.
Privilege - Privilege is the term used throughout most (if not all) applications and systems to denote the level of operator permission, or authority. Privilege can be established at the file or folder (directory) level and can allow read only access, but prevent changes. Privileges can also refer to the extent to which a user is permitted to enter and confirm transactions / information within the system.
Privileged User - A user who, by virtue of function, and/or seniority, has been allocated powers within the computer system, which are significantly greater than those available to the majority of users.
Process - In computer terms, a process refers to one of the dozens of programs that are running to keep the computer running. When a software program is run, a number of processes may be started.
Production System - A system is said to be in production when it is in live, day-to-day operation.
Protocol - A set of formal rules describing how to transmit data, especially across a network. Low-level protocols define the electrical and physical standards to be observed, bit and byte ordering and the transmission and error detection and correction of the bit stream. High-level protocols deal with the data formatting, including the syntax of messages, the terminal to computer dialogue, character sets, sequencing of messages, etc.
Remote Access - Any access to Company X’s corporate network through a non-Company X controlled network, device, or medium.
Security Administrator - Individual(s) who are responsible for all security aspects of a system on a day-to-day basis.
Security Incident - A security incident is an alert to the possibility that a breach of security may be taking, or may have taken, place.
Sensitive Information - Information is considered sensitive if it can be damaging to the University or its reputation.
Split tunneling - Simultaneous direct access to a non-University network (such as the Internet, or a home network) from a remote device while connected into the University’s network via a VPN tunnel.
Spoofing - Spoofing is an alternative term for identity hacking and masquerading. The interception, alteration, and retransmission of data in an attempt to deceive the targeted recipient.
Spot Check - The term ’spot check’ comes from the need to validate compliance with procedures by performing impromptu checks on records and other files, which capture the organization’s day-to-day activities.
Unauthorized Disclosure - The intentional or unintentional revealing of restricted information to people who do not have a legitimate need to know that information.
VPN - Virtual Private Network (VPN) is a method for accessing a remote network via “tunneling” through the Internet.
IV. References
University Policy 10-02-06, Administrative University Data Security and Privacy.
CSSD Guideline GDL-2004-0803, Firewall Guidelines.
CSSD Procedure PRC-2004-0803, Firewall Procedures.