Firewall Policy

Introduction

The Center for Information Technology Services (CITS) manages the perimeter firewall, which is the location in the network that separates the Internet, Internet2, and other external network connections from the internal campus network. This firewall filters Internet traffic to mitigate the risks and potential losses associated with security threats to the campus network and information systems.

UMB is a distributed environment with corresponding local responsibilities. Support for campus enterprise applications is managed centrally.

Campus organizations should view firewalls as their first line of defense against external threats, although internal security must still be a top priority. Internal systems must be patched and configured in a timely manner. The perimeter firewall provides the first level of protection for the campus network and computing resources.

Purpose for Policy

The State of Maryland DoIT Security Policy requires all state agencies to have a firewall and develop a firewall policy that defines how the firewall rules may be adjusted. UMB CITS is the entity responsible for securing the UMB network environment. The purpose of this policy is to establish how firewall technology is installed in the campus network and to outline the firewall change management procedures. 

UMB’s Firewall Layers:

Perimeter Firewall Protection

A perimeter firewall layer is the location in the network that separates the Internet, Internet2, and other external network connections from the internal campus network. This perimeter firewall filters Internet traffic to mitigate the risks and potential losses associated with security threats to the campus network and information systems. 

Core Network Firewall Protection

A core network firewall layer is the location in the network that separates the major areas of the campus network. Examples of major network areas are campus buildings/networks, the computer center networks, and the wireless network. In addition, this firewall secures a number of other ‘zones’, controlling traffic between clients and servers and other parts of the UMB network.

Default Firewall Strategies

Schools/Buildings that have a Building Network Firewall can opt out of having the Campus Border Firewall block any traffic destined for their School/Building. Those schools will be responsible for defining their firewall policy to meet State Guidelines and possible review from the Office of Legislative Audits.

The UMB Student and Guest Wireless networks are blocked at the Core Network Firewall from accessing critical business-related systems, i.e., financial and other database servers.

Firewall Rule Modification Review

All requests for additions and/or changes are submitted via the Firewall Request Form, which will be converted to an online database scheduled for implementation September 2019. All requests are saved for audit compliance.

Firewall requests are accepted from system owner/admins only.  Requests from other users are forwarded to the system owner/admin for approval before being approved and implemented.

All firewall rule requests received will be reviewed and evaluated by the IT Security Officer and/or designee on a daily basis. Approved requests will be forwarded to the datacomm group for implementation the following business day. If an emergency rule is needed, this should be communicated in the original request.

A report containing firewall configuration changes is emailed from Firemon to CITS Security and Compliance on a daily basis for review to ensure that approved changes have occurred.