The purpose of this document is to establish an understanding of the function that a firewall plays in the overall security of Trinity University’s network.
The Trinity University department of Information Technology Services (ITS) manages a perimeter firewall with a backup firewall between its Internet connection and the Trinity University campus network to establish a secure environment for the campus network and computer resources. This firewall filters Internet traffic to mitigate the risks and potential losses associated with security threats to the campus network and information systems.
Firewall configuration rules and permissible services rules have been reached after an extended evaluation of costs and benefits. These rules must not be changed unless the permission of both the Information Security Administrator and the Director and Chief Information Technology Officer has first been obtained. Requests to change the Trinity University firewall rules must be submitted in writing or electronically, including a rationale for the request. Firewall changes will be implemented by a Senior Level Systems Administrator. All changes to firewall configuration parameters, enabled services, and permitted connectivity must be logged. These logs must be reviewed periodically to ensure that the firewalls are operating in a secure manner.
The authorized Senior Level Systems Administrator will evaluate the risk of opening the firewall to accommodate requests. Where the risk is acceptable, granting of requests will be dependent on network infrastructure limitations and the availability of required resources to implement the request. If the risk associated with a given request is deemed objectionable, then an explanation of the associated risks will be provided to the original requestor and alternative solutions will be explored.
All Trinity University firewalls must be located in locked rooms accessible only to those who must have physical access to such firewalls to perform the tasks assigned by management. The placement of firewalls in the open area of a general-purpose data processing center is prohibited, although placement within separately locked rooms or areas that are themselves within a general data processing center is acceptable.
The firewall will be configured to deny any service unless it is expressly permitted.
The firewall Operating System will be configured for maximum security.
The firewall product suite must reside on dedicated hardware.
The initial build and configuration of the firewall must be fully documented.
Security must not be compromised by the failure of any firewall component.