Firewall Standard - University of Pittsburgh

SECURITY STANDARD Firewalls

I. Introduction

This document describes the standard firewall rules that will be applied to all firewalls connected to the University’s networks. The University’s standard firewall is the Lucent Brick Firewall.

II. Standard

Firewall Overview

1) The University has implemented a “Security Zone” approach to firewall configuration and deployment. These “Security Zones” are implemented as rule-sets on University firewalls. Each firewall will provide multiple “Security Zones” to implement specific security controls for each zone. Default sets of “Security Zones” are created during the implementation of each University firewall as follows:

Workstation Zone
Server Zone
“Demilitarized” Zone (DMZ)

2) CSSD defines these “Security Zones” to be implemented for each firewall as follows:

Workstation Zone – The Workstation zone is designed to protect a University Unit’s workstations, network printers, and other local network devices (inside the firewall) from all other zones. Access to this zone from all other zones is restricted and controlled.

Server Zone – The Server zone is designed to protect a University Unit’s critical infrastructure such as domain controllers, file, print, intranet (internal web applications), application, and database servers. Access to this zone is limited to the Unit’s Workstation Zone.

DMZ Zone – The DMZ zone is designed to protect any server that is accessed by a broad audience, for example a web server accessed by users from around the world. This zone acts as a protective layer between those broadly accessed servers and a University Unit’s workstations and servers. Only necessary ports are allowed inbound to this zone. Additionally, the Unit’s Workstation and Server zones are allowed to access the DMZ zone.

Other Zones – Other Zones are specialized zones within a department. These zones are created on an as-needed basis. Other zones typically follow the same access controls as workstation zones but may vary according to needs. Examples of other zones are Labs, Classrooms, Development, Database, etc.

Guideline: STD-2004-0803 Revision: 0.4 Effective Date: October 26, 2004 Page 1 of 18

Exceptions to any zone can be created with CSSD Security approval in accordance with the standards presented in this document.

Firewall Configuration

1) All physical network interfaces or VLAN interfaces will be configured with static IP addresses.

2) Each physical firewall will be configured to support multiple virtual firewalls. Each virtual firewall has its own routing information, its own set of IP addresses, its own firewall policies, etc. through the use of partitions.

3) Serial port access will be enabled on each physical firewall to allow local console management. A unique secure password will be assigned to each physical firewall for local console management.

4) All rule-sets, rules, host groups and service groups will have a complete description. For example, the “VNC” service group description should read “VNC remote control application” and give the protocol and port, e.g. “TCP 5900”.

5) Host groups will be defined as local to each firewall. Host groups that are used across multiple firewalls will be defined as global. Local host group names will use mixed case; global host group names will use all upper case. When a host group is converted from local to global, its name will be changed to upper case.

6) Service groups will be defined as global to all firewalls. Service groups that are used on only one firewall will be defined as local to that firewall. Local service group names will use mixed case; global service group names will use all upper case.

7) All firewalls will be assigned a local console rule-set (“firewall”) and an administrative zone rule-set (“administrative zone”).


Firewall Rule-Sets

1) Rule-sets will be defined for each “Security Zone” (Workstation Zone, Server Zone, DMZ Zone) as needed. Multiple rule-sets may be defined for each “Security Zone”.

2) The system generated “firewall” rule-set will be assigned to the “local” interface for each firewall. The system generated “administrative zone” will be assigned to one of the network “etherX” interfaces for each firewall.

3) Rule-sets will be numbered according to the following ranges:

Range Low   Range High   Description
1           199          Reserved for future features
200         299          Firewall, Administration and Proxy rules
300         399          User Authentication rules
400         499          VPN rules
500         999          Reserved for future features
1000        64999        Administrator created rules
65000       65534        Reserved for future features
65535       65535        Default Drop-All rule
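The following Python check is an added example, not part of this standard and not Lucent Brick configuration (the Brick's own configuration format is not described on this page). It applies the conventions above to a constructed rule-set: every rule and group carries a description, global group names are all upper case and local ones mixed case, rule numbers fall in the system ranges (200-499) or the administrator range (1000-64999), and the rule-set ends with the Default Drop-All rule at 65535. The Rule and Group classes and the sample data are assumptions made for illustration.

```python
"""Lint a firewall rule-set against the naming and numbering conventions
in this standard.

Added example; not code from the standard or from the Lucent Brick
firewall. The Rule/Group model is an assumed, simplified representation.
"""
from dataclasses import dataclass
from typing import List

SYSTEM_RANGE = range(200, 500)       # 200-299 firewall/admin/proxy, 300-399 user auth, 400-499 VPN
ADMIN_RANGE = range(1000, 65000)     # 1000-64999: administrator created rules
DEFAULT_DROP = 65535                 # Default Drop-All rule; everything else is reserved


@dataclass
class Group:
    name: str
    scope: str          # "local" (one firewall) or "global" (shared across firewalls)
    description: str


@dataclass
class Rule:
    number: int
    description: str
    action: str         # "pass" or "drop"
    source: str = "Any"
    destination: str = "Any"


def lint_group(group: Group) -> List[str]:
    """Global groups are ALL UPPER CASE, local groups mixed case, and every
    group carries a description (e.g. 'VNC remote control application, TCP 5900')."""
    problems = []
    if not group.description.strip():
        problems.append(f"group {group.name!r}: missing description")
    if group.scope == "global" and group.name != group.name.upper():
        problems.append(f"group {group.name!r}: global group names must be all upper case")
    if group.scope == "local" and group.name == group.name.upper():
        problems.append(f"group {group.name!r}: local group names must be mixed case")
    return problems


def lint_groups(groups: List[Group]) -> List[str]:
    return [p for g in groups for p in lint_group(g)]


def lint_ruleset(rules: List[Rule]) -> List[str]:
    """Check numbering ranges, ordering, descriptions and the trailing Drop-All rule."""
    problems = []
    numbers = [r.number for r in rules]
    if len(numbers) != len(set(numbers)):
        problems.append("duplicate rule numbers")
    if numbers != sorted(numbers):
        problems.append("rules are not in ascending number order")
    for r in rules:
        if not r.description.strip():
            problems.append(f"rule {r.number}: missing description")
        if r.number == DEFAULT_DROP:
            if (r.action, r.source, r.destination) != ("drop", "Any", "Any"):
                problems.append(f"rule {r.number}: 65535 is reserved for the default Drop-All rule")
        elif not (r.number in ADMIN_RANGE or r.number in SYSTEM_RANGE):
            problems.append(f"rule {r.number}: outside the administrator range 1000-64999 (reserved)")
    if not rules or rules[-1].number != DEFAULT_DROP:
        problems.append("rule-set does not end with the default Drop-All rule (65535)")
    return problems


# Constructed sample data (assumed names, not taken from any real firewall).
EXAMPLE_GROUPS = [
    Group("WEBSERVERS", "global", "Public web servers shared across firewalls"),
    Group("Vnc", "local", "VNC remote control application, TCP 5900"),
    Group("PRINTERS", "local", "Network printers"),   # wrong: local group in upper case
    Group("Dns", "global", ""),                       # wrong: global group in mixed case, no description
]
EXAMPLE_RULES = [
    Rule(1000, "Allow any outbound from workstations", "pass", "Workstations"),
    Rule(1010, "", "pass", "DATACOM_MGMT", "Workstations"),   # missing description
    Rule(700, "Allow ICMP type 3 inbound", "pass"),            # reserved range, and out of order
    Rule(65535, "Default Drop-All", "drop"),
]

if __name__ == "__main__":
    for problem in lint_groups(EXAMPLE_GROUPS) + lint_ruleset(EXAMPLE_RULES):
        print(problem)
```

Running the script prints three group findings (PRINTERS in upper case; Dns in mixed case and undocumented) and three rule-set findings (out-of-order numbering, rule 1010 undocumented, rule 700 in a reserved range). The Drop-All check is the one most worth keeping in any such linter: a rule-set that ends with a Pass instead of 65535 is fail-open.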

TCP State Enforcement

PITTNET firewalls should track TCP state for every established session so that firewall protections are not bypassed. A proper timeout for each session type should be researched and set so that a properly opened TCP session can resume when necessary (because it still has an active cache entry), while sessions that did not close properly, or that will not be resumed after some idle time, are not kept in the cache indefinitely. Note that this is a significant problem with Windows hosts, which frequently leave open sockets unclosed.


Workstation Zone Rule-Set Table

Rule Description | Rule Number | Protocol | Port/Type | Direction | Source Address | Destination Address | Action
Allow any outbound from workstations | - | Any | Any | Out | Workstations in workstation zone | Any | Pass
Allow any traffic from datacom management machines | - | Any | Any | In | Datacom management machines | Workstations in workstation zone | Pass
Allow any traffic from management VLAN 1 | - | Any | Any | In | VLAN-1 management machines | Workstations in workstation zone | Pass
Allow any traffic from 1st upstream router interface | - | Any | Any | In | First upstream router interface | Workstations in workstation zone | Pass
Allow broadcast traffic from 1st upstream router interface | - | Any | Any | In | First upstream router interface | Broadcast addresses in workstation zone | Pass
Allow ICMP destination unreachable messages to be returned | - | ICMP | 3 | In | Any | Workstations in workstation zone | Pass
Allow ICMP time/TTL exceeded messages to be returned | - | ICMP | 11 | In | Any | Workstations in workstation zone | Pass
Allow ICMP parameter problem messages to be returned | - | ICMP | 12 | In | Any | Workstations in workstation zone | Pass
Allow ICMP traceroute return | - | ICMP | 30 | In | Any | Workstations in workstation zone | Pass


Server Zone Rule-Set Table

Rule Description | Rule Number | Protocol | Port/Type | Direction | Source Address | Destination Address | Action
Allow any outbound from servers | - | Any | Any | Out | Servers in server zone | Any | Pass
Allow any traffic from workstation zone | - | Any | Any | In | Workstations in workstation zone | Servers in server zone | Pass
Allow any traffic from datacom management machines | - | Any | Any | In | Datacom management machines | Servers in server zone | Pass
Allow any traffic from management VLAN 1 | - | Any | Any | In | VLAN-1 management machines | Servers in server zone | Pass
Allow any traffic from 1st upstream router interface | - | Any | Any | In | First upstream router interface | Servers in server zone | Pass
Allow broadcast traffic from 1st upstream router interface | - | Any | Any | In | First upstream router interface | Broadcast addresses in server zone | Pass
Allow ICMP destination unreachable messages to be returned | - | ICMP | 3 | In | Any | Servers in server zone | Pass
Allow ICMP time/TTL exceeded messages to be returned | - | ICMP | 11 | In | Any | Servers in server zone | Pass
Allow ICMP parameter problem messages to be returned | - | ICMP | 12 | In | Any | Servers in server zone | Pass
Allow ICMP traceroute return | - | ICMP | 30 | In | Any | Servers in server zone | Pass


DMZ Zone Rule-Set Table

Rule Description | Rule Number | Protocol | Port/Type | Direction | Source Address | Destination Address | Action
Allow any outbound from servers in DMZ | - | Any | Any | Out | Servers in DMZ zone | Any | Pass
Allow any traffic from workstation zone | - | Any | Any | In | Workstations in workstation zone | Servers in DMZ zone | Pass
Allow any traffic from datacom management machines | - | Any | Any | In | Datacom management machines | Servers in DMZ zone | Pass
Allow any traffic from management VLAN 1 | - | Any | Any | In | VLAN-1 management machines | Servers in DMZ zone | Pass
Allow any traffic from 1st upstream router interface | - | Any | Any | In | First upstream router interface | Servers in DMZ zone | Pass
Allow broadcast traffic from 1st upstream router interface | - | Any | Any | In | First upstream router interface | Broadcast addresses in DMZ zone | Pass
Allow ICMP destination unreachable messages to be returned | - | ICMP | 3 | In | Any | Servers in DMZ zone | Pass
Allow ICMP time/TTL exceeded messages to be returned | - | ICMP | 11 | In | Any | Servers in DMZ zone | Pass
Allow ICMP parameter problem messages to be returned | - | ICMP | 12 | In | Any | Servers in DMZ zone | Pass
Allow ICMP traceroute return | - | ICMP | 30 | In | Any | Servers in DMZ zone | Pass
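The evaluator below is an added example, not part of this standard and not Lucent Brick configuration. It encodes the rows of the three zone tables above (the Server and DMZ tables share the Workstation table's rows plus "Allow any traffic from workstation zone"), adds the SSH/HTTPS exception from the DMZ exceptions table further down, and decides a flow by walking the rule-set top to bottom with rule 65535 (Default Drop-All) catching everything else. Two things are assumptions for illustration: first-match ordering, since the tables leave the Rule Number column blank, and the address-group labels (WORKSTATIONS, SERVERS, DMZ_SERVERS, DATACOM_MGMT, VLAN1_MGMT, UPSTREAM_ROUTER, BROADCAST_*, and INTERNET for an arbitrary outside host).

```python
"""Evaluate traffic against the zone rule-set tables in this standard.

Added example; not code from the standard or the Lucent Brick firewall.
First-match evaluation and the address-group names are assumptions.
"""
from typing import List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    proto: str              # "tcp", "udp" or "icmp"
    port: Optional[int]     # TCP/UDP destination port, or ICMP message type
    direction: str          # "in" or "out", relative to the protected zone
    src: str                # address-group name
    dst: str


class Rule(NamedTuple):
    description: str
    proto: str              # "any", "tcp", "udp" or "icmp"
    port: Optional[int]     # None = any port / any ICMP type
    direction: str
    src: str                # "ANY" or an address-group name
    dst: str
    action: str             # "Pass" or "Drop"


def zone_ruleset(protected: str, from_workstations: bool = False) -> List[Rule]:
    """Rows of the zone tables. `protected` is the group the zone guards; the
    Server and DMZ tables also pass anything from the workstation zone."""
    rules = [Rule("Allow any outbound", "any", None, "out", protected, "ANY", "Pass")]
    if from_workstations:
        rules.append(Rule("Allow any traffic from workstation zone",
                          "any", None, "in", "WORKSTATIONS", protected, "Pass"))
    rules += [
        Rule("Allow any traffic from datacom management machines",
             "any", None, "in", "DATACOM_MGMT", protected, "Pass"),
        Rule("Allow any traffic from management VLAN 1",
             "any", None, "in", "VLAN1_MGMT", protected, "Pass"),
        Rule("Allow any traffic from 1st upstream router interface",
             "any", None, "in", "UPSTREAM_ROUTER", protected, "Pass"),
        Rule("Allow broadcast traffic from 1st upstream router interface",
             "any", None, "in", "UPSTREAM_ROUTER", "BROADCAST_" + protected, "Pass"),
        Rule("Allow ICMP destination unreachable", "icmp", 3, "in", "ANY", protected, "Pass"),
        Rule("Allow ICMP time/TTL exceeded", "icmp", 11, "in", "ANY", protected, "Pass"),
        Rule("Allow ICMP parameter problem", "icmp", 12, "in", "ANY", protected, "Pass"),
        Rule("Allow ICMP traceroute return", "icmp", 30, "in", "ANY", protected, "Pass"),
    ]
    return rules


# Administrator-created exception from the DMZ exceptions table: SSH and
# HTTPS from anywhere into the DMZ (ports 22 and 443 only).
DMZ_EXCEPTIONS = [
    Rule("Allow SSH from anywhere to DMZ", "tcp", 22, "in", "ANY", "DMZ_SERVERS", "Pass"),
    Rule("Allow HTTPS from anywhere to DMZ", "tcp", 443, "in", "ANY", "DMZ_SERVERS", "Pass"),
]

WORKSTATION_RULES = zone_ruleset("WORKSTATIONS")
SERVER_RULES = zone_ruleset("SERVERS", from_workstations=True)
DMZ_RULES = zone_ruleset("DMZ_SERVERS", from_workstations=True) + DMZ_EXCEPTIONS


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.proto in ("any", flow.proto)
            and rule.port in (None, flow.port)
            and rule.src in ("ANY", flow.src)
            and rule.dst in ("ANY", flow.dst))


def decide(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, deciding rule). With no match, rule 65535 drops."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.description
    return "Drop", "65535 Default Drop-All"


def evaluate(rules: List[Rule], flow: Flow) -> str:
    return decide(rules, flow)[0]


if __name__ == "__main__":
    samples = [
        ("workstation", WORKSTATION_RULES, Flow("tcp", 5900, "in", "INTERNET", "WORKSTATIONS")),
        ("workstation", WORKSTATION_RULES, Flow("icmp", 3, "in", "INTERNET", "WORKSTATIONS")),
        ("dmz", DMZ_RULES, Flow("tcp", 443, "in", "INTERNET", "DMZ_SERVERS")),
        ("dmz", DMZ_RULES, Flow("tcp", 80, "in", "INTERNET", "DMZ_SERVERS")),
    ]
    for zone, rules, flow in samples:
        print(zone, flow, "->", decide(rules, flow))
```

Note what the default tables do and do not permit: inbound VNC (TCP 5900) or an ICMP echo request to a workstation falls through to Drop-All, while anything at all from the datacom management machines, VLAN 1 or the upstream router interface is passed. Those three management sources are therefore the rows to audit most carefully on a real firewall, since a compromised host in any of them reaches every zone.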


Workstation Allowed Firewall Exceptions

Service Description | Traffic Source | Traffic Destination | Destination Port | Notes
NetBIOS, MS-DS, Exchange mail notification | Server Zone | Workstation Zone | TCP/UDP: 135, 136, 137, 138, 139, 445; UDP: 1024-65000 (Exchange mail notification) |


Server Zone Allowed Firewall Exceptions

Service Description | Traffic Source | Traffic Destination | Destination Port | Notes
NetBIOS, MS-DS, Exchange mail notification | Workstation Zone | Server Zone | TCP/UDP: 135, 136, 137, 138, 139, 445 |
Active Directory replication | PITTNET (no dorms) | Server Zone | AD replication ports | Allows departmental domain controllers to replicate with the University’s Active Directory tree.
SSH, SFTP, SCP, SSL | 1. Workstation Zone; 2. Specific IP addresses that are not gateway hosts | Server Zone | 22, 443 |
IMAP, POP3, SMTP | Workstation Zone only | Server Zone | 143, 110, 25 | Allows users in the Workstation zone to access mail from a server located in the Server Zone. Note: mail servers that serve users located outside the Workstation zone must be placed in the DMZ.
Print services | Workstation Zone | Server Zone | Any defined print service (9100, 515, etc.) | Allows users in the Workstation zone to access print servers located in the Server zone.


Demilitarized Zone Allowed Firewall Exceptions

Service Description | Traffic Source | Traffic Destination | Destination Port | Notes
SSH, SCP, SFTP, HTTPS, HTTP | World | DMZ Zone | 22, 443 | Allows traffic from anywhere to reach resources in the DMZ over encrypted channels. This would primarily be used for access to publicly-accessible data.

Services Blocked on all Firewall Zones

Service Description | Traffic Source | Traffic Destination | Destination Port | Notes
PC Anywhere, Terminal Services, Remote Desktop, Citrix, Telnet, VNC, SQL, and most plain-text services | Anywhere | Server or Workstation zones | Any | Blocks unencrypted remote administration services into protected firewall zones.


Services to Allow Limited Access at the Perimeter Firewall

Port       Service               Description
22         SSH                   Secure Shell
25         SMTP                  The port a mail server receives mail on
53         DNS                   The port a Domain Name Service (DNS) server listens on for DNS requests
67, 68     DHCP                  The ports a Dynamic Host Configuration Protocol (DHCP) server listens on to hand out IP addresses and network information
80         HTTP                  The port Web servers listen on by default
98         Linuxconf             Linux only, for the Linuxconf configuration program
110        POP3                  The port a mail server listens on for clients to pick up mail
111        RPC portmap           Required by NFS servers and other RPC-based programs
113        Auth                  The port the ident server uses when a remote host wants to verify that users are coming from the IP they claim to be coming from
119        NNTP                  Usenet (newsgroups)
123        NTP                   Network Time Protocol
137-139    NetBIOS               Windows File and Print Sharing; the ports Windows and Samba use for sharing drives and printers with other clients
143        IMAP                  The port a mail server listens on for clients using IMAP instead of POP3 to read their mail
389        LDAP                  Lightweight Directory Access Protocol
443        HTTPS                 The port Web servers listen on by default for SSL-enabled Web activity
465        SSMTP                 SMTP over SSL
512-515    *NIX-specific ports   Ports for the exec, biff, login, who, shell, syslog, and lpd programs
993        SIMAP                 IMAP over SSL
995        SPOP3                 POP3 over SSL
1080       SOCKS                 SOCKS proxy
2049       NFS                   Used to export file systems to other *NIX-based computers
3128       Squid                 Squid proxy
3306       MySQL                 The port the MySQL server listens on
5432       PostgreSQL            The port the PostgreSQL server listens on
6000-6069  X Window System       *NIX only, for the X Window System GUI desktop
8080       Proxy                 Used by many Web caching proxy servers

Access to other services will be permitted on an as needed basis with approval by CSSD Security.

ICMP Services to Allow Inbound

Message Type   Name
0              Echo Reply
3              Destination Unreachable
11             Time Exceeded
12             Parameter Problem
30             Traceroute

III. Definitions


Availability - Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.

Communications Network - A system of communications equipment and communication links (by line, radio, satellite, etc.), which enables computers to be separated geographically, while still ‘connected’ to each other.

Computer System - One or more computers, with associated peripheral hardware, with one or more operating systems, running one or more application programs, designed to provide a service to users.

Confidentiality - Assurance that the information is shared only among authorized persons or organizations. Breaches of Confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data, etc.

Cracker - Either a piece of software whose purpose is to ‘crack’ a code (e.g. a password), or a person who attempts to gain unauthorized access to a computer system. Such persons are usually ill-intentioned and perform malicious acts.

Data / Information - In the area of Information Security, data is processed, formatted, and re-presented, so that it gains meaning and thereby becomes information. Information Security is concerned with the protection and safeguard of that information, which in its various forms can be identified as Business Assets.

Default - A default is the setting, or value, that a computer program (or system) is given as a standard setting. It is likely to be the setting that ‘most people’ would choose.

Denial of Service - A Denial of Service (DoS) attack is an attack against a network service or Web site whereby legitimate clients are denied the level of service expected. In a mild case, the impact is unexpectedly poor performance; in the worst case, the server becomes so overloaded that the system crashes.

Dual Homing – Concurrent connectivity from a computer or network device to more than one network. Example: being connected to the University network via a local Ethernet connection while dialing into AOL or another Internet service provider (ISP).


e-Commerce - Electronic transaction, performed over the Internet – usually via the World Wide Web – in which the parties to the transaction agree, confirm, and initiate both payment and goods transfer.

Firewall - A security device used to restrict access between communication networks. Firewalls block access between networks (e.g. from the Internet to an internal network) and allow only those services that are expressly permitted.

Fix - An operational expedient that may be necessary if there is an urgent need to amend or repair data, or solve a software bug problem.

Hacker - An individual who attempts to penetrate the security defenses of large, sophisticated computer systems. A skilled hacker can penetrate a system to its core and withdraw again without leaving a trace of the activity.

Incursion - A penetration of the system by an unauthorized source. Similar to an Intrusion, the primary difference is that Incursions are classed as ‘hostile’.

Integrity - Assurance that information is authentic and complete, and that it can be relied upon to be sufficiently accurate for its purpose. The term is used frequently in Information Security because it is one of the primary indicators of security (or the lack of it). The integrity of data concerns not only whether the data is ‘correct’ but also whether it can be trusted and relied upon. For example, making copies (say by e-mailing a file) of a sensitive document threatens the integrity of the information: each copy is then at risk of change or modification.

Internet - A publicly accessible Wide Area Network that can be employed for communication between computers.

ISO - The International Organization for Standardization is a group of standards bodies from approximately 130 countries whose aim is to establish, promote and manage standards that facilitate the international exchange of goods and services.

ISP - An Internet Service Provider is a company that provides individuals and organizations with access to the Internet, plus a range of standard services such as e-mail and hosting of personal and corporate Web sites.

Intranet - A Local Area Network within an organization, which is designed to look like, and work in the same way as, the Internet. Intranets are essentially private networks, and are not accessible to the public.


Intrusion - The IT equivalent of trespassing. An uninvited and unwelcome entry into a system by an unauthorized source. While incursions are always seen as hostile, intrusions may be innocent.

IP Address - An Internet Protocol (IP) address is the numeric address that guides all Internet traffic, such as e-mail and Web traffic, to its destination.

Lab - A Lab is any non-production environment, intended specifically for developing, demonstrating, training and/or testing of a product.

Local Area Network - A private communications network owned and operated by a single organization within one location. The network may comprise one or more adjacent buildings. A local area network will normally be connected by hard-wired cables or short-range radio (wireless) equipment. A LAN will not use modems or telephone lines for internal communications, although it may well include such equipment to allow selected users to connect to the external environment.

Log on / off - The processes by which users start and stop using a computer system.

Network - A configuration of communications equipment and communication links by network cabling or satellite, which enables computers and their terminals to be geographically separated, while still connected to each other. See also Communications Network.

Network Administrator - Individual(s) responsible for the availability of the Network, and the controlling of its use.

Operating System - Computer programs that are primarily or entirely concerned with controlling the computer and its associated hardware, rather than processing work for users. Computers can operate without application software, but cannot run without an operating system.

Password - A string of characters put into a system by a user to substantiate their identity, and/or authority, and/or access rights, to the computer system that they wish to use.

Penetration - Intrusion, trespassing, unauthorized entry into a system.

Penetration Testing - The execution of a testing plan, where the sole purpose is to attempt to hack into a system using known tools and techniques.


Physical Security - Physical protection measures to safeguard the organization’s systems, including restrictions on entry to premises, restrictions on entry to computer department, locking/disabling equipment, disconnection, fire-resistant and tamper-resistant storage facilities, anti-theft measures, anti-vandal measures, etc.

Policy - A policy may be defined as ‘An agreed approach in theoretical form, which has been agreed to / ratified by a governing body, which defines direction and degrees of freedom for action’.

Privilege - Privilege is the term used throughout most (if not all) applications and systems to denote the level of operator permission, or authority. Privilege can be established at the file or folder (directory) level and can allow read only access, but prevent changes. Privileges can also refer to the extent to which a user is permitted to enter and confirm transactions / information within the system.

Privileged User - A user who, by virtue of function, and/or seniority, has been allocated powers within the computer system, which are significantly greater than those available to the majority of users.

Process - In computer terms, a process is one of the many programs running to keep the computer operating. When a software program is run, a number of processes may be started.

Production System - A system is said to be in production when it is in live, day-to-day operation.

Protocol - A set of formal rules describing how to transmit data, especially across a network. Low-level protocols define the electrical and physical standards to be observed, bit and byte ordering and the transmission and error detection and correction of the bit stream. High-level protocols deal with the data formatting, including the syntax of messages, the terminal to computer dialogue, character sets, sequencing of messages, etc.

Remote Access - Any access to the University’s network through a network, device, or medium not controlled by the University.

Security Administrator - Individual(s) who are responsible for all security aspects of a system on a day-to-day basis.

Security Incident - A security incident is an alert to the possibility that a breach of security may be taking, or may have taken, place.


Sensitive Information - Information is considered sensitive if its disclosure could damage the University or its reputation.

Split tunneling - Simultaneous direct access to a non-University network (such as the Internet or a home network) from a remote device while connected to the University’s network via a VPN tunnel.

Spoofing - Spoofing is an alternative term for identity hacking and masquerading. The interception, alteration, and retransmission of data in an attempt to deceive the targeted recipient.

Spot Check - The term ’spot check’ comes from the need to validate compliance with procedures by performing impromptu checks on records and other files, which capture the organization’s day-to-day activities.

Unauthorized Disclosure - The intentional or unintentional revealing of restricted information to people who do not have a legitimate need to know that information.

VPN - Virtual Private Network (VPN) is a method for accessing a remote network via “tunneling” through the Internet.


IV. References

University Policy 10-02-06, Administrative University Data Security and Privacy.

CSSD Guideline GDL-2004-0803, Firewall Guidelines.

CSSD Procedure PRC-2004-0803, Firewall Procedures.
