Contact: Network Security, security@uchicago.edu, 773.702.CERT

Requirements for Managed (Hardware) Firewalls
These rules govern all firewalls and devices that provide network address translation installed on the University's network. Firewalls which do not meet these minimum requirements must not be installed on the network and may be removed.

For the purposes of this document, a firewall is defined as any device which: a) sits between multiple computers and the University network, and b) filters traffic or translates network addresses. Firewalls which are installed in front of a single computer (that is, host firewalls) are exempt from this document.

  • All firewalls must be registered with the Network Security Center.
  • Firewalls may not be placed in front of networking equipment run by NSIT.
  • The organization installing the firewall agrees to act as the first line of support for all networking issues involving machines behind the firewall. If NSIT is contacted by someone trying to connect through the firewall, that person may be directed to contact the firewall maintainers.
  • If the firewall runs any sort of address translation for more than one machine, the maintainers must keep at least three months of logs indicating which machine made every connection through the firewall. The maintainers must provide this information to NSIT/the Network Security Center upon request.
  • The firewall must allow through connections from NSIT that are necessary to ensure the integrity of the data network and to allow for vulnerability scans by the Network Security Center.
  • If a machine behind the firewall is in violation of the Eligibility and Acceptable Use Policy and would normally be removed from the network, the firewall will be removed from the network (isolating all machines behind it).
  • The organization installing the firewall understands that many modern threats to security are specifically designed to bypass firewalls. Machines behind firewalls must be kept secure.