WNC operates perimeter firewalls between the Internet and its private internal network in order to create a secure operating environment for WNC's computer and network resources. A firewall is just one element of a layered approach to network security. The purpose of this Firewall Policy is to describe how WNC's firewalls will filter Internet traffic in order to mitigate risks and losses associated with security threats, while maintaining appropriate levels of access for business users.
The Firewall Policy is subordinate to WNC's general Security Policy, as well as any governing laws or regulations.
Firewall - Computer hardware or software that prevents unauthorized access to private data (as on a local area network) by outside computer users (as of the Internet).
This Firewall Policy refers specifically to the WNC firewalls.
The role of the firewalls is to help WNC keep unauthorized visitors from accessing valuable college resources.
· Stop attacks before they penetrate the network perimeter
· Protect resources and data, as well as voice, video, and multimedia traffic
· Control network and application activity
· Reduce deployment and operational costs
WNC's Firewalls will (at minimum) perform the following security services:
· Access control between the trusted internal network and untrusted external networks
· Block unwanted traffic as determined by the firewall rule set
· Hide vulnerable internal systems from the Internet
· Hide information such as system names, network topologies, and internal user IDs from the Internet
· Log traffic to and from the internal network
· Provide virtual private network (VPN) connectivity
All employees of WNC are subject to this policy.
Computing Services is responsible for implementing and maintaining WNC firewalls, as well as for enforcing and updating this policy. Logon access to firewalls will be restricted to a primary firewall administrator. Password construction for firewalls will be consistent with the strong password creation practices outlined in WNC's Password Policy.
Any questions or concerns regarding WNC firewalls should be directed to the Network/Server Support Analyst.
The approach adopted to define firewall rule sets is that all services will be denied by the firewall unless expressly permitted in this policy. WNC firewalls permit the following outbound and inbound Internet traffic.
· Outbound - All Internet traffic to hosts and services outside of WNC
· Inbound - Only Internet traffic from outside WNC that supports the college mission of WNC as defined by NSHE policy
WNC employees may request changes to firewall configurations in order to allow previously disallowed traffic. A firewall change request form, with full justification, must be submitted to the Computing Services department for approval. All requests will be assessed by the Computing Services Administrator to determine if they fall within the parameters of acceptable risk. If approval is given, the Network/Server Support Analyst will make the changes and note those changes in the Firewall Change Order spreadsheet. In an emergency threatening the network, the Network/Server Support Analyst may make a temporary change without the Computing Services Administrator's or director's approval. In that case, approval would be sought as soon as the Computing Services Administrator or director is available and all changes would be recorded on the Firewall Change Order spreadsheet. Requested approvals are not guaranteed as associated risks may be deemed too high. If this is the case, an explanation will be provided to the original requestor and alternative solutions will be explored.
Turnaround time for the above stated firewall reconfiguration and network access requests is approximately five (5) days from the receipt of the request form.
Firewall logs will be archived for 10 days. Firewall logs will be reviewed weekly.
Wherever possible, technological tools will be used to enforce this policy and mitigate security risks. Any employee who is found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Date Adopted: March 15, 2011
Dates Revised: