Firewall Management Standard

1. Description

Firewalls play a crucial role as the first line of defense in safeguarding the confidentiality, integrity, and availability of university information systems and data. This standard sets forth guidelines for ensuring the secure setup, administration, and supervision of firewalls to reduce the potential threats linked to unauthorized entry and network-based assaults.

2. Scope

This standard applies to all firewalls deployed within the university's network infrastructure, including those managed by Library and Technology Services (LTS) and any decentralized units.

3. Security Requirements

NIST 800-171 references the following security requirements relevant to firewall management:

• 3.13.1: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.  

• 3.13.5: Control the flow of CUI in accordance with approved authorizations.

• 3.13.7: Employ boundary protection devices, such as firewalls, to monitor and control communications at the external and internal boundaries of the system.

• 3.13.11: Employ intrusion detection systems to monitor network traffic for suspicious activity and aid in identifying unauthorized use of information systems.

Other compliance requirements:

• HIPAA: Implement technical safeguards to protect ePHI, including firewalls to control access to systems containing ePHI.

• PCI DSS: Install and maintain network security controls, such as firewalls, to protect cardholder data.

4. Implementation

   1. Firewall Configuration:

      1. All firewalls must be configured in accordance with Lehigh’s configuration standards based on industry best practices and security hardening guidelines.

      2. Firewall rulesets should be regularly reviewed and updated to reflect current network requirements and security threats.

         1. Failure to reauthorize the rule should default to expire the rule.

         2. Rules that would make the device publicly addressable will require the device run LTS anti-malware & IDS tools as well as configured for credentialed scans by LTS vulnerability management systems. Discovered vulnerabilities must be addressed.

      3. Default deny policies should be implemented, allowing only explicitly authorized traffic.

      4. Firewall configurations must be documented and version controlled.

   2. Firewall Management:

      1. Firewall administration access should be restricted to authorized personnel with appropriate training.

      2. Firewall changes must be subject to a formal change management process, including review and approval.

      3. Firewall logs should be centrally collected and monitored for suspicious activity.

      4. Regular vulnerability assessments and penetration testing should be conducted on firewalls.

   3. Firewall Monitoring:

      1. Real-time monitoring of firewall activity should be implemented to detect and respond to potential security incidents.

      2. Firewall logs should be retained for a minimum period as defined by the university's data retention policy.

      3. Security alerts generated by firewalls should be promptly investigated and addressed.

5. Related

This Firewall Management Standard is created under the Information Security Policy and is related to the following standards:

• Incident Response Standard

• Vulnerability Management Standard

• Change Management Standard

6. Definitions

• Firewall: A network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.  

7. References

• NIST 800-171 Rev. 2

• HIPAA Security Rule

• PCI DSS

8. Revision History