Policy # : 04-01
Effective: July 1, 2004
Subject: Firewall Exceptions
To describe the means by which one may request exceptions to the college's firewall rules.
POLICY APPLIES TO
All full and part-time employees of the college and other authorized users of the college's networks.
In short, a firewall is a device that can be placed at the edge of the network and configured to block network communication from untrusted sources, thus preventing attacks from ever reaching the computers located behind it. By our design, the firewalls are configured to block all unsolicited incoming traffic except ICMP.
The installation of the firewalls, and their restrictive nature, brings with it the problem of legitimate network communication being blocked. Normally, this blocking can be overcome by the use of our approved VPN software. The process of obtaining the VPN software and the necessary account changes can be initiated either through a service request or by contacting Information Systems and Services directly. VPN connections allow legitimate users to bypass the firewall. There are certain services, however, for which VPN will not suffice, such as a web server. Thus, the following requirements and instructions have been established for requesting an exception to the blocking, by which ports (i.e., holes) are opened in the firewall.
Requirements for Exceptions to Blocking
- Security patches must be installed in a timely fashion on networked computers for which ports are opened, usually within one week of the release of the patch. Occasional audits will be done to ensure that the latest security patches have been installed.
- If the computer is found to be compromised, it will be disconnected from the network and the ports opened for it on the firewall will be closed until the user can assure us that the computer has been cleaned and updated with the latest security patches.
- If the same computer is repeatedly compromised, the ports opened for it on the firewall will be closed indefinitely.
These steps may seem harsh but are necessary because if a single computer on the inside of the firewall becomes compromised, it could then attack the entire network unrestricted, potentially compromising many computers on the network.
How to Request Exceptions
Those requesting exceptions to firewall blocking should complete the Firewall Exceptions Form.
Exceptions will be reviewed carefully, and those found to pose too high a risk, or whose operating system or application lacks a proven security record, may be denied.