Network Firewall Standard


To ensure authorized access and to prevent unauthorized access to University information and IT resources, select networked systems must be protected through the use of network firewalls. Network firewalls reduce risk by restricting access to the system, application, or data to those who require it.

Security Controls

Network Firewall

The following table defines the baseline security controls for network-based firewalls.

Each control lists its requirement at the High, Medium and Low security levels.

NF.A.01  Segmentation of traffic with a dedicated network firewall
         High: Required | Medium: Recommended | Low: Optional

NF.A.02  Enable in default deny mode (deny all traffic) and permit the minimum necessary services
         High: Required | Medium: Required | Low: Required (effective July 2019 at all levels)

NF.A.03  Document the firewall rules including purpose, justification, and approvals for use of all services, protocols, and ports allowed. For insecure protocols, include the additional security features implemented for the protocol
         High: Required | Medium: Required (effective July 2019) | Low: not specified

NF.A.04  Configure network to deny all traffic upon firewall failure
         High: Required | Medium: Required | Low: Required (effective July 2019 at all levels)

NF.A.05  Review usage of firewall rules and remove rules that are no longer needed (suggest: annual) [1]
         High: Required | Medium: Recommended | Low: Recommended

[1] PCI DSS requires a review of firewall rules every 6 months for all systems that store, process or transmit cardholder data, or support the credit card processing environment.
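As an added example (not part of the standard), the script below checks an iptables-save dump against NF.A.02 and NF.A.03: every built-in chain must default to DROP, every ACCEPT rule must carry a comment recording purpose, justification and approval, and rules that permit cleartext protocols must also record the compensating controls. The comment field names, the ports treated as insecure, and the sample dump are conventions constructed for this example.

```python
"""Audit an iptables-save dump against NF.A.02 (default deny) and
NF.A.03 (documented, justified, approved rules). Added example; the
comment field names are an assumed local convention, not part of the standard."""
import re

REQUIRED_FIELDS = ("purpose=", "justification=", "approved=")
# Cleartext protocols for which NF.A.03 wants the compensating controls documented.
INSECURE_PORTS = {"21": "ftp", "23": "telnet"}
COMMENT_RE = re.compile(r'--comment (?:"([^"]*)"|(\S+))')
DPORT_RE = re.compile(r"--dport (\d+)")

# Constructed sample dump (not from a real host); three violations are planted.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "purpose=loopback; justification=local IPC; approved=CR-0001" -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "purpose=replies; justification=stateful; approved=CR-0001" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "purpose=https; justification=public web; approved=CR-0002" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -m comment --comment "purpose=console; justification=legacy switch; approved=CR-0003" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""


def audit(dump: str) -> list[str]:
    """Return one finding per violation, tagged with the control ID; [] means compliant."""
    findings = []
    for line in dump.splitlines():
        if line.startswith(":"):  # chain header, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            if policy not in ("DROP", "-"):  # "-" is a user-defined chain (no policy)
                findings.append(f"NF.A.02 chain {chain} policy is {policy}, expected DROP")
        elif line.startswith("-A") and line.rstrip().endswith("-j ACCEPT"):
            m = COMMENT_RE.search(line)
            comment = (m.group(1) or m.group(2) or "") if m else ""
            missing = [f for f in REQUIRED_FIELDS if f not in comment]
            if missing:
                findings.append(f"NF.A.03 undocumented rule (missing {', '.join(missing)}): {line}")
            port = DPORT_RE.search(line)
            if port and port.group(1) in INSECURE_PORTS and "controls=" not in comment:
                proto = INSECURE_PORTS[port.group(1)]
                findings.append(f"NF.A.03 {proto} permitted without documented controls: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

Running it against a real host's `iptables-save` output gives a per-rule list that maps directly onto the NF.A.05 review: rules with no recorded purpose are the first candidates for removal.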

Resources Covered

This applies to IT resources owned or contracted by the University.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Published Date

November 2014

Last Reviewed

April 2019
