Governing Policy
Questions?
Please use the contact section in the governing policy.
Objective
To ensure authorized access and to prevent unauthorized access to University information and IT resources, select networked systems must be protected through the use of network firewalls. Network firewalls reduce risk by restricting access to those who require access to the system, application, or data.
Security Controls
Network Firewall
The following table defines the baseline security controls for network-based firewalls.
ID | Description | Security Level: High | Security Level: Medium | Security Level: Low |
---|---|---|---|---|
NF.A.01 | Segmentation of traffic with a dedicated network firewall | Required | Recommended | Optional |
NF.A.02 | Enable in default deny mode (deny all traffic) and permit the minimum necessary services | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
NF.A.03 | Document the firewall rules including purpose, justification, and approvals for use of all services, protocols, and ports allowed. For insecure protocols, include the additional security features implemented for the protocol | Required | Required Effective July 2019 | Recommended |
NF.A.04 | Configure network to deny all traffic upon firewall failure | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
NF.A.05 | Review usage of firewall rules and remove rules that are no longer needed (suggest: annual)¹ | Required | Recommended | Recommended |

¹ PCI DSS requires a review of firewall rules every 6 months for all systems that store, process or transmit cardholder data, or support the credit card processing environment.
Resources Covered
This applies to IT resources owned or contracted by the University.
Individuals Covered
This applies to University community members who use or manage University IT resources.
Related Information
- More information on Network Firewall
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to network firewalls.
Published Date
November 2014
Last Reviewed
April 2019