Firewall

The corporate firewall service helps to protect and minimise the risk to University services.

Service Description

The University has deployed a corporate firewall service. The corporate firewall service helps to protect University services and data and minimise the risk to them from external malicious attack. The firewall is also used to help enforce the University's connection and acceptable use policies. The installation of the corporate firewall migrated the University from a "default permit" network to a "default deny" inbound network. This shift in design meant that, instead of running a network which allowed all traffic through and blocked only that which is known to cause problems, the firewall now permits only acceptable traffic and services and blocks all other inbound traffic. This change does not affect legitimate University services and has the benefit of making the existing services and infrastructure more secure. The firewall service is intended as a defensive mechanism: it manages external access to legitimate University systems and services, while access from within the University to external services is not blocked (except in those cases where access contravenes the University AUCoP).

It should be noted that the "default deny" inbound firewall is a risk reduction measure, not a risk elimination measure. Services that are visible through the firewall must therefore be secured and best practice guidelines followed. Failure to follow these practices can still result in compromise by hackers, viruses, trojans and malware through the network ports that are open through the firewall. These systems and services will therefore be policed for conformity with the University's technical standards and access policies. Services that do not comply with the Server Connection Policy will not be allowed access through the firewall.

ISD therefore enforces a University-approved Server Connection Policy that details the necessary procedures that must be in place before remote access through the firewall is granted. This policy requires that, for each server visible through the firewall:

  • There must be a named administrator of the system.
  • There must be a deputy contact to cover if the administrator is absent in an emergency.
  • The system must be patched and maintained.
  • The server must be in a secure location and have restricted administrative access.
  • If the administrator is contacted by ISD, they must respond to the request.

ISD has produced a Server Connection Application Form for departments to request the network ports that they require to be opened for application access through the firewall. This form records the above information along with the necessary IP addresses, the required network ports and the location of the server. The form must also be signed and approved by the Head of Department. This authorisation ensures that the request is in support of the teaching aims of the Department.

What must system administrators do?

All system administrators supporting services that are visible through the firewall are required to implement the following best practices:

  • Install anti-virus software and keep the definition files up to date;
  • Turn off or remove unused network services;
  • Change all default passwords;
  • Change all administrator or privileged account passwords regularly;
  • Keep operating systems and applications patched to the latest revision;
  • Make regular backups of critical data.

Business Process

  • The user logs onto SharePoint and completes the online Server Connection Application Form. The user can log onto the SharePoint portal with their current email address (e.g. j.bloggs@ulster.ac.uk) and password.
  • Once the user completes and submits the online form, an email is sent to the Approver to approve the application.
  • Once the Approver has authorised the change, a copy of the request is sent to the Network Team.
  • The Network Team performs a risk analysis of the request and scans the server for vulnerabilities.
  • If the risk is low and no vulnerabilities are detected, or once any detected vulnerabilities have been patched, an access rule is added to the firewall.
  • The user is emailed to inform them that the service is now active through the firewall.

Supporting Materials

The online Server Connection Application Form can be accessed and completed by connecting to the University SharePoint service at:

http://ulster.sharepoint.com/sites/forms/serverconnection

How to obtain help

Contact the ISD Service Desk.

Service Metrics (KPI/SLA statement)

  • Servers are made visible to the external network within one day of the post-registration security analysis, dependent on the application of appropriate security patches.
  • All firewall rules are reviewed over a 12-month period, removing rules and services that are no longer required or that no longer comply with the connection or security policies.
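The following is an added example, not the University's or the Network Team's own tooling, that models the behaviour described in the Service Description and the Business Process above: approved Server Connection Application Forms become explicit allow rules, inbound traffic that matches no rule is denied ("default deny" inbound), outbound traffic from the campus is not blocked, and a review pass flags rules older than the 12-month review period. The campus address range, the rule records and the sample connections are all constructed for illustration.

```python
"""Toy model of a "default deny" inbound firewall fed by approved
Server Connection Application Forms.  Added example; all data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the campus occupies this private range; anything else is "external".
CAMPUS = ip_network("10.0.0.0/8")
REVIEW_PERIOD = timedelta(days=365)  # rules are reviewed over a 12-month period


@dataclass(frozen=True)
class AllowRule:
    """One approved Server Connection Application Form, turned into a rule."""
    server: str          # IP address of the server recorded on the form
    port: int            # network port the department asked to have opened
    proto: str           # "tcp" or "udp"
    administrator: str   # named system administrator
    deputy: str          # deputy contact for emergencies
    approved_by: str     # Head of Department who signed the form
    approved_on: date    # date the Approver authorised the request


@dataclass(frozen=True)
class Connection:
    """A single inbound or outbound connection attempt seen at the firewall."""
    src: str
    dst: str
    port: int
    proto: str


def validate_rule(rule: AllowRule) -> AllowRule:
    """Refuse to load a rule whose form lacks the contacts the policy requires
    or whose address/port is malformed.  Returns the rule unchanged if valid."""
    for field in ("administrator", "deputy", "approved_by"):
        if not getattr(rule, field).strip():
            raise ValueError(f"form for {rule.server}:{rule.port} is missing '{field}'")
    ip_address(rule.server)  # raises ValueError on a malformed address
    if not 0 < rule.port < 65536 or rule.proto not in ("tcp", "udp"):
        raise ValueError(f"invalid port/protocol for {rule.server}")
    return rule


def decide(conn: Connection, rules: list[AllowRule]) -> str:
    """Default deny inbound: an external source reaches a campus server only
    when an approved rule matches the destination, port and protocol exactly.
    Traffic originating inside the campus is not blocked."""
    if ip_address(conn.src) in CAMPUS:
        return "permit"  # outbound from the University is not filtered here
    for rule in rules:
        if (rule.server == conn.dst and rule.port == conn.port
                and rule.proto == conn.proto):
            return "permit"
    return "deny"  # no approved form covers this service


def rules_due_for_review(rules: list[AllowRule], today: date) -> list[AllowRule]:
    """Rules approved more than 12 months ago should be re-checked
    for continued need and policy compliance."""
    return [r for r in rules if today - r.approved_on > REVIEW_PERIOD]


# Constructed rule set: two approved forms.
RULES = [validate_rule(r) for r in (
    AllowRule("10.1.2.3", 443, "tcp", "j.bloggs", "a.smith", "Head of Dept", date(2024, 1, 10)),
    AllowRule("10.1.2.4", 22, "tcp", "m.jones", "p.green", "Head of Dept", date(2021, 6, 1)),
)]

if __name__ == "__main__":
    samples = [
        Connection("203.0.113.9", "10.1.2.3", 443, "tcp"),  # approved web service
        Connection("203.0.113.9", "10.1.2.3", 22, "tcp"),   # SSH never requested on this host
        Connection("10.5.0.7", "198.51.100.2", 80, "tcp"),  # campus user browsing out
    ]
    for c in samples:
        print(f"{c.src} -> {c.dst}:{c.port}/{c.proto}: {decide(c, RULES)}")
    for r in rules_due_for_review(RULES, date(2024, 6, 1)):
        print(f"review: {r.server}:{r.port} approved {r.approved_on}")
```

The point of the model is the order of decisions: the campus-origin check reflects the statement that access from within the University is not blocked, and only an exact match against an approved form permits an inbound connection; everything else falls through to deny, which is what distinguishes this design from the earlier "default permit" network.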

Who can avail of the service?

Any staff or postgraduate student working for the University

Service Owner

Network Team