Firewall Procedure

SECURITY PROCEDURE
Firewalls
I.
Purpose
To outline the process for requesting firewall services from CSSD, including:
- Firewall requests
- Firewall zone builds
- Firewall changes
- Firewall monitoring
- Firewall VPN client installation
Firewalls are implemented to protect the University’s network from unauthorized use and
to protect sensitive data stored on University computing systems.
This procedure includes terms and definitions to be used consistently throughout the
University.
II.
Scope
This procedure applies to all members of the University community who are authorized
to have access to University computers, computer networks, and University
administrative data, together with the information generated, stored, and/or maintained
in such computer systems.
III.
Procedure
1.
All Firewall Requests
1.1
Requests for firewall implementation and rule changes are processed through
the University’s CSSD Technology Help Desk service. The Technology Help
Desk can be accessed by telephone at (412) 624-HELP [4357], by submitting an
e-mail to helpdesk@pitt.edu, or by going to the online Helpdesk page at
technology.pitt.edu. For firewall changes, the requestor must complete the
firewall change request form, which should include the following information:
- Name of requestor
- Department of requestor
- Requestor’s Phone Number
- Requestor’s Email
- Name of Department’s firewall zone(s) for the change
- Source of traffic (IP/hostname)
- Destination of traffic (IP/hostname)
- Port number and name of service needed (ex. 25/SMTP)
- Specify if port number and name of service should be opened or closed
- Reason/Justification for the requested change
Procedure: PRC-2004-0803
Effective Date: May 24, 2005
Revision: 0.2.6
Page 1 of 15
1.2
All requests for implementing and modifying firewalls will be reviewed by CSSD
to ensure they comply with CSSD firewall standards, documented in CSSD
Standard STD-2004-0803 Firewall Security Standard.
1.3
All approved network-based firewalls on the University’s network will be ordered,
installed, managed and supported by CSSD.
1.4
Only authorized IT administrators or departmental managers may request firewall
builds and changes. CSSD’s IT Security Team will maintain a list of approved
firewall contacts.
2.
New Firewall Zone Build Process
2.1
The authorized IT administrator or departmental manager contacts the
Technology Help Desk to initiate a firewall zone build request.
2.2
The Technology Help Desk will record the firewall zone build request, the name
of the departmental contact, and any additional information necessary to review
the request. The request is then forwarded to the University’s CSSD IT Security
Team, which will begin to track the new request using the CSSD Firewall Build
Report.
2.3
Plan Phase: the IT Security Team will review the firewall zone build request and
schedule an initial meeting with the University departmental contact provided in
the request. A Port Inventory Form—intended to identify both network ports as
well as computer systems that will be migrated behind the new firewall zone—will
be sent to the departmental contact for listing all computing assets that will be
protected by the firewall. The Port Inventory Form must be fully completed by
the individual department and returned to the IT Security Team one week prior to
the initial meeting. Firewall zone design will not commence until the Port
Inventory Form is complete; this is to ensure that information is accurate and that
the number of systems can be accurately ascertained in order to assign an
appropriate new IP address range for systems moving into the new zone.
2.4
Design Phase: at the initial meeting, the Security Team will review the firewall
zone build request, Port Inventory Form, and a preliminary design with the
University departmental contact and any other appropriate team members. The
IT Security Team will create a firewall zone diagram using CSSD’s firewall zone
diagram template prior to the initial meeting. The University department will also
identify a primary authorized contact and a secondary authorized contact for
handling any issues with the request and its implementation. The final proposed
firewall configuration will be reviewed by CSSD’s IT Security Team and Network
Engineering Team. Any changes will be communicated to the University
departmental contact in writing.
2.5
Build Phase: Upon approval of the final firewall configuration by CSSD and the
University department, CSSD will install and configure the firewall zones for the
University department. The IT Security Team will submit a Help Desk ticket to
request the firewall build be started; this ticket will be escalated to CSSD’s
Network Engineering team for them to complete the firewall zone build. The
Network Engineering team will also be responsible for creating VLANs, reserving
IP address space, and any additional routing or switch work needed to complete
the firewall zone build.
2.6
Migrate Phase: Upon completion of the firewall zone build, CSSD will assist the
University department with migration of several test workstations behind the
firewall. During the test period, firewall rule-set changes may be made during
business hours. Once testing has concluded, all firewall rule-set changes must be
made in accordance with the CSSD Change Management policy, as the zone is
now considered to be production. Departments are responsible for testing
systems once they have been migrated to the new firewall zone to ensure that
network connectivity has been maintained.
2.7
CSSD will verify proper operation of the firewall zones and obtain University
departmental verification that the new firewall zone build is successful.
3.
Firewall Zone Configuration Change Process—Including Express Queue
3.1
The authorized University departmental contact submits a Firewall Configuration
Change Request to the Help Desk. The Help Desk will create a helpdesk ticket
using Remedy’s New Pitt Call Ticket form under the Quick Close category
Security, title Firewall Change Request. Information to collect from the contact
includes:
- Name of requestor
- Department of requestor
- Requestor’s Phone Number
- Requestor’s Email
- Name of Department’s firewall zone(s) for the change
- Source of traffic (IP/hostname)
- Destination of traffic (IP/hostname)
- Port number and name of service needed (ex. 25/SMTP)
- Specify if port number and name of service should be opened or closed
- Reason/Justification for the requested change
The Helpdesk will then assign the firewall zone change helpdesk ticket to the
CSSD IT Security Team.
Figure III.1: Screenshot of Remedy Ticket Screen with Firewall Request Quick Close
3.2
The CSSD IT Security Team will review the helpdesk ticket for completeness and
compliance, and, if approved, will then create a Remedy change management
ticket to document the request. The IT Security Team will verify the request with
the authorized University departmental contact. If the request is denied, the IT
Security Team will notify the contact by e-mail of the denial and the reason for
the denial. Suggestions will also be made on how to change the request so that
it can be accepted.
Express Queue: normal firewall zone changes must be submitted to the Help Desk
by Wednesday noon for review and approval; these changes will be executed on
Saturday evenings at 11:00 pm. However, certain firewall zone changes can be
placed in an “express queue,” in which the change will be executed the night
after the request is received.
Express Queue requests include:
- New rules opening or closing network ports with defined source and
  destination IP address ranges
- Deletion of existing firewall rules
- Source and destination IP address changes to existing rules
- Network port changes to existing rules
- Timeout adjustments on existing rules
Express Queue requests must satisfy certain conditions, including:
- The request comes from a designated department firewall contact.
- All information needed to process the request has been provided by the
  department firewall contact.
- The change is a “zone apply” change (a change to a firewall zone ruleset,
  which includes source and destination IP addresses as well as changes
  to the network ports allowed/denied).
- The change meets the University’s firewall configuration standards as
  defined in CSSD Standard STD-2004-0803 Firewall Security Standard (for
  example, inbound * rules and requests for cleartext or insecure ports
  such as telnet and ftp do not meet the standard).
- The departmental firewall contact must be prepared to test the change
  the morning after the change has been executed.
Express Queue request deadlines to the Help Desk are:
- Mondays at noon (execute Tuesday night)
- Wednesdays at noon (execute Thursday night)
- Thursdays at noon (execute Saturday night)
3.3
The firewall change request will be formally reviewed by Security and by Network
Engineering during a weekly “NetSec” meeting (Wednesday at 2 PM) for
compliance with CSSD firewall guidelines and standards, as well as for potential
impact on University network services and systems operation. If compliant, the
change request ticket will be approved by the Information Security Officer. If the
request is denied, the Security Team will notify the contact by e-mail of the denial
and the reason for the denial. Suggestions will also be made on how to change
the request so that it can be accepted.
Express Queue: firewall zone changes placed in Express Queue will be
formally reviewed during the weekly NetSec meeting as well as on conference
calls on Mondays and Thursdays at 2:30 pm with representatives from Security,
Network Engineering, and the NOC.
3.4
Once the firewall change request has been approved, the change will be
presented at CSSD’s change management call (Thursdays at 9 am). If
approved, the change management request ticket will be set to scheduled, and
the change will be staged in LSMS for execution during the next applicable
maintenance window. An e-mail will be sent to the contact confirming that the
change will be executed, with information on when the change will be executed,
and with a reminder that the contact will need to ensure that end-user
acceptance testing is to be performed immediately after the change is executed.
Express Queue: firewall zone changes placed in Express Queue will be
reviewed during the daily helpdesk ticket call on Tuesdays and Fridays at 9 am.
3.5
CSSD’s Network Operations Center will take change request tickets in scheduled
status and execute during the next change implementation period (Saturdays at
11 PM).
Express Queue: firewall zone changes placed in Express Queue will be
executed by the Network Operations Center on Tuesday, Thursday and Saturday
evenings at 11 PM. Express Queue requests will be scheduled by the IT
Security Team in the Remedy change ticket form’s Implementation Date-Time
field. Once the NOC implements the change, results of the implementation will
be included by the NOC in the change ticket’s work log.
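Sections 3.1 through 3.5 above define the change request form, the Express Queue conditions, and the submission-to-execution timetable. The following Python is an added illustration written for this page, not CSSD’s code: it checks a request against the Express Queue conditions and computes the maintenance window a request submitted at a given time would fall into. The form field names, the port numbers assumed for telnet and ftp, the treatment of an "open" rule with source "*" as an inbound * rule, and the rule that a request missing a deadline waits for the next deadline of the same queue are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Section 3.2 names telnet and ftp as cleartext/insecure services (ports assumed).
INSECURE_SERVICES = {23: "telnet", 21: "ftp"}
# Express Queue: deadline weekday at noon -> execution weekday at 11 PM (Sections 3.2, 3.5).
EXPRESS_WINDOWS = {0: 1, 2: 3, 3: 5}       # Mon->Tue, Wed->Thu, Thu->Sat
NORMAL_WINDOWS = {2: 5}                    # normal queue: Wed noon -> Sat 11 PM
NOON, EXEC_TIME = time(12, 0), time(23, 0)


@dataclass
class ChangeRequest:
    """The fields of the firewall change request form listed in Section 3.1."""
    requestor: str
    department: str
    phone: str
    email: str
    zones: str           # name(s) of the department's firewall zone(s)
    source: str          # IP/hostname; "*" means any
    destination: str
    port: int
    service: str
    action: str          # "open" or "close"
    justification: str
    zone_apply: bool = True   # a rule-set change rather than other firewall work


def missing_fields(req):
    """Names of required form fields that were left blank."""
    required = ("requestor", "department", "phone", "email", "zones", "source",
                "destination", "service", "action", "justification")
    return [f for f in required if not getattr(req, f)]


def standards_violations(req):
    """The two non-compliance examples the page gives for STD-2004-0803: an
    inbound '*' rule and a cleartext/insecure service. Assumption: an 'open'
    rule whose source is '*' counts as an inbound * rule."""
    problems = []
    if req.action == "open":
        if req.source.strip() == "*":
            problems.append("inbound * rule")
        if req.port in INSECURE_SERVICES or req.service.lower() in INSECURE_SERVICES.values():
            problems.append(f"insecure cleartext service {req.port}/{req.service}")
    return problems


def express_eligible(req, approved_contacts):
    """Apply the Express Queue conditions of Section 3.2; returns (ok, reasons)."""
    reasons = []
    if req.email.lower() not in {c.lower() for c in approved_contacts}:
        reasons.append("requestor is not a designated department firewall contact")
    blanks = missing_fields(req)
    if blanks:
        reasons.append("incomplete request, missing: " + ", ".join(blanks))
    if not req.zone_apply:
        reasons.append("not a zone-apply change")
    reasons.extend(standards_violations(req))
    return (not reasons, reasons)


def scheduled_execution(submitted_iso, express):
    """Maintenance window ('YYYY-MM-DD HH:MM') in which a request submitted at
    `submitted_iso` would run. Assumption: a request that misses a deadline
    waits for the next deadline of the same queue (the page does not say)."""
    submitted = datetime.fromisoformat(submitted_iso)
    windows = EXPRESS_WINDOWS if express else NORMAL_WINDOWS
    for offset in range(8):                      # today plus a full week
        day = submitted.date() + timedelta(days=offset)
        deadline = datetime.combine(day, NOON)
        if day.weekday() in windows and deadline >= submitted:
            days_ahead = (windows[day.weekday()] - day.weekday()) % 7
            run_at = datetime.combine(day + timedelta(days=days_ahead), EXEC_TIME)
            return run_at.isoformat(sep=" ", timespec="minutes")
    raise RuntimeError("unreachable: every queue has at least one weekly deadline")
```

The dates in the checks below are constructed around the procedure’s effective date (May 24, 2005 was a Tuesday).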
3.6
CSSD’s IT Security Team will notify by e-mail the departmental contact that the
change was implemented, with a reminder that end-user acceptance testing
should be completed immediately.
4.
Firewall Problem Reporting
4.1
For any firewall problem, the authorized University departmental firewall contact
will submit a Remedy ticket with a detailed description of the firewall problem,
including affected hostnames, network addresses, target hosts and accessed
services. Standard CSSD Help Desk resolution procedures will be followed.
5.
Firewall Removal
5.1
CSSD will not permit the removal of any network-based firewall.
6.
Firewall Log Access
6.1
SSH to fwlmgr-2.ns.pitt.edu or fwlmgr-2-bak.ns.pitt.edu (real-time logs, which
roll over to datacomm-stor-pr every 3-4 minutes).
6.2
SSH to datacomm-stor-pr.ns.pitt.edu (contains log entries for each day).
6.3
Log viewer on LSMS (filters must be defined; the log output is easier to understand
because the fields are labeled. However, this method is not very reliable and at
times has a large delay of up to 15 minutes).
7.
Firewall VPN User Creation
Note that the following procedure is to be used only for legacy IPSec VPN customers.
CSSD no longer allows end users to implement IPSec VPN, and instead recommends
that they use SSL VPN for secure remote connectivity to PittNet resources.
Firewall VPN User Creation allows for registered users to remotely access systems
protected by network firewall zones. Note that the user will need to be added to groups
that will permit access to firewall zones affiliated with those groups. To add a VPN user:
7.1
Start up the LSMS software
7.2
If this is an existing VPN user, find the username and right-click, then select
Copy.
7.3
Click on the Browse button in the copy window.
7.4
Select the appropriate destination folder and then click the OK button.
7.5
If the user is not an existing user, open the User Auth folder and then select the
Users folder.
7.6
Right-click an empty area on the right side of the screen and select New User.
7.7
Enter the required information in the User Editor window. Under
Authentication Service select RADIUS. Change the Authentication Timeout
to 480 minutes. When finished, go to the File menu and select Save and
Close.
8.
Firewall VPN Group Management
Firewall VPN Groups allow authorized users with a registered VPN user account to
access the firewall zones associated with a group. To associate a user with a group:
8.1
In LSMS, go to the User Groups folder. There should be a list of VPN user
groups. Double-click on the one you want and a new window will appear.
8.2
Select the desired new user from the left side of the window and then click the
Add button. Go to the File menu and select Save and Close.
IV.
Definitions
Availability - Assurance that the systems responsible for delivering, storing and
processing information are accessible when needed, by those who need them.
Business Assets - The term Business Assets, as it relates to Information Security, refers
to any information upon which the organization places a measurable value. By
implication, the information is not in the public domain and would result in loss, damage,
or even business collapse, if the information were to be lost, stolen, corrupted or in any
way compromised.
Communications Equipment - Hardware, with associated software, relating to the ability
of computers to receive data from, and transmit data to, locations separated from the
central processor.
Communications Line - Within a communications network, the route by which data is
conveyed from one point to another.
Communications Network - A system of communications equipment and communication
links (by line, radio, satellite, etc.), which enables computers to be separated
geographically, while still ‘connected’ to each other.
Computer System - One or more computers, with associated peripheral hardware, with
one or more operating systems, running one or more application programs, designed to
provide a service to users.
Confidentiality - Assurance that the information is shared only among authorized
persons or organizations. Breaches of Confidentiality can occur when data is not
handled in a manner adequate to safeguard the confidentiality of the information
concerned. Such disclosure can take place by word of mouth, by printing, copying, emailing or creating documents and other data, etc.
Cracker - A cracker is either a piece of software (program) whose purpose is to ‘crack’
the code (i.e.: a password), or ‘cracker’ refers to a person who attempts to gain
unauthorized access to a computer system. Such persons are usually ill intentioned and
perform malicious acts.
Data/Information - In the area of Information Security, data is processed, formatted, and
re-presented, so that it gains meaning and thereby becomes information. Information
Security is concerned with the protection and safeguard of that information, which in its
various forms can be identified as Business Assets.
Default - A default is a setting or value, that a computer program (or system) is given as
a standard setting. It is likely to be the setting that ‘most people’ would choose.
Denial of Service - A Denial of Service (DoS) attack, is an Internet attack against a Web
site whereby a client is denied the level of service expected. In a mild case, the impact
can be unexpectedly poor performance. In the worst case, the server can become so
overloaded as to cause a crash of the system.
Dual Homing - Having concurrent connectivity to more than one network from a
computer or network device. Examples include: Being logged into the Corporate
network via a local Ethernet connection, and dialing into AOL or other internet service
provider (ISP).
e-Commerce - Electronic transaction, performed over the Internet – usually via the World
Wide Web – in which the parties to the transaction agree, confirm, and initiate both
payment and goods transfer.
Firewall - Security devices used to restrict access in communication networks. They
prevent computer access between networks (i.e.: from the Internet to your corporate
network), and allow access only to services that are expressly registered.
Fix - An operational expedient that may be necessary if there is an urgent need to
amend or repair data, or solve a software bug problem.
Hacker - An individual whose primary aim in life is to penetrate the security defenses of
large, sophisticated, computer systems. A truly skilled hacker can penetrate a system
right to the core, and withdraw again, without leaving a trace of the activity.
Incursion - A penetration of the system by an unauthorized source. Similar to an
Intrusion, the primary difference is that Incursions are classed as ‘hostile’.
Integrity - Assurance that the information is authentic and complete. Ensuring that
information can be relied upon to be sufficiently accurate for its purpose. The term
integrity is used frequently when considering Information Security as it represents one of
the primary indicators of security (or lack of it). The integrity of data is not only whether
the data is ‘correct’, but also whether it can be trusted and relied upon. For example,
making copies (say by e-mailing a file) of a sensitive document, threatens the integrity of
information. By making one or more copies, the data is then at risk of change or
modification.
Internet - A publicly accessible Wide Area Network that can be employed for
communication between computers.
Intranet - A Local Area Network within an organization, which is designed to look like,
and work in the same way as, the Internet. Intranets are essentially private networks,
and are not accessible to the public.
Intrusion - The IT equivalent of trespassing. An uninvited and unwelcome entry into a
system by an unauthorized source. While incursions are always seen as hostile,
intrusions may be innocent.
IP Address - The IP address or ‘Internet Protocol’ is the numeric address that guides all
Internet traffic, such as e-mail and Web traffic, to its destination.
Lab - A Lab is any non-production environment, intended specifically for developing,
demonstrating, training and/or testing of a product.
Laptop - Laptop has become a generic expression for all portable computers. Laptops
require extra security measures because of the portability and obvious attractiveness to
thieves.
Local Area Network - A private communications network owned and operated by a
single organization within one location. This may comprise one or more adjacent
buildings; however a local network will normally be connected by fixed cables or, more
recently short-range radio equipment. A LAN will not use modems or telephone lines for
internal communications, although it may well include such equipment to allow selected
users to connect to the external environment.
Log on / off - The processes by which users start and stop using a computer system.
Network - A configuration of communications equipment and communication links by
network cabling or satellite, which enables computers and their terminals to be
geographically separated, while still connected to each other. See also Communications
Network.
Network Administrator - Individual(s) responsible for the availability of the Network, and
the controlling of its use.
Operating System - Computer programs that are primarily or entirely concerned with
controlling the computer and its associated hardware, rather than processing work for
users. Computers can operate without application software, but cannot run without an
operating system.
Penetration - Intrusion, trespassing, unauthorized entry into a system.
Penetration Testing - The execution of a testing plan, the sole purpose of which is to
attempt to hack into a system using known tools and techniques.
Peripherals - Pieces of hardware attached to a computer rather than built into the
machine itself. These include printers, scanners, external hard drive units, portable
drives, and other items that can be plugged into a port.
Physical Security - Physical protection measures to safeguard the organization’s
systems, including restrictions on entry to premises, restrictions on entry to the computer
department, locking/disabling equipment, disconnection, fire-resistant and tamper-resistant
storage facilities, anti-theft measures, anti-vandal measures, etc.
Policy - A policy may be defined as ‘An agreed approach in theoretical form, which has
been agreed to / ratified by a governing body, which defines direction and degrees of
freedom for action’.
Privilege - Privilege is the term used throughout most (if not all) applications and
systems to denote the level of operator permission, or authority. Privilege can be
established at the file or folder (directory) level and can allow read only access, but
prevent changes. Privileges can also refer to the extent to which a user is permitted to
enter and confirm transactions / information within the system.
Privileged User - A user who, by virtue of function, and/or seniority, has been allocated
powers within the computer system, which are significantly greater than those available
to the majority of users.
Process - In computer terms, a process refers to one of the dozens of programs that are
running to keep the computer running. When a software program is run, a number of
processes may be started.
Production System - A system is said to be in production when it is in live, day to day
operation.
Protocol - A set of formal rules describing how to transmit data, especially across a
network. Low level protocols define the electrical and physical standards to be
observed, bit and byte ordering and the transmission and error detection and correction
of the bit stream. High level protocols deal with the data formatting, including the syntax
of messages, the terminal to computer dialogue, character sets, sequencing of
messages, etc.
Security Administrator - Individual(s) who are responsible for all security aspects of a
system on a day-to-day basis.
Security Incident - A security incident is an alert to the possibility that a breach of
security may be taking, or may have taken, place.
Sensitive Information - Information is considered sensitive if it can be damaging to the
University or its reputation.
Split-tunnelling - Simultaneous direct access to a non-University network (such as the
Internet, or a home network) from a remote device while connected to the University’s
network via a VPN tunnel.
Spoofing - Spoofing is an alternative term for identity hacking and masquerading. The
interception, alteration, and retransmission of data in an attempt to deceive the targeted
recipient.
Spot Check - The term ’spot check’ comes from the need to validate compliance with
procedures by performing impromptu checks on records and other files, which capture
the organization’s day-to-day activities.
Unauthorized Disclosure - The intentional or unintentional revealing of restricted
information to people who do not have a legitimate need to know that information.
VPN - Virtual Private Network (VPN) is a method for accessing a remote network via
“tunneling” through the Internet.
V.
References
University Policy 10-02-06, Administrative University Data Security and Privacy.
CSSD Guideline GDL-2004-0803, Firewall Guidelines.
CSSD Standard STD-2004-0803, Firewall Security Standards.
CSSD Standard MSB-2004-0101, Firewall Minimum Security Baseline Standards.