Network Firewall

Layout for printing
Policy Number:
UW-513
Responsible Office:
Division of Information Technology (DoIT)

University Policy

Rationale/​Purpose:

This policy establishes the guiding principles and collaborative decision-making process for the administration, configuration, and operating procedures for network firewalls at UW–Madison. The purpose is to provide more extensive, adaptable, and consistent network protection in order to counter increasingly sophisticated and persistent attacks on university data and systems.

Strong and adaptable rules provide better and more consistent protection. However, strong and adaptable rules are more likely to have a short-term impact on university operations as they are tuned to maximum necessary protections and minimize inadvertent interference.

The principles and decision-making process established by the policy help reduce cybersecurity risk to the institution by enabling stronger and more adaptable protections than would otherwise be possible. The policy and implementation plan are designed to:

  • Enable more extensive and adaptable use of common (shared) network firewall rules. This is accomplished by applying firewall management principles that are responsive to the needs of the institution, along with a collaborative decision-making process to ensure that those needs are heard and addressed.
  • Increase the consistency of firewall protection. Common (shared) firewall rules add protection to all subnets behind the firewalls. When new threats are identified, common firewall rules reduce the risk of leaving some of those subnets vulnerable due to staff vacancies or lack of available staff time.
  • Introduce more advanced firewall protection features which can quickly detect and block new threats. These advanced features are necessary to protect data and assets from increasingly sophisticated and persistent attacks.

The immediate need is to select and manage the common (shared) network firewall rules that are specific to the Next Generation firewalls. Sound principles and a collaborative decision-making process are necessary because the common rules apply to all devices and services on subnets which are protected behind a Next Generation firewall.

Beyond the common (shared) network firewall rules, there is a longer-term need to more generally improve the administration, configuration, and operation of UW–Madison network firewalls, using the same principles and collaborative decision-making process.

Scope:

Applies to all network firewalls at UW–Madison.

Policy:

  1. Guiding Principles

    1. The purpose of network firewall rules and operating procedures is to support and expedite research, teaching, and learning at the university, while reliably providing protection for all devices, services, and subnets connected to the UW–Madison network.
    2. UW–Madison will have network firewall rules and operating procedures that are consistent with the academic and business needs of the university and with widely recognized best practices in cybersecurity.
    3. Free and open access to information and resources available on the internet will continue as the university implements firewall protection against known threats and malicious actors.
    4. Network firewall rules and operating procedures will be reviewed through an ongoing collaborative decision-making process that includes subject matter experts and participants from representative UW–Madison academic and business units.
    5. Administration of network firewalls will be federated when technologically practical so that a firewall administrator for a subnet can manage rules and operating procedures that are specific to that subnet.
    6. If federated administration is not technologically practical, the shared (i.e. non-federated) operating procedures will, to the extent practical, accommodate the timely, efficient, and effective administration of subnet-specific rules.
    7. There will be open and transparent communication with ample opportunities for feedback and engagement from IT professionals and impacted users, in order to gauge the effect of the policy on the university.
    8. When a firewall interdiction occurs that prevents access to a resource, the end-user should receive context for why the interdiction occurred and actionable steps they can take to mitigate or resolve the issue.

  2. Policy

    1. The administration, configuration, and operating procedures for network firewalls will follow the guiding principles. In order to meet evolving needs, additional guiding principles, consistent with those already in the policy, may be added to the implementation plan.
    2. UW–Madison will establish an ongoing collaborative advisory group that includes subject matter experts and participants from representative UW–Madison academic and business units. The group is advisory to the chief information security officer (CISO). The CISO is assisted by the other sponsors of the advisory group.
      1. The group will initially advise on the common (shared) network firewall rules and operating procedures that apply to all devices and services on subnets protected behind the Next Generation firewalls.
      2. Longer-term, the group will advise more generally on the administration, configuration, and operating procedures for network firewalls at UW–Madison.
      3. The executive sponsors of the advisory group will at a minimum include the chief information officer (CIO) and the chair of the Information Technology Committee (ITC) and may include other senior academic and business leaders.
      4. The sponsors of the advisory group will at a minimum include the CISO and may include other academic, business, or IT leaders to assist the CISO.
      5. The organization and functioning of the advisory group will be further defined in the charter of the group, as approved by the executive sponsors. The provisions of the charter must be consistent with this policy.
    3. Special Cases:
      1. Personally-owned devices or other non-UW–Madison-owned devices and services are subject to this policy while they are connected to the university network.
      2. Exceptions to the policy will be reviewed by the advisory group, sponsors, and if necessary, executive sponsors of the group and the risk executives of the affected systems.

  3. Authority

    1. The UW System Board of Regents policy 25-3 "Acceptable Use of Information Technology Resources" authorizes the UW System to:

      "…take reasonable measures to protect the privacy of its IT resources and accounts assigned to authorized users... Any activity on UW System IT resources may be monitored, logged and reviewed by UW System-approved personnel... The UW System has the right to employ appropriate security measures, to investigate as needed, and to take necessary actions to protect UW System IT resources…"

    2. The Network Firewall policy is approved by the ITC, representing shared governance, and issued by the vice provost for information technology.
    3. Mandatory portions of the Network Firewall Implementation Plan and operating procedures are extensions of this policy and inherit the authority of this policy.

  4. Enforcement

    1. The executive sponsors and immediate sponsors of the advisory group will ensure that the advisory group is adhering to the guiding principles and policy.
    2. All system administrators of network firewalls at UW–Madison will ensure that the administration, configuration, and operation of the network firewalls that they administer are consistent with the security controls included in the unit’s Risk Management Framework System Security Plan as accepted by the unit’s risk executive, and with the operating procedures established by the advisory group and its sponsors.
    3. Any device or service connected to the UW–Madison network, or that accesses or is accessed by such devices and services, that through its configuration or activity poses an unacceptable risk to the network; the other devices and services connected to the network; or the availability, integrity or confidentiality of UW–Madison data, may have its access to the network limited or blocked until that risk is eliminated or reduced to an acceptable level.
Related UW–Madison Documents, Web Pages, or Other Resources:
External References:

Policy Administration

Approval Authority:
Chief Information Officer & Vice Provost for Information Technology
Policy Manager:
Assistant Director, Cybersecurity Program and Business Services
Contact:
IT Policy Writer and Analyst -- Heather Johnston, itpolicy@cio.wisc.edu
Effective Date:
06-18-2018
Revised Dates:

11-16-2018

Retrieved:
04-19-2024 18:02:44