Information Security - Firewall Security Guidelines

Section 1 - Purpose / Objectives

(1) Safe and secure network services are essential to the University's operational goals. Firewalls are the first line of defence against attacks and are part of the overall security of electronic equipment and the information it handles. They provide a point at which security controls can be enforced, and they can give the University information about the traffic passing through them.

(2) The purpose of the Firewall Security Guidelines is to define security standards for all equipment owned and/or operated by Victoria University. These standards are designed to minimise the potential exposure of Victoria University to the loss of sensitive or confidential data, loss of intellectual property, damage to public image etc., which may follow from unauthorised use of Victoria University resources.

(3) Modern attackers use a multi-pronged attack methodology to gain access to internal and external facing services. This requires that the University operate all network services, regardless of their perceived access level, with a stringent secure configuration and operation.

Section 2 - Scope / Application

(4) This Guideline applies to:

(5) Firewall

Section 3 - Definitions

(6) Nil

Section 4 - Policy Statement

(7) Nil

Section 5 - Procedures

Section 6 - Guidelines

Server Network Production Firewall Operation Rules

(8) All network firewalls will have a default deny posture.
(9) All servers providing services directly to the Internet must be located in the Presentation (External) zone.
(10) Firewall rules must be in place and will govern the communication allowed into each tier and between the tiers.
(11) Firewall rules are to be the minimum required to deliver business needs, following a least privilege model.
(12) All administrative and management access required to servers within the corporate and development silos will be provided by the Management VPN solution.
(13) All backup and monitoring will be provided through the management network (in the future).
(14) IPs are to be issued by the Communications Team, according to the IP allocation process. A change of Tier/Silo will require an IP change.
(15) The standard firewall change process will be carried out twice weekly.
(16) Changes for BAU group assignment (e.g. Finance One access) will be performed on an ad hoc basis.
(17) Additional changes are possible and should be included as part of the normal change management process sent for CAB review (include firewall rules with system/service deployment changes, noting ITSSO agreement or disagreement).
(18) Where direct communication with other networks is not viable, a connection via proxy, where viable, is preferred over a NAT approach.

Server Network Development Operation Rules

(19) All network firewalls will have a default deny posture.
(20) All hosts will be issued with private IP addresses.
(21) All servers providing services directly to the Internet must be located in the Presentation (External) zone.
(22) Firewall rules must be in place and will govern the communication allowed into each tier and between the tiers.
(23) Communication directly with production systems is to be discouraged. However, exceptions can, and will, be made where it is not possible or appropriate to have a completely isolated development environment.
(24) All administrative and management access required to servers within the corporate and development silos will be provided by the Management VPN solution.
(25) All backup and monitoring will be provided through the management network (in the future).
(26) All data transfers (e.g. production to development) must be performed through intermediary hosts within the management network (providing an "air gap" between prod and dev).
(27) IPs are to be issued by the Communications Team, according to the IP allocation process. A change of Tier/Silo will require an IP change.
(28) With the exception of communication to the wider Internet and to production silos, firewall changes can be performed ad hoc and without in-depth scrutiny.
(29) Where direct communication with other networks is not viable, a connection via proxy, where viable, is preferred over a NAT approach.

Border Firewall Operation Rules

(30) Default deny ingress traffic.
(31) Allowing connections directly to client networks is expressly forbidden.
(32) Dangerous or historically abused ports and services will be blocked where practical.
(33) Where practical, user traffic will be proxied to provide further security to the user network.
(34) Legacy servers cannot request firewall changes and must migrate to the Server Network.
(35) No new servers can be deployed into the legacy network.

Other Firewalls Including Host Based

(36) Default deny ingress and egress traffic.
(37) Rules allowing traffic must follow the principle of least privilege.
(38) Rules should limit access to defined, expected users or services (e.g. VU Internal or DNS servers).
(39) Rules allowing administrative access should be limited as much as possible.

This is not a current document. It has been repealed and is no longer in force.