MUSC Internet Firewall Procedures

$Id: firewall-procedure.html,v 1.3 2002/08/30 15:09:10 gadsden Exp $

i. Purpose and Scope

The MUSC Internet Firewall Policy document defines the policies which govern the administration of the Internet Firewall, and of certain aspects of the administration of the Servers which fall within the scope of those policies. This Procedures document explains the specific procedures which systems administrators and firewall administrators are expected to follow, in accordance with the aforementioned Policy.

At present, the infrastructure needed to implement the Perimeter Network has not been established. The same is true of the infrastructure needed to perform some network security functions, such as network security auditing and remote event logging. For this reason, some of the procedures documented below are marked Implemented, while others are still marked Planned. This document will be updated frequently as planned procedures are implemented.

I. Procedures for System Administrators

A. Requesting A Firewall Rule

The System Administrator of a Server which is located on, or which is to be relocated to, the MUSC Perimeter Network, may request a Firewall "Rule" to allow inbound connections from the Internet to a specific service or set of services on his Server. [Implemented]

The System Administrator of a Server located on the Internal Network may request a Firewall Rule to allow inbound communication, from one or more systems on the Perimeter Network, to his Server. [Planned]

  1. If the Server is a Web server, use the form at the following URL to register the Web server in MUSC's Web Server Directory: http://www.itlab.musc.edu/sitereg. [Implemented]

  2. Use the on-line form at the following URL to register a firewall rule request: http://www.itlab.musc.edu/fwreg. The following information must be supplied on this form:

    • System Administrator -- name, department, title, etc. [Implemented]

    • Request type -- Internet->PerimeterNet, or PerimeterNet->InternalNet [Planned]

    • Firewall Rule specifications -- specific set(s) of protocol(s)/port(s)/direction(s) being requested, and the specific initiator and target IP address(es) if known [Implemented]

    • Server specifications -- description of software (operating system, application software, and any middleware) that will be handling inbound requests on the open port(s), including complete software version information [Planned]

    • Description of application -- in general terms, what information will be provided to whom, how it will be provided, and why it needs to be provided this way [Planned]

    • Justification -- how the requested network service will support MUSC's mission, and the impact on MUSC if the request were denied [Planned]

    • Begin Date -- when the Rule should be activated [Planned]

    • End Date -- when the Rule should be terminated [Planned]

    • Management Contact -- name, title [Planned]

    • Emergency Contacts -- names, roles, pagers, etc. [Planned]

  3. If notified by Network Security that the request has been approved, then proceed to implementation (Section I.B below). If the request is denied, then the System Administrator may appeal through the process described in Section III.A.

B. Implementing A Firewall Rule

  1. Cooperate with Network Security in scheduling the initial network audit (vulnerability assessment) of the Server. Complete any remedial actions specified by the auditor. [Planned]

  2. Set up remote logging to the loghost specified by Network Security, and demonstrate conformance to the remote logging specifications provided by Network Security. [Planned]

  3. If the Server is providing Internet services, it will be located in (or will be relocated to) the Perimeter Network. If necessary, coordinate readdressing of the Server with Network Security. [Planned]

C. Maintaining A Firewall Rule

  1. Promptly notify Network Security of any changes to any of the information documented in the Firewall Rule Request, using the on-line form referenced in I.A.2 above. [Implemented]

  2. Promptly notify Network Security of any security incidents or anomalies involving the Server, by logging a call with the CCIT Help Desk. [Implemented]

  3. Promptly address any deficiencies identified in any on-going audit of the target system performed by Network Security. [Planned]

  4. If a vulnerability affecting the target hardware and software is discovered, apply necessary patches or implement workarounds without excessive delay. [Implemented]

  5. Follow procedures for renewing the rule on an annual basis if it is still needed. [Planned]

II. Procedures for MUSC Network Security

Under construction...

III. Administrative Procedures

A. Appeals Process

If a System Administrator requests a firewall rule and the request is denied by Network Security, that decision can be appealed through the following escalation path:

  1. CCIT Director of Computer and Network Security

  2. MUSC Network Infrastructure Committee

  3. MUSC Information Management Council

Appendix A: Points of Contact