• Section Navigation
• Financial Resources
• Forms
• Human Resources
• IT Resources
• Policy & Procedures
• Safety & Training
• Services
• Templates & Tutorials
• Visitor Resources

IT Policies - MRI Firewalls

Purpose

The purpose of this policy is to ensure secure and reliable network access and performance for the MRI community. Internet access to MRI resources and MRI access to Internet resources, and to define the configuration, implicit and explicit rules of, and exemptions to the perimeter firewalls of the MRI networks.

Scope

This policy applies to the perimeter firewalls in the MRI and MRL Buildings, the users of the MRI networks and those who request exemption to the firewall rulesets.

Rationale

The MRI network is scanned every day from the Internet. Much of this scanning is done to determine the number and location of potentially vulnerable systems on the network. Risks to our systems, research and academic mission are most apparent. The loss or corruption of data or unauthorized disclosure of information on research and instructional computers, student records, and financial systems is unacceptable. MRI also has a legal responsibility to secure its computers and networks from misuse. This policy will allow MRI to handle network security responsibly.

Policy

Thou Shall

• Web servers that are externally accessed shall be isolated from the internal network of the organization. The isolation may be physical, or it may be implemented by technical means such as an approved firewall. An approved firewall include:
  
  • Disabling IP forwarding, avoid dual-homed servers
  • Employing least privilege
  • Limiting functionality of Web server implementation
  • Employing tools to check configuration of host
  • Enabling and regularly examining event logs
• MRI will periodically run scans of systems within the firewall and work with system administrators to identify changes needed to keep their systems secure
• Secure servers must be within the MRI firewall
• Identify and remain within trust zones: The very first step in securing a network is to decide on the different zones of trust present. In its most basic form, network security is about zones of trust. A simple example would be the Internet (a ‘no trust’ zone) and an internal network (a ‘high trust’ zone); a firewall controls traffic between these different zones of trust.
• Change Control: With any firewall it is very important to have change control. Far too often firewalls are found with rules that nobody remembers adding. When rules are introduced there should be a well-defined method for documenting these and, in the case of temporary rules, the removal date for the rule should be added in a comment field.
• Log and review traffic: One of the primary purposes of a firewall is to log traffic going through the firewall. Logging is no good unless these logs are reviewed on a regular basis. MRI's IT unit is responsible for reviewing this information.
• Monitor stability: A firewall should be monitored for availability to ensure maximum uptime. If a firewall isn’t stable people will find ways of avoiding the firewall that leads to a low level of security. MRI's IT unit is responsible for network security
• Report security issues: if a user should encounter or observe a flaw in system or network security, this discrepancy must be reported to IT. Individuals must refrain from exploiting any such lapse in security.
• Get prior approval: Units, groups or departments that wish to provide Web or other network access to individuals or networks not directly affiliated with the University must get prior approval from IT.
• Register with IT: All devices placed on MRI's network must be registered with IT.
• Use assigned address: All authorized network users (faculty, staff or students) must be assigned a physical network port and network address by IT. Network connections at public access ports are restricted to authorized members of the MRI community.
• Users will take action to prevent source network address forgery (spoofing) of internal network addresses from the Internet.
• Have adequate security: Systems on the network must have adequate security installed and maintained. All systems connecting to the network must be configured and maintained in such a manner as to prohibit unauthorized access or misuse.

Further More:

• Physical access to MRI's networking equipment (routers, switches, hubs, etc.) is not permitted without the prior approval of IT.
• Some network services through standard ports is supported. However, services may be restricted to a limited number of subnets or hosts.
• IT will investigate any unauthorized access of University or MRI computer systems. IT will work with administrative departments and law enforcement when appropriate.

Thou Shall Not

• Engage in activities deemed inappropriate: these include, but are not limited to:
  • Establishing unauthorized network devices, including router, gateway or remote dial-in access server; or a computer set up to act like such a device.
  • Engaging in network packet sniffing or snooping.
  • Operating network servers of any sort in violation of guidelines.
  • Setting up a system to appear like another authorized system on the network (Trojan).
  • Other unauthorized use prohibited by the University's or MRI's acceptable use policies.