Home Campus Directory | A-Z Index

Firewall Policy

Purpose

The purpose of this policy is to outline the requirements, procedures, and operation of the Penn State Wilkes-Barre network firewalls.   This policy is in place to protect the Penn State Wilkes-Barre network from outside attacks and minimize the possibility of compromises and/or possible litigation by increasing network integrity, availability, and confidentiality.

Scope

This policy applies to all equipment connected to the Penn State Wilkes-Barre network and all personnel using said equipment.

Definitions

Device – A computer, electronic tool or communication apparatus with the ability to connect to a data or communication network

Internet - A worldwide system of computer networks

Firewall – An electronic device used to monitor and inspect data transmission traveling between data networks (i.e. The Internet and the Mont Alto data network.) Based on a programmed rule set managed by the campus ITS department, the firewall with either allow or disallow traffic with the aim of preventing unauthorized access to the campus private data network.

IP Address - A unique network addressed assigned to a device connected to a network.

ADG01 - Glossary of Computerized Data and System Terminology

Guidelines

  1. The default policy of all campus firewalls will be to deny all traffic unless exceptions are requested via procedure outlines in exceptions section below, and approved.
  2. Any exception that poses a security risk, regardless if they were previously approved will be revoked immediately.
  3. Critical security patches must be installed in a timely fashion (less than 72 hours after release) unless the patch prevents functionality or reliability.
  4. All network traffic on the campus network may be subject to inspection by intrusion detection/intrusion prevention systems.
  5. Only recognized network contacts (administrative, technical, security) may view or modify firewall rules.
  6. Firewall rule set will be reviewed on a quarterly basis by authorized personnel.

Standard Rules

The initial configuration assumes that all inbound connections from outside the Penn State Wilkes-Barre campus are un-trusted, and therefore blocked with exceptions. The following exceptions have been researched thus far and are to be placed into the active exceptions.

Outbound Rules

No rules 

Inbound Rules

http, https – Allow access to the web servers
Remote Desktop – Only allowed from the PSU VPN or PSU Wilkes-Barre Wireless 2.0
AIS Printing – Allow printing from AIS business services
Active Directory – Ports used to communicate with the active directory servers
Tivoli Endpoint Manager – Ports used to communicate with the Tivoli Endpoint Manager Servers at U-Park
Library Services – Ports used to allow DLT to manage the library computers
Scanning – Ports used to allow the secure Credit Card network to be scanned (only opened during scanning)
Seismic Server – Ports used to allow U-Park to monitor the seismic server at PSU Wilkes-Barre
Signature Stations – Ports used to allow U-Park to administer the PSU Wilkes-Barre Signature Stations

Exceptions

All proposed changes to firewall must be submitted in writing to wbitsupport@psu.edu.  This submission must include the following items:

  • The specific need for the exception documented thoroughly.
  • The IP addresses of the devices involved on the LAN.
  • The IP addresses of the devices involved on the outside network.
  • Point of contact to administrator of devices involved on the outside network.
  • Ports, protocol, and justification required for incoming traffic.

All proposed changes must be approved by the campus director of IT, the network administrator, and the requesting member’s supervisor.   Requests that do not support the University’s mission or pose security risks will not be approved.

Testing and Verification

Testing outside firewall rules will be accomplished through the use of the PSU wireless network.   The PSU wireless network has a dedicated interface on the edge router and is not treated as a local LAN by our campus firewall.