

External Firewall Policy - DRAFT

The default policy for traffic inbound to CWU networks from the Internet is 'DISALLOW' unless the traffic is the normal result of a session initiated by a host on the internal network. The firewall makes this determination dynamically through stateful inspection packet filtering: it records each session opened from inside and admits an inbound packet only if it belongs to one of those sessions or matches an explicit exception.

Access to STAFF, LAB and other internal network resources from the Internet will be available through the dial-in and VPN services only. Sessions to Internet resources originating on these networks will function normally. Under this model, reaching the vast majority of devices on the internal network from outside requires a simple authentication step first, which removes the constant exposure of our network to the second-by-second vulnerability probes originating on the Internet.

Exceptions to the default policy will be created to allow the normal operation of the university's public interfaces, such as www.cwu.edu and other well-known resources around campus, which must be able to respond to connection requests originating from the Internet. In all cases, proxied access will be preferred to direct access; for example, our content switch will front-end an Internet-visible web server rather than exposing the server itself.

Systems with Internet connectivity based on such exceptions will be subject to internal firewalling. Should such a system become compromised, it must not have full access to the complete inventory of devices on the internal network. For this reason, systems with exception-based external visibility should be dedicated to their specific task (e.g. "web server"), as the associated internal firewalling will render them unusable for tasks which require other communication with hosts on the internal network.

The default policy for traffic outbound from CWU networks to the Internet is 'ALLOW'. Exceptions to the default policy will ensure that CWU networks do not source traffic to the Internet which could disrupt the proper operation of other networks. For example, SMTP mail traffic is an exception: only our designated site-wide mail relay may originate outbound connections to tcp/25. By forcing all outgoing mail through a relay which is properly configured to reject spam and virus transmission, it is much more difficult for infected systems on our internal network to spread harm onto the Internet.
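The four rules above (stateful default-deny inbound, listed exceptions for public hosts, internal firewalling of those hosts, and default-allow outbound with tcp/25 restricted to the relay) are modelled below as a small stateful packet filter run over a constructed packet trace. This is an added example, not CWU's firewall configuration: the address ranges (10.0.0.0/8 for STAFF/LAB, 192.0.2.0/24 for exception hosts), the host roles, the port numbers and the packet trace are all assumptions made for illustration, and only TCP is modelled.

```python
"""Stateful packet-filter model of the draft CWU external firewall policy.

Added example, not CWU's configuration. Addresses, host roles and the
packet trace are constructed: 10.0.0.0/8 stands in for the STAFF/LAB
networks, 192.0.2.0/24 for hosts with exception-based Internet visibility,
and any other address is the Internet. TCP only; syn=True marks the first
packet of a session.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")       # assumed STAFF/LAB address space
DMZ = ip_network("192.0.2.0/24")          # assumed exception-host segment
WEB_FRONTEND = ip_address("192.0.2.80")   # assumed front-end for www.cwu.edu
MAIL_RELAY = ip_address("192.0.2.25")     # assumed site-wide outbound mail relay
SMTP = 25

# Explicit exceptions to the inbound DISALLOW default: (host, tcp port).
# Every entry widens the exposed surface, so the list is kept short.
PUBLIC_SERVICES = {(WEB_FRONTEND, 80), (WEB_FRONTEND, 443)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the first packet of a TCP session


def zone(ip: str) -> str:
    addr = ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in INTERNAL:
        return "internal"
    return "internet"


class EdgeFirewall:
    """Default deny inbound, default allow outbound, with session tracking."""

    def __init__(self) -> None:
        # Initiator-side 4-tuples of every session the firewall has accepted.
        self.sessions: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.sessions or reverse in self.sessions:
            return "ALLOW"      # continuation or reply of an accepted session
        if not pkt.syn:
            return "DROP"       # no state and not a connection attempt
        verdict = self._new_session(pkt)
        if verdict == "ALLOW":
            self.sessions.add(forward)
        return verdict

    def _new_session(self, pkt: Packet) -> str:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)
        if dst_zone == "internet":
            # Outbound default ALLOW; tcp/25 may only be sourced by the relay.
            if pkt.dport == SMTP and src != MAIL_RELAY:
                return "DROP"
            return "ALLOW"
        if src_zone == "internet":
            # Inbound default DISALLOW unless the target is a listed exception.
            return "ALLOW" if (dst, pkt.dport) in PUBLIC_SERVICES else "DROP"
        if src_zone == "dmz" and dst_zone == "internal":
            # Internal firewalling: a compromised exception host must not be
            # able to open sessions into the internal network.
            return "DROP"
        return "ALLOW"          # internal -> dmz, or traffic within one zone


def run_trace() -> list[tuple[str, str]]:
    """Constructed packet trace; returns (description, verdict) pairs."""
    fw = EdgeFirewall()
    trace = [
        ("staff host opens an HTTPS session to the Internet",
         Packet("10.2.3.4", 51000, "203.0.113.10", 443, syn=True)),
        ("reply from the Internet server to that session",
         Packet("203.0.113.10", 443, "10.2.3.4", 51000)),
        ("unsolicited SSH probe at the staff host",
         Packet("203.0.113.99", 40000, "10.2.3.4", 22, syn=True)),
        ("non-SYN packet with no state (stateless-filter bypass attempt)",
         Packet("203.0.113.99", 40000, "10.2.3.4", 22)),
        ("visitor opens the public web front-end",
         Packet("203.0.113.10", 52000, "192.0.2.80", 443, syn=True)),
        ("visitor probes SSH on the web front-end",
         Packet("203.0.113.10", 52001, "192.0.2.80", 22, syn=True)),
        ("infected lab host sends mail directly to the Internet",
         Packet("10.5.6.7", 53000, "203.0.113.25", SMTP, syn=True)),
        ("designated relay sends mail to the Internet",
         Packet("192.0.2.25", 53001, "203.0.113.25", SMTP, syn=True)),
        ("compromised web front-end tries SMB into the staff network",
         Packet("192.0.2.80", 54000, "10.2.3.4", 445, syn=True)),
        ("staff host publishes content to the web front-end",
         Packet("10.2.3.4", 55000, "192.0.2.80", 443, syn=True)),
        ("web front-end replies to the staff host",
         Packet("192.0.2.80", 443, "10.2.3.4", 55000)),
    ]
    return [(what, fw.decide(pkt)) for what, pkt in trace]


if __name__ == "__main__":
    for what, verdict in run_trace():
        print(f"{verdict:5}  {what}")
```

The fourth packet in the trace is the case a stateless ACL gets wrong: a packet that carries no SYN and matches no recorded session is dropped here, whereas an "established" ACL keyed on TCP flags alone would let it through. The last two packets show that internal firewalling of the front-end still permits it to answer sessions opened from inside; only sessions it originates toward the internal network are refused.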

The effectiveness of any firewall diminishes as the number and complexity of exceptions to the default actions grow. The strength of this approach is the simplicity of the filtering model, whereby the vast majority of all traffic is handled by the default policy. It is essential that implementation of this policy discourage the creation of exceptions which serve only to preserve the status quo, instead of adjusting the particular resource so that it achieves the same functionality in accordance with the model put forward in this document.

Contact Information

ITS - Networks
400 E. University Way
Ellensburg, WA 98926
Phone (509) 963-2924
Email: networks@cwu.edu