Capital College --- Request for Exceptions to Firewall Security: CL–FEP–01
1.0 Purpose
The purpose of this guideline is to outline the requirements and procedure to
request exceptions to firewall rules within the Capital College. These rules are
in place to protect the employee and the Capital College. Exceptions without
proper precautions may expose the Capital College to a higher level of risk
including virus attacks, compromise of network systems and services, and
possible litigation.
2.0 Scope
This guideline applies to employees, students, contractors, consultants,
temporaries, and other workers at the Capital College, including all
personnel affiliated with third parties. This guideline applies to all equipment
that is connected to the Capital College Administrative Network.*
3.0 Guideline
It is recognized that a firewall can restrict certain activities on the network and the Internet at large that are necessary to conduct the teaching, research, and outreach functions of the College. Thus, the following guideline establishes the requirements that must be met before exceptions are established through a firewall protecting individual machines or groups of machines*:
1. All exception requests must be made by a work order submitted to IIT after consultation with IIT Systems Administrators. IIT Systems Administrators work with the Schools and Departments, are keenly aware of the security issues and needs within the Schools and Departments, and are aware of existing servers within the College or Departments that may already have the necessary exception and may better provide the service. Additionally, if an exception request must be made for a machine they are aware of, the School Director or their designate will need to make an informed decision, including the justification for each port included in the request.
2. The computer(s) must be administered by an IIT staff member and should be a system dedicated to providing the services for which the exception is requested. The purpose is to provide College and Departmental servers the accessibility they need to provide their intended services. Dedicated appliances or servers that cannot be incorporated into the aforementioned services provided by the Department, College, or University (e.g., a web cam used for providing live video feed of lectures or experiments) due to technical reasons will be reviewed on a case-by-case basis.
3. Security patches must be installed in a timely fashion (as soon as possible, but not to exceed 72 hours after release by the vendor) by IIT. The only exception would be if the patch prevents the proper function of installed software and no satisfactory work-around can be found. Occasionally, College staff will check computers granted exceptions to ensure that the latest security patches have been installed.
4. A computer will be disconnected from the network if a security incident occurs and the port(s) granted the exception will be closed until the computer again complies with items 1 and 2.
4.0 Exceptions
Exception process – Any exceptions requested for a given interface must be thoroughly researched by the department making the request, for both the necessity of the exception and the possible security risks associated with making the exception. Upon approval by the department, a request must be made via a "Request for Exceptions to Firewall Security memo" to the School Director. Requests for exceptions through the firewall may only be submitted through consultation with IIT Systems Administrators and placed into a work order. Only the Penn State Harrisburg LAN Administrative, Technical or Security Contact may submit changes for the firewall rules. Work order instructions are listed below. Any such requests will be reviewed by IIT staff, discussed with the School Director, and either subsequently adopted for the Administrative Network or denied based on the lack of necessity or because of unavoidable security risks associated with adopting the exception. Further discussion with the Senior Associate Dean for Academic Affairs may be necessary. Lack of necessity would be determined based on the need for the service in question and/or the availability of alternate means to use the service more securely (e.g., tunneling the traffic via a VPN).
The work order must address the following items:
1. The specific need for the exception and the port(s) to be opened, with justification for each.
2. The Internet name and address of the computer(s) for the exception.
3. The name, phone number, and email address of the IIT staff member responsible for administration of the computer(s). If staffing changes leave an excepted server unmanaged, the exception(s) may be removed if an unreasonable security risk arises from the system remaining unmanaged.
4. Security measures in force on the system, including password guideline, auditing guideline, antivirus software (if any), and any additional security-related software and/or settings of the machine.
5. A statement to the effect that the user of the computer(s) "understands that the computer(s) will be disconnected from the network and the port(s) granted the exception will be closed if a security incident occurs with that computer, contact information for the IIT staff person responsible for the computer is not kept current, or security patches are not being applied in a timely manner."
Exceptions may not be granted for a request that the School Director and/or Senior Associate Dean for Academic Affairs in consultation with IIT considers too vulnerable to attack or for operating systems and applications without a proven record of adequate security.
5.0 Enforcement
If security measures are mitigated after an exception has been granted, the exception can be immediately rescinded. In the judgement of Information Technology Services, intervention may also be needed when Condition Yellow or Condition Red events occur. See:
http://its.psu.edu/firewall/
6.0 Revision History
Last updated: 11/3/2006, ryb2 7/24/07
DEFINITIONS:
*Groups of machines - at Capital College, those groups of machines are called the *Administrative Network and consist of over 400 faculty and staff computers, 75 printers, 27 multifunction (copier-printer-fax-scanner) units, about 20 servers, several card swipe locks, and 36 projectors, and the network is constantly growing.