ITS Security Policy 105 - Firewall, Router, and Switch Administration

Status: TDX Submitted Draft (Updated)
Last Revision Date: 13 July 2022

Statement of Purpose

Clackamas Community College employs multiple cybersecurity measures to protect its digital infrastructure. At the core of these defenses are the firewalls, routers, and switches that enforce the network perimeter and internal segmentation against external attacks and intrusions. This policy outlines the essential principles for the configuration, maintenance, and administration of that infrastructure.

Policy Summary

All network connectivity paths and services to and from the Clackamas Community College network must be managed and protected by firewalls. Firewalls, routers, and switches must be configured and administered following established, documented procedures.

Changes to firewall hardware, software, or security rules must be reviewed, approved, logged, and implemented in accordance with the College’s change control procedures.

This policy is subject to and superseded by all applicable regulations and legal requirements.

Policy

  1. All network connectivity paths and services must be managed by Clackamas Community College firewalls unless explicitly approved as an exception by the Chief Information Officer (CIO). Exception requests must include supporting documentation outlining the network path and its interconnections.

  2. All externally initiated inbound traffic must terminate in a firewall-segmented demilitarized zone (DMZ); no externally initiated connection may be permitted directly into the internal network. Inbound rules must be restricted to only the ports and protocols required for Clackamas Community College’s business operations.

  3. The Network Manager must conduct a comprehensive review of each firewall rule set at least once every six months and document the findings.

  4. Internal IP addresses must not be exposed to external networks; Network Address Translation (NAT) or Port Address Translation (PAT) must be applied to traffic leaving the College network. NAT conceals internal addressing but is not an access control in itself, so translated traffic remains subject to the filtering rules in items 2 and 6.

  5. Anti-spoofing filtering must be configured on all perimeter devices so that packets are dropped when their source address could not legitimately arrive on that interface (for example, internal or private address ranges arriving on the external interface, or outbound traffic carrying a source address outside the College’s own ranges). Anti-spoofing rules must be ordered ahead of any permit rule that could otherwise match the spoofed traffic.

  6. Outbound traffic from internal production systems must be restricted to only the required protocols and services.

  7. On-premises enterprise databases must be segmented from the main Clackamas Community College network.

  8. Specially regulated services (e.g., HIPAA, PCI) must be hosted on dedicated, isolated network segments that comply with relevant regulatory standards.

  9. Internet and wireless access to the College’s core network must be managed through next-generation firewalls.

  10. When VLANs are used for network segmentation, traffic between VLANs must be filtered with access control lists (ACLs) or firewall rules; VLAN separation on its own is not a security boundary.

  11. All network hardware and operating systems must be updated, patched, and maintained according to manufacturer recommendations and industry best practices.
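The following is an added example, not the College’s tooling or part of the original policy text. It shows one way the six-month rule-set review required by item 3 can be partly automated: a constructed rule set in a hypothetical schema is checked against items 2 (inbound only to the DMZ, on required ports), 5 (anti-spoofing, verified by first-match probing rather than by merely looking for a deny rule, because a deny placed after a broad allow does nothing) and 6 (restricted production egress). The zone names, the approved egress list, and the 203.0.113.0/24 DMZ address range are assumptions, as is the rule format.

```python
"""Audit a firewall rule set against Policy 105 items 2, 5 and 6.

Added example, not the College's tooling. The rule schema, zone names,
approved egress list and the 203.0.113.0/24 DMZ range are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    ingress: str     # zone the packet arrives on: "outside", "inside", "dmz", "any"
    src: str         # source CIDR
    dst_zone: str    # "outside", "inside", "dmz", "any"
    dst: str         # destination CIDR
    proto: str       # "tcp", "udp" or "any"
    dport: str       # "443", "1024-65535" or "any"


# Source ranges that can never legitimately arrive on the external interface
# (RFC 1918 plus loopback). A real deployment would use the full bogon list.
SPOOFABLE_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Hypothetical egress allow-list for production systems (item 6).
APPROVED_EGRESS = {("tcp", "443"), ("tcp", "80"), ("udp", "53"), ("udp", "123")}

DMZ_WEB = "203.0.113.10"   # assumed DMZ host used as the destination of probe packets


def _port_matches(spec, port):
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def first_match(rules, ingress, src, dst_zone, dst, proto, dport):
    """Return the first rule a packet matches (first-match semantics), or None
    if nothing matches, which the audit treats as an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.ingress not in ("any", ingress) or r.dst_zone not in ("any", dst_zone):
            continue
        if r.proto not in ("any", proto) or not _port_matches(r.dport, dport):
            continue
        if src_ip in ipaddress.ip_network(r.src) and dst_ip in ipaddress.ip_network(r.dst):
            return r
    return None


def audit(rules):
    """Return (policy_item, rule_name, message) tuples for every violation found."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        # Item 2: externally initiated traffic may only reach the DMZ, on required ports.
        if r.ingress == "outside":
            if r.dst_zone != "dmz":
                findings.append((2, r.name, f"inbound traffic allowed into zone '{r.dst_zone}', not the DMZ"))
            if r.proto == "any" or r.dport == "any":
                findings.append((2, r.name, "inbound rule is not restricted to required ports"))
        # Item 6: production egress limited to approved protocols and services.
        if r.ingress == "inside" and r.dst_zone == "outside" and (r.proto, r.dport) not in APPROVED_EGRESS:
            findings.append((6, r.name, f"outbound {r.proto}/{r.dport} is not on the approved egress list"))
    # Item 5: send a probe from each spoofable range at the DMZ web host and see
    # which rule answers first; a deny rule behind a broad allow is shadowed.
    for net in SPOOFABLE_NETS:
        probe = str(net[1])
        hit = first_match(rules, "outside", probe, "dmz", DMZ_WEB, "tcp", 443)
        if hit is not None and hit.action == "allow":
            shadowed = [d.name for d in rules if d.action == "deny" and d.ingress in ("any", "outside")
                        and ipaddress.ip_network(d.src).subnet_of(net)]
            why = f"deny rule '{shadowed[0]}' is shadowed" if shadowed else "no deny rule covers this range"
            findings.append((5, hit.name, f"spoofed source {probe} ({net}) on 'outside' is permitted; {why}"))
    return findings


# Constructed rule set with deliberate defects, evaluated top to bottom.
RULES = [
    Rule("antispoof-10", "deny", "outside", "10.0.0.0/8", "any", "0.0.0.0/0", "any", "any"),
    Rule("permit-web-to-dmz", "allow", "outside", "0.0.0.0/0", "dmz", "203.0.113.10/32", "tcp", "443"),
    Rule("antispoof-192.168", "deny", "outside", "192.168.0.0/16", "any", "0.0.0.0/0", "any", "any"),  # too late
    Rule("legacy-rdp-inside", "allow", "outside", "0.0.0.0/0", "inside", "10.20.0.5/32", "tcp", "3389"),
    Rule("egress-web", "allow", "inside", "10.0.0.0/8", "outside", "0.0.0.0/0", "tcp", "443"),
    Rule("egress-any", "allow", "inside", "10.0.0.0/8", "outside", "0.0.0.0/0", "any", "any"),
    Rule("default-deny", "deny", "any", "0.0.0.0/0", "any", "0.0.0.0/0", "any", "any"),
]

# The same set with the defects corrected: every anti-spoofing deny precedes the
# first allow, the inbound RDP exposure is gone, and egress is the approved rule only.
REMEDIATED_RULES = (
    [Rule(f"antispoof-{n}", "deny", "outside", str(n), "any", "0.0.0.0/0", "any", "any") for n in SPOOFABLE_NETS]
    + [RULES[1], RULES[4], RULES[6]]
)

if __name__ == "__main__":
    for item, name, msg in audit(RULES):
        print(f"item {item}: {name}: {msg}")
    print("remediated findings:", audit(REMEDIATED_RULES))
```

Run against the constructed set, the audit reports the RDP rule (item 2), the catch-all egress rule (item 6), and three anti-spoofing failures (item 5), including the 192.168.0.0/16 deny that exists but is shadowed by the earlier permit; the remediated set produces no findings. The probing approach is what makes the ordering defect visible: a review that only grepped for "deny 192.168.0.0/16" would have passed it.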

Exemptions

Emergency actions, such as implementing a firewall block rule to mitigate an active cyberattack, may be executed immediately without prior approval. However, all emergency changes must be documented and subjected to a follow-up review.

Exceptions

Any exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).