BP 8105 Firewall, Router, and Switch Administration

Statement of Purpose

PCC’s Information Security Policies support the following goals:
1. Promote a “security is everyone’s responsibility” philosophy to assist PCC in meeting its business and legal commitments.
2. Ensure that PCC complies with all applicable laws and regulations.
3. Ensure the integrity, reliability, availability, and superior performance of IT resources.
4. Ensure that users are protected from data breach and cybercrime.
5. Ensure that use of IT resources is consistent with the principles and values that govern the use of other college facilities and services.
6. Prevent unauthorized disclosure of controlled sensitive data.
7. Prevent disruption of the learning experience.
8. Ensure the college is protected from financial, legal, regulatory, and reputational harm.
9. Ensure that IT systems are used for their intended purposes.
10. Establish processes for addressing policy violations and sanctions for violators.

There are many components that make up the cyber-security defenses at PCC. However, at the core is the protection the perimeter of our network from external attacks and intrusions using firewall and supporting network technologies. This policy documents the core principles for the configuration and maintenance of our firewall infrastructure.

Scope Statement

This policy applies to PCC firewall installations and all PCC network infrastructure components. Accountable and responsible individuals are the Information Security team, IT operational support personnel, and network support management and staff.

Policy Summary

Each connectivity path and service to and within the Portland Community College (PCC) network shall be managed and protected by firewalls, routers, and switches that are configured and administered according to defined and documented procedures.

Changes to firewall hardware, software, or security rules shall be reviewed, approved, logged, and implemented using documented change control procedures.

This policy shall be subject to and superseded by applicable regulations and laws.

Policy

1. Every connectivity path and service shall be managed by PCC firewalls, unless specifically permitted by exception by the Chief Information Officer (CIO). Exceptions to this policy shall include supporting documentation showing the path and its interconnections to the PCC Network.

2. All externally initiated inbound traffic shall only be permitted into a firewall segmented demilitarized zone (DMZ) network. In all cases, this traffic shall be limited only to ports necessary for PCC’s business requirements.

3. At least every six months, the Network Manager shall ensure a thorough review occurs for each firewall rule set and record results of the review.

4. All mobile and employee-owned computers with direct connectivity to the Internet (e.g. laptops used by employees) that are used to access the PCC network shall have personal firewall software installed and activated.

5. Internal IP addresses shall be hidden utilizing Network Address Translation (NAT) or Port Address Translation (PAT).

6. Anti-spoofing technologies shall be configured on perimeter devices.

7. Outbound traffic from internal production systems shall be restricted to only required protocols and services.

8. On-premise enterprise databases shall be segmented from the larger PCC network.

9. Specially regulated services (e.g. HIPAA, PCI) shall be configured on dedicated, isolated network segments that conform to regulatory standards.

10. Internet and wireless access to the core PCC network shall be regulated using next generation firewalls.

11. Where VLANs are used for segmentation, appropriate network security principles (e.g. ACLs) shall be implemented.

12. Network hardware devices and operating systems shall be upgraded, patched and maintained to manufacturer recommendations and standards.

Exemptions

None

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Security Officer (CISO) / Director of Infrastructure Services

Policy Violation

1. Violation of this policy may result in disciplinary action in accordance with PCC Human Resources and/or Student Conduct guidelines.
2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
4. PCC reserves the right to deactivate any User’s access rights (whether or not the User is suspected of any violation of this policy) when necessary to preserve the integrity of IT Resources.

Complaint Procedures

Report non-security-related violations (such as receipt of inappropriate content, other Human Resource policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, HR, or EthicPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing Standards, Policies & Guidelines

  • US Dept of Education: Guidance Letter – Protecting Student Information
  • US Dept of Education: Family Educational Rights and Privacy Act (FERPA)
  • US Dept of Homeland Security: Federal Information Security Management Act (FISMA)
  • Gramm-Leach-Bliley Act (GLBA)
  • FTC Red Flags Rule
  • Health Insurance Portability and Accountability Act (HIPAA)
  • International Organization for Standardization (ISO)
  • National Institute Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley (SOX) for Colleges and Universities

Definitions

ARP Cache Flood
A form of computer hacking that “gridlocks” the network.

Access Control List (ACL)
A technical form of access control.

An ACL is a set of rules in a network device, such as a router, that controls access to segments of the network. A router with ACLs can filter inbound and/or outbound network traffic similar to a firewall, but with less functionality.

Chief Information Officer (CIO)
Senior manager of the Information Technology (IT) Department and a member of Cabinet.

At PCC, the CIO is responsible for all technology, with the exception of:
– Online Learning (Academic Affairs)
– Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
– Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)

Chief Information Security Officer (CISO)
Senior manager responsible for information security compliance at PCC.

Controlled Sensitive Data (CSD)
A general categorization that is used in PCC’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies.

CSD includes: PII, PHI, HIPAA, FERPA, regulated, private, personal, or sensitive information for which PCC is liable if publicly disclosed.

Cybercrime
Criminal activity or a crime that involves the Internet, a computer system, or computer technology.

Data Breach
Generally, an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so.

Note: Although “breach” is a commonly used term in the information security community, legally, the term “breach” tends to only be used when a security event reaches the threshold of regulatory reporting. PCC legal council recommends using the terms “incident” or “compromise” until it can be determined whether an event satisfies the legal definition of a breach.

Demilitarized Zone (DMZ)
A way of configuring a network that separates Internet-facing systems from internal systems for security purposes.

Sometimes referred to as a perimeter network, the DMZ is a physical or logical sub-network that contains and exposes an organization’s external-facing services to a usually larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN).

Firewall
Technology that acts as a gatekeeper to prevent malicious traffic from entering a network. The moat around a castle that only allowed entry via a drawbridge acted as an early physical version of a firewall.

A network security system that monitors and controls the incoming and outgoing network traffic, usually based on predetermined security rules.

Hardware
The collection of physical components that constitute a computer system (a desktop computer, a server in a datacenter, a network switch, a printer, etc.)

IT Resource
(At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.

IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.

Information Security Manager (ISM)
(aka Associate CISO) Manager of the PCC Information Security team, reporting to the CIO and/or CISO.

Internet
A global network that facilitates electronic communication of data between any participating parties.

A network of networks that consists of private, public, academic, business, and government networks of local to global scope linked by a broad array of electronic, wireless, and optical networking technologies.

Internet Protocol Address (IP Address)
Uniquely identifies a computing device so that it can send and receive messages with other devices on a network.

A numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.

Network
(In IT) The technology that carries messages between one computer and another.

A network is a primary component of technology infrastructure and consists of hardware (e.g. routers, switches) that control and direct traffic; transport technologies (e.g. cables, fibre, wireless radio waves) that transport messages from Point A to Point B; and standards (e.g. Internet Protocol, Ethernet) that facilitate a common understanding of the messages being sent and how they are to be processed.

End points (or nodes) on a network are the senders and receivers of the messages and are usually computers (e.g. servers, desktops, laptops) – but can also be technology such as machine controllers, audio/visual devices, etc.

The Internet of Things (IoT) largely replaces people interacting across a network with machines and other technology devices interacting across a network, often using artificial intelligence (AI).

Network Address Translation (NAT)
A technology for more efficiently managing communication across a network.

A method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.

Packet
A unit of data sent over a network. Most data networks break messages into packets that are reassembled by the receiving computer.

A formatted unit of data carried by a packet-switched network. Computer communications links that do not support packets, such as traditional point-to-point telecommunications links, simply transmit data as a bit stream.

Port
(In IT) The end point of a network message. If network addresses are like a street address, port numbers are like suite or room numbers. Access to a network or computing resource can be controlled by identifying what messages are permitted to pass through a specific port.

A network port is a process-specific or application-specific software construct serving as a communication endpoint, which is used by the Transport Layer protocols of Internet Protocol suite, such as User Diagram Protocol (UDP) and Transmission Control Protocol (TCP).

Port Address Translation (PAT)
A technical mechanism for limiting the number of IP addresses needed.

An extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address.

Production Environment (PROD)
The technology environment where software and other products are actually put into operation for their intended uses by end users.

This is a highly controlled and monitored environment and separate from the development, test, or other environments where software is not intended for production use.

Router
A networking device that forwards data packets between computer networks.

Software
A set of instructions that tells a computer what to do.

Computer software is generally constructed as programs (applications) written in a specific language designed to run on computer hardware. Most common softwares are applications for business and personal use. More specialized computer software runs the operating systems of computers, operates machinery, creates artificial intelligence in robots, controls scientific instruments, etc.

Spoofing
A form of computer hacking in which one person or program successfully masquerades as another.

Stateful
(In IT) A form of communication between computers in which information is commonly maintained for the duration of the transaction or session.

A stateful protocol requires keeping the internal state of the session on the server. A TCPconnection-oriented session is a ‘stateful’ connection because both systems maintain information about the session itself during its life.

Switch
(In IT) A computer networking device.

A network switch (also called switching hub, bridging hub, officially MAC bridge) connects devices together on a computer network, by using packet switching to receive, process, and forward data to the destination device. Unlike less advanced network hubs, a network switch forwards data only to one or multiple devices that need to receive it, rather than broadcasting the same data out of each of its ports.

System
(In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.

The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run in the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.

Virtual Local Area Network (VLAN)
A technical method of separating different areas of a network, usually for security reasons.

Any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is an abbreviation for local area network. To subdivide a network into virtual LANs, one configures network equipment.

Responsible Executive

Chief Information Officer

Responsible Officer

Chief Information Security Officer (CISO), Director of Infrastructure Services

Responsible Office

IT Information Security, IT Infrastructure Services Division

Last Revision Date

09-17-2019