Applies to all network firewalls at UW-Madison.
The Network Firewall Policy establishes the Guiding Principles and collaborative decision-making process for the administration, configuration, and operating procedures for network firewalls at UW-Madison.
Network and host-based firewalls:
Network firewalls filter traffic between two or more networks. There are typically many computers or devices connected to each network.
Host-based firewalls provide a layer of software on one computer or device that controls network traffic in and out of that single machine.
Firewall rules, firewall policy, and the firewall decision-making process:
"Firewall rules" are the technical configuration of a firewall. This is also referred to as “firewall policy”, but are referred to here as “rules” to avoid confusion.
"Firewall policy" is campus IT policy about the decision-making for firewalls.
"Firewall decision-making" selects the firewall rules, and defines operating procedures for managing firewalls.
Local firewall rules and common firewall rules:
Local firewall rules only affect a specific subnet. The rules may be managed and maintained by the network administrator of that subnet, or may be managed and maintained centrally.
Advisory Group Charter
The Advisory Group Charter is a separate document. The charter and revisions to the charter must be consistent with the Policy and Implementation Plan, and must be approved by the Executive Sponsors.
The Advisory Group members are a mix of subject matter experts and members from representative campus units. The representative campus units should include both larger and smaller units. The larger units should include at least L&S, CALS, and SMPH.
As described in the Policy,
"The Group will initially advise on the common (shared) network firewall rules and operating procedures that apply to all devices and services on subnets protected behind the Next Generation firewalls."
As described in the Policy,
“…Longer-term, the Group will advise more generally on the administration, configuration, and operating procedures for network firewalls at UW-Madison.”
Firewall Operating Procedures
The Advisory Group develops and maintains operating procedures for network firewalls at UW-Madison. The operating procedures are subject to review by the Sponsors and Executive Sponsors.
The Advisory Group will advise on the knowledge or training needed by someone serving as a firewall administrator. The Advisory Group will help set criteria to become a Certified Firewall Administrator, and what privileges that conveys.
Regardless of who owns a device or who manages a device:
Connection of a device to the network automatically makes that device subject to the firewall rules in force at the connection point.
Firewall rule exceptions are granted based upon academic or business need, balanced with the risk posed by the rule change, and the availability of alternatives the meet the need or reduce the risk.
While a device is connected to the network, the network access of the device may be blocked or limited if it posses an unacceptable risk. This can be resolved by eliminating the risk, by reducing the risk to an acceptable level, by disconnecting the device, or by making the case that the risk is not, in fact, unacceptable, (i.e. it’s a mistake or a false positive.)
The Science DMZ is not affected by the common (shared) firewall rules.
Policy and Firewall Rule Exceptions
The operating procedures should include a quick emergency process for resolution of firewall rule exceptions for rules that are interfering with academic or business operations. This should include adjustments requested by faculty and staff, adjustments needed for testing and debugging by local firewall administrators, or other cases not yet identified. There should be a well known contact point to request emergency adjustments.
The general process described below is for finding long-term solutions where there is sufficient time to discuss and plan. It is not intended for use during emergency resolution. The operating procedures may elaborate upon the criteria or process as necessary.
Academic or business need.
Additional risk and compensating controls.
Contractual, regulatory, or legal requirements.
Acceptance of liability costs.
Concerns are discussed informally, and resolved if possible.
If concerns are not sufficiently resolved, the unit seeking an exception documents a proposed plan for an alternative arrangement and compensating controls. The unit communicates or meets with the Advisory Group. The situation is discussed, with the goal of understanding and resolving concerns.
If concerns are not sufficiently resolved, the Advisory Group makes a recommendation on the extent to which the proposed plan is an appropriate alternative.
The recommendation is automatically forwarded to the CISO, who may call upon the other Sponsors of the Advisory Group for assistance. The exception will be resolved in some manner. The Sponsors and/or the unit may elect to escalate to the Executive Sponsors of the Advisory Group and/or the Risk Executives of the affected systems.
The Office of Cybersecurity will measure the success of the Policy, the Implementation Plan, the Advisory Group, and the operating procedures, and will report these to the Advisory Group and the Sponsors.
The Advisory Group and the Office of Cybersecurity should work together to develop success criteria. Data could include log files gathered by the Next Generation Firewalls or other systems, incident or event tracking, self assessments, surveys, meeting notes, exception requests, or other sources. The original goal is annual assessment, but that could be extended to biennial or triennial assessment.
Please address questions or comments to firstname.lastname@example.org.