
Firewalls - Principles, Types, & Requirements

This article explains general firewall topics, including principles, types of firewalls, and requirements.

A firewall is either a software package installed on a computer or a piece of hardware installed on the network that limits network access to a single computer or to a group of computers. In general, firewalls are installed to improve the security of the computers behind them.

Firewalls on campus are split into three different categories:

  • those protecting individual hosts
  • those which protect groups of computers providing a single service
  • firewalls protecting the campus as a whole

NOTE: Departmental firewalls are NOT offered or allowed, because of the expense of deploying department-wide firewalls in a way that does not reduce the availability of the network as a whole.

For more information, see Requirements for Managed (Hardware) Firewalls.

Firewall Principles

  • Firewalls are most effective when placed close to the host they protect.
  • Firewalls are one part of the security of a system. They can be helpful in protecting systems, but are useless if other measures are not also taken.
  • Firewalls should interfere minimally with the network.

Firewall Types

  • Firewalls Protecting Individual Hosts: Each host on the University's network should be protected by some sort of individual firewall. Firewalls are included with both Windows and Mac operating systems.
  • Firewalls Protecting Groups of Computers: Groups of computers offering a single service can be protected by a single firewall when appropriate. A group firewall is appropriate only when the service meets all of the following criteria:
    • There are multiple machines in a group which together provide a single service to their users.
    • The single service is easily protected by a firewall.
    • Due to the nature of the communications between the machines in the group, it is not possible to firewall each machine individually.
    • There is a clear and compelling reason for the group of machines to be behind a firewall.
  • Firewalls Protecting the Campus at Large: Firewalls at the University's network gateway are installed to protect the otherwise unprotected. These firewalls block very little traffic and only address the most common of threats.

If you have questions about the firewall strategy, or to request consultation on local deployment of firewalls, please email the Firewall Team at firewalls@uchicago.edu

Firewall Requirements

These rules govern all firewalls and devices that provide network address translation installed on the University's network. Firewalls which do not meet these minimum requirements must not be installed on the network and may be removed if discovered.

For the purposes of this document, a firewall is defined as any device which: a) sits between multiple computers and the University network, and b) filters traffic or translates network addresses. Firewalls which are installed in front of a single computer (that is, host firewalls) are exempt from this document.

  • All firewalls must be registered with IT Security and be coordinated with the Firewall Team at firewalls@uchicago.edu.
  • Firewalls may not be placed in front of networking equipment run by IT Services.
  • The firewall must allow through connections from IT Services that are necessary to ensure the integrity of the data network and to allow for vulnerability scans by IT Security.
  • If a machine behind the firewall is in violation of the Eligibility and Acceptable Use Policy and would normally be removed from the network, the firewall will be removed from the network (isolating all machines behind it).
  • The organization installing the firewall understands that many modern threats to security are specifically designed to bypass firewalls. Machines behind firewalls must be kept secure.
  • The organization installing the firewall agrees to act as the first line of support for all networking issues involving machines behind the firewall. If IT Services is contacted by someone trying to connect through the firewall, that person may be directed to contact the firewall maintainers.
  • If the firewall runs any sort of address translation for more than one machine, the maintainers must keep at least six months of logs sufficient to identify which machine behind the firewall made each connection through it. The maintainers must provide this information to IT Services/IT Security upon request.
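The last requirement is easiest to understand from the maintainer's side: IT Security reports that the firewall's public address made a connection to some remote host at some time, and the maintainer has to say which machine behind the firewall was responsible. The script below is an added example, not code from the article or from IT Services. It assumes a Linux NAT box whose connection-tracking events are logged in the style of `conntrack -E -o timestamp`; the log lines, the public address 203.0.113.10, the internal 10.0.0.0/8 hosts and the remote addresses are all constructed for the example (RFC 5737 documentation ranges). It also shows why the time of the connection is part of the question: a translated source port is reused by a different internal host a few minutes later, so the public tuple alone is ambiguous.

```python
"""Who made this connection? Answering a NAT attribution request from logs.

Added example, not part of the original article. The log lines are constructed
in the style of `conntrack -E -o timestamp` events on a Linux NAT box;
addresses are from the RFC 5737 documentation ranges. 203.0.113.10 plays the
firewall's public address, 10.0.0.0/8 the machines behind it.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample log. The translated source port 40021 is handed out twice,
# to two different internal hosts ten minutes apart, so a (public IP, port,
# remote IP, port) tuple alone does not identify the machine; the time does.
SAMPLE_LOG = """\
[1430847603.102011]    [NEW] tcp      6 120 SYN_SENT src=10.0.0.12 dst=198.51.100.7 sport=51234 dport=443 [UNREPLIED] src=198.51.100.7 dst=203.0.113.10 sport=443 dport=40021
[1430847610.550000]    [NEW] udp      17 30 src=10.0.0.40 dst=198.51.100.53 sport=53111 dport=53 [UNREPLIED] src=198.51.100.53 dst=203.0.113.10 sport=53 dport=40100
[1430847700.000000]    [UPDATE] tcp      6 432000 ESTABLISHED src=10.0.0.12 dst=198.51.100.7 sport=51234 dport=443 src=198.51.100.7 dst=203.0.113.10 sport=443 dport=40021 [ASSURED]
[1430848203.770000]    [NEW] tcp      6 120 SYN_SENT src=10.0.0.77 dst=198.51.100.7 sport=60011 dport=443 [UNREPLIED] src=198.51.100.7 dst=203.0.113.10 sport=443 dport=40021
"""

# Original direction: src/dst as the internal host sent the packet. Reply
# direction: the addresses the remote side sees, so its dst/dport is the
# translated source of the internal host. Only [NEW] events create a mapping.
NEW_RE = re.compile(
    r"^\[(?P<ts>\d+\.\d+)\]\s+\[NEW\]\s+(?P<proto>\w+)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?"
    r"src=(?P<int_ip>\S+) dst=(?P<rem_ip>\S+) sport=(?P<int_port>\d+) dport=(?P<rem_port>\d+)"
    r"\s+\[UNREPLIED\]\s+src=\S+ dst=(?P<nat_ip>\S+) sport=\d+ dport=(?P<nat_port>\d+)"
)


@dataclass(frozen=True)
class NatRecord:
    when: datetime          # flow creation time, UTC
    proto: str
    internal_ip: str        # the machine that actually made the connection
    internal_port: int
    nat_ip: str             # what the remote side (and the complaint) reports
    nat_port: int
    remote_ip: str
    remote_port: int


def parse_log(text: str) -> List[NatRecord]:
    """Extract one NatRecord per [NEW] event; UPDATE/DESTROY lines are ignored."""
    records = []
    for line in text.splitlines():
        m = NEW_RE.match(line)
        if not m:
            continue
        records.append(NatRecord(
            when=datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
            proto=m["proto"],
            internal_ip=m["int_ip"], internal_port=int(m["int_port"]),
            nat_ip=m["nat_ip"], nat_port=int(m["nat_port"]),
            remote_ip=m["rem_ip"], remote_port=int(m["rem_port"]),
        ))
    return records


def lookup(records: List[NatRecord], proto: str, nat_ip: str, nat_port: int,
           remote_ip: str, remote_port: int, seen_at: datetime) -> Optional[NatRecord]:
    """Return the mapping that was current at seen_at for the reported tuple.

    The answer is the most recent [NEW] event for that tuple at or before the
    reported time. The same port can be reused later by another host, so an
    event after seen_at must never be chosen; with no earlier event there is
    no answer, and the maintainer should say so rather than guess.
    """
    candidates = [r for r in records
                  if r.proto == proto and r.nat_ip == nat_ip and r.nat_port == nat_port
                  and r.remote_ip == remote_ip and r.remote_port == remote_port
                  and r.when <= seen_at]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.when)


if __name__ == "__main__":
    # Constructed request: "203.0.113.10:40021 connected to 198.51.100.7:443 at 12:45 CDT".
    recs = parse_log(SAMPLE_LOG)
    seen = datetime(2015, 5, 5, 17, 45, tzinfo=timezone.utc)  # 12:45 CDT
    hit = lookup(recs, "tcp", "203.0.113.10", 40021, "198.51.100.7", 443, seen)
    print("no matching mapping" if hit is None else
          f"{hit.internal_ip}:{hit.internal_port} via {hit.nat_ip}:{hit.nat_port} "
          f"at {hit.when:%Y-%m-%d %H:%M:%S} UTC")
```

The point of the example is the key: the translated address and port, the remote address and port, and the time. Without the time the request at 12:45 CDT and a request ten minutes later would both match port 40021 and name different machines. This is also why the requirement is for six months of complete logs rather than a current NAT table: the table only knows the mapping that exists now.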



Keywords: security, safety
Doc ID: 19445
Owner: Synita C.
Group: University of Chicago
Created: 2011-08-02 19:00 CDT
Updated: 2015-05-05 12:45 CDT