Contact Us

Network Security Center
6045 S. Kenwood
Chicago, IL 60637
Phone: 773-702-CERT
security@uchicago.edu

About Firewalls

A firewall is either a software package installed on a computer or a piece of hardware installed onto the network to limit network access to either a single computer or a group of computers. In general, firewalls are installed to improve the security of the computers behind them.

Firewalls on campus are split into three different categories: those protecting individual hosts, those which protect groups of computers providing a single service, and firewalls protecting the campus as a whole.

NOTE: Departmental firewalls are NOT offered or allowed, because deploying department-wide firewalls that do not reduce the availability of the network as a whole is too expensive.

Looking for information on Managed (Hardware) Firewalls? See Managed Firewalls.

Firewall Principles

  • Firewalls are most effective when placed close to the hosts they are protecting.
  • Firewalls are one part of the security of a system. They can be helpful in protecting systems, but are useless if other measures are not also taken.
  • Firewalls should interfere minimally with the network.

There are some general requirements for all firewalls on the campus network. These requirements ensure the availability of the network and allow NSIT to better manage and support the network.

Firewall Types

If you have questions about the firewall strategy, or to request consultation on local deployment of firewalls, please email the Firewall Team at firewalls@uchicago.edu

Firewall Requirements

These rules govern all firewalls and devices that provide network address translation installed on the University's network. Firewalls which do not meet these minimum requirements must not be installed on the network and may be removed if discovered.

For the purposes of this document, a firewall is defined as any device which: a) sits between multiple computers and the University network, and b) filters traffic or translates network addresses. Firewalls which are installed in front of a single computer (that is, host firewalls) are exempt from this document.

  • All firewalls must be registered with the Network Security Center and be coordinated with the Firewall Team at firewalls@uchicago.edu.
  • Firewalls may not be placed in front of networking equipment run by NSIT.
  • The organization installing the firewall agrees to act as the first line of support for all networking issues involving machines behind the firewall. If NSIT is contacted by someone trying to connect through the firewall, that person may be directed to contact the firewall maintainers.
  • If the firewall runs any sort of address translation for more than one machine, the maintainers must keep at least three months of logs indicating which machine made every connection through the firewall. The maintainers must provide this information to NSIT/the Network Security Center upon request.
  • The firewall must allow through connections from NSIT that are necessary to ensure the integrity of the data network and to allow for vulnerability scans by the Network Security Center.
  • If a machine behind the firewall is in violation of the Eligibility and Acceptable Use Policy and would normally be removed from the network, the firewall will be removed from the network (isolating all machines behind it).
  • The organization installing the firewall understands that many modern threats to security are specifically designed to bypass firewalls. Machines behind firewalls must be kept secure.

Last updated: 6/17/09