Access Control Gateway Security Policy
Information Technology Services
Connecting the Worcester State enterprise network to external networks, including the Internet and business partner networks, makes it essential to ensure that these connections do not compromise the integrity or security of the enterprise network.
All network interconnections between any external network and the Worcester State enterprise network must be protected by an access control gateway.
- All external access to the Worcester State enterprise network must pass through an access control system (such as a firewall) at which all traffic between the enterprise network and external networks can be controlled, monitored, and examined for access violations.
- A security assessment of the gateway architecture, design, practices and operations must be performed annually. It must be possible to demonstrate, and periodically validate, that the claimed level of security protection is actually being enforced and that the system carries out its policy rules.
- The enterprise network must be protected by at least one authorized firewall that defines and enforces rules over information and users crossing from internal to external systems, or from external systems to internal resources, including Worcester State information services provided via a Service Segment (e.g. a Demilitarized Zone [DMZ]).
- Firewalls must employ a strong authentication process to verify a user's identity (logon and associated password) before access to Worcester State's internal network is granted. Strong authentication mechanisms include one-time passwords, token cards, or cryptographic methods of authentication. With management approval, a User ID and reusable password may be used only if transmitted over an encrypted session.
- All access to the Worcester State enterprise network must have an approved business purpose and an associated risk assessment. Remote users may not access Worcester State systems through unauthorized modems placed behind a Worcester State firewall.
- All Worcester State firewall servers must have inbound and outbound rules that specifically allow or deny connections. All access not explicitly allowed must be denied. Traffic to and from the enterprise network must pass through application-level proxies whenever possible. If no application proxy exists for a given protocol, the Data Security Officer determines whether the traffic will be allowed using packet filtering or stateful inspection.
- All Worcester State owned and operated firewall servers must be equipped with approved, dynamic intrusion detection and alerting mechanisms. Intrusion thresholds must be set so that automated alarms and/or preventative actions are initiated. All Worcester State firewall server configurations will be reviewed quarterly. Firewall rules to prevent source routing and address spoofing attacks must be included in the configuration. All changes to the firewall require a risk assessment and must be approved prior to implementation.
- If a Worcester State firewall requires an operating system, a hardened version of that operating system with all patches installed must be part of the firewall. Patches must be installed no later than forty-eight (48) hours after they become available from the vendor. (There should be an identified need for the patch in the Worcester State computing environment, and the patch should first be tested offline to ensure it will not cause instability or malfunction before being introduced into production systems.) Firewall passwords must follow the standard Worcester State policy for equipment of this type.
- All Worcester State firewall servers must contain mechanisms for logging traffic and suspicious activity, and mechanisms for log reduction so that logs remain readable and understandable.
- Firewall passwords must be recorded and securely maintained. Knowledge of firewall passwords and rules must be restricted to the minimum number of people necessary. Worcester State firewall server consoles must not display the last user to log in. All Worcester State firewall server sessions must be logged off when unattended.
- Network Address Translation (NAT) is used for all external IP addresses.
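The rules above (default deny with explicit allows, anti-spoofing, logging suitable for log reduction, a DMZ service segment, and NAT for external addresses) can be expressed in a single gateway ruleset. The following nftables configuration is an added illustration written for this page; it is not Worcester State's configuration and nothing in the policy specifies the product used. Every concrete value is an assumption: a Linux gateway running nftables 0.9 or later, interfaces eth0 (external), eth1 (internal) and eth2 (DMZ), RFC 1918 ranges for the internal network, the 192.0.2.0/24 documentation range for the DMZ, and a single web server at 192.0.2.10 as the published service.

```nft
#!/usr/sbin/nft -f
# Example gateway ruleset (assumed names and addresses, not a real deployment).
flush ruleset

define EXT_IF = "eth0"          # assumed external (Internet) interface
define INT_IF = "eth1"          # assumed internal enterprise interface
define DMZ_IF = "eth2"          # assumed service segment (DMZ) interface
define INTERNAL_NETS = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
define DMZ_NET = 192.0.2.0/24   # assumed DMZ range (RFC 5737 documentation space)
define DMZ_WEB = 192.0.2.10     # assumed published web server in the DMZ

table inet gateway {
    # Traffic addressed to the firewall itself: default deny.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Administration only from the internal network over SSH; logged for audit.
        iifname $INT_IF ip saddr $INTERNAL_NETS tcp dport 22 ct state new \
            log prefix "fw-admin " accept
        icmp type { echo-request, destination-unreachable, time-exceeded } \
            limit rate 10/second accept
        log prefix "fw-input-drop " counter drop
    }

    # Traffic passing through the firewall: default deny in both directions.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing. These must precede every accept rule.
        # Internal or loopback source addresses never legitimately arrive from outside.
        iifname $EXT_IF ip saddr $INTERNAL_NETS log prefix "fw-spoof " counter drop
        iifname $EXT_IF ip saddr 127.0.0.0/8 log prefix "fw-spoof " counter drop
        # Packets from the inside must carry an internal source address.
        iifname $INT_IF ip saddr != $INTERNAL_NETS log prefix "fw-spoof " counter drop
        iifname $DMZ_IF ip saddr != $DMZ_NET log prefix "fw-spoof " counter drop

        # Explicitly allowed flows only.
        # Internet -> DMZ web server (destination already rewritten by the dstnat chain).
        iifname $EXT_IF oifname $DMZ_IF ip daddr $DMZ_WEB \
            tcp dport { 80, 443 } ct state new accept
        # Internal -> Internet: web and DNS only.
        iifname $INT_IF oifname $EXT_IF tcp dport { 80, 443 } ct state new accept
        iifname $INT_IF oifname $EXT_IF udp dport 53 accept
        # Nothing else crosses, and the DMZ can never initiate connections inward.
        log prefix "fw-forward-drop " counter drop
    }

    # Traffic originated by the firewall itself (e.g. fetching patches): default deny.
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oifname "lo" accept
        oifname $EXT_IF tcp dport 443 ct state new accept
        oifname $EXT_IF udp dport { 53, 123 } accept
        log prefix "fw-output-drop " counter drop
    }
}

# NAT: internal hosts leave with the external address; the published service is mapped in.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname $EXT_IF tcp dport { 80, 443 } dnat to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $EXT_IF ip saddr $INTERNAL_NETS masquerade
    }
}
```

Validate the file with `nft -c -f <file>` before loading it with `nft -f <file>`, so a syntax error cannot leave the gateway without rules. The ruleset does not itself address source routing; on Linux that is a kernel setting, so the sysctl values `net.ipv4.conf.all.accept_source_route = 0`, `net.ipv4.conf.all.rp_filter = 1` (reverse-path filtering, which complements the explicit anti-spoof rules) and `net.ipv4.conf.all.log_martians = 1` belong in the same change, together with `net.ipv4.ip_forward = 1` for forwarding to work at all. Each `log prefix` string tags the kernel log line it produces, which is what makes log reduction practical: dropped, spoofed and administrative events can be counted and summarised by prefix rather than read line by line.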
This policy originated in the State Audit (SOA) process in 2008.