A firewall can be software or hardware. In some cases it is a software package installed on a computer; in others it is a hardware device installed on the network to limit network access to a single computer or a group of computers. In either form, a firewall is installed to improve the security of the computers behind it.
Firewalls on campus are split into three different categories:
- Those protecting individual hosts
- Those protecting groups of computers providing a single service
- Firewalls protecting the campus as a whole
Note: Departmental firewalls are not offered or permitted: deploying a department-wide firewall without reducing the availability of the network as a whole is prohibitively expensive.
For more information, see Requirements for Managed (Hardware) Firewalls.
Firewall Principles
- Firewalls are most effective when placed close to the host they protect.
- Firewalls are one part of the security of a system. They help protect systems but are of little use unless other security measures are also in place.
- Firewalls should interfere as little as possible with the network.
Firewall Types
- Firewalls protecting individual hosts: Each host on the University's network should be protected by a host firewall of some kind. Both Windows and macOS include one.
- Firewalls protecting groups of computers: A group of computers offering a single service can, where appropriate, be protected by a single firewall. A group firewall protects a service that meets all of the following criteria:
- Multiple machines in the group together provide a single service to its users.
- That single service is easily protected by a firewall.
- Because of the nature of the communications between the machines in the group, it is not possible to firewall each machine individually.
- There is a clear and compelling reason for the group of machines to be behind a firewall.
- Firewalls protecting the campus at large: Firewalls at the University's network gateway are installed to protect hosts that are otherwise unprotected. These firewalls block very little traffic and address only the most common threats.
If you have questions about the firewall strategy or want to request a consultation for local deployment of firewalls, please email the Firewall Team at firewalls@uchicago.edu.
Firewall Requirements
Firewalls must meet minimum requirements in order to be part of the University network. These rules govern all firewalls and devices that provide Network Address Translation (NAT) installed on the network. Firewalls that do not meet these minimum requirements must not be installed on the network and may be removed if discovered.
For the purposes of this document, a firewall is defined as any device which: a) sits between multiple devices and the University network, and b) filters traffic or translates network addresses. Firewalls which are installed in front of a single computer (that is, host firewalls) are exempt from this document.
- All firewalls must be registered with IT Security and be coordinated with the Firewall Team at firewalls@uchicago.edu.
- Firewalls may not be placed in front of networking equipment run by IT Services.
- The firewall must permit the connections from IT Services that are necessary to ensure the integrity of the data network and to allow vulnerability scans by IT Security.
- If a machine behind the firewall is in violation of the Acceptable Use Policy and would normally be removed from the network, the firewall will be removed from the network (isolating all machines behind it).
- The organization installing the firewall understands that many modern threats to security are specifically designed to bypass firewalls. Machines behind firewalls must be kept secure.
- The organization installing the firewall agrees to act as the first line of support for all networking issues involving machines behind the firewall. If IT Services is contacted by someone trying to connect through the firewall, that person may be directed to the firewall maintainers.
- If the firewall performs any form of address translation for more than one device, the maintainers must keep at least six months of logs sufficient to identify which device made each connection through the firewall. The maintainers must provide this information to IT Security upon request.
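As an added example of what the retention requirement above means in practice (editor-supplied code, not part of the policy and not a tool provided by IT Services or the Firewall Team): a small Python script that parses NAT connection records in the style of Linux `conntrack -E -e NEW -o timestamp` output (an assumed log source; the sample lines and every address in them are constructed, using documentation ranges), answers the question IT Security would ask, namely which internal device was behind a given public address and port talking to a given remote host at a given time, and flags records that have aged out of the retention window. The 183-day figure is this example's reading of "six months". The sample deliberately reuses a translated port for a second internal host a minute later, which is why the timestamp is part of every lookup.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on `conntrack -E -e NEW -o timestamp` on a
# Linux NAT gateway. Internal hosts are in 10.20.0.0/24, the NAT address is
# 203.0.113.10 and the remote hosts are in 198.51.100.0/24; all are
# documentation addresses chosen for this example, not real addresses.
# Translated source port 61000 is reused by a different internal host 60
# seconds later, so the later record shadows the earlier one for later times.
SAMPLE_LOG = """\
[1700000000.100000] [NEW] tcp 6 120 SYN_SENT src=10.20.0.5 dst=198.51.100.7 sport=51234 dport=443 [UNREPLIED] src=198.51.100.7 dst=203.0.113.10 sport=443 dport=61000
[1700000005.200000] [NEW] udp 17 30 src=10.20.0.9 dst=198.51.100.53 sport=40000 dport=53 [UNREPLIED] src=198.51.100.53 dst=203.0.113.10 sport=53 dport=61001
not a conntrack line, skipped by the parser
[1700000060.000000] [NEW] tcp 6 120 SYN_SENT src=10.20.0.7 dst=198.51.100.7 sport=51234 dport=443 [UNREPLIED] src=198.51.100.7 dst=203.0.113.10 sport=443 dport=61000
"""

SIX_MONTHS_SECONDS = 183 * 24 * 3600  # assumed reading of "six months"


@dataclass(frozen=True)
class NatRecord:
    """One NEW-connection event. orig_* is the pre-translation side (the
    internal host); public_* is the NAT address and port the remote side
    sees, taken from the reply direction's destination."""
    ts: float
    proto: str
    orig_src: str
    orig_sport: int
    remote_ip: str
    remote_port: int
    public_ip: str
    public_port: int


# The optional [A-Z_]+ group absorbs the TCP state word (e.g. SYN_SENT);
# UDP lines have no state word.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d+\.\d+)\]\s+\[NEW\]\s+(?P<proto>\w+)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?"
    r"src=(?P<osrc>\S+)\s+dst=(?P<odst>\S+)\s+sport=(?P<osport>\d+)\s+dport=(?P<odport>\d+)\s+"
    r"\[UNREPLIED\]\s+src=(?P<rsrc>\S+)\s+dst=(?P<rdst>\S+)\s+sport=(?P<rsport>\d+)\s+dport=(?P<rdport>\d+)"
)


def parse_log(text: str) -> List[NatRecord]:
    """Parse conntrack-style NEW events; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append(NatRecord(
            ts=float(m["ts"]),
            proto=m["proto"],
            orig_src=m["osrc"],
            orig_sport=int(m["osport"]),
            remote_ip=m["odst"],
            remote_port=int(m["odport"]),
            public_ip=m["rdst"],
            public_port=int(m["rdport"]),
        ))
    return records


def attribute(records: List[NatRecord], proto: str, public_ip: str, public_port: int,
              remote_ip: str, remote_port: int, at_ts: float) -> Optional[str]:
    """Return the internal address that owned the translation
    public_ip:public_port -> remote_ip:remote_port at time at_ts, or None.

    NAT ports are recycled, so several records can match the same external
    tuple; the one that started most recently at or before at_ts is the one
    that was in force."""
    candidates = [
        r for r in records
        if r.proto == proto
        and r.public_ip == public_ip and r.public_port == public_port
        and r.remote_ip == remote_ip and r.remote_port == remote_port
        and r.ts <= at_ts
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.ts).orig_src


def expired(record: NatRecord, now_ts: float) -> bool:
    """True once a record is older than the retention window and may be purged;
    anything newer must still be kept."""
    return now_ts - record.ts > SIX_MONTHS_SECONDS


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Same external tuple, two different answers depending on the time asked about.
    for t in (1700000030.0, 1700000061.0):
        who = attribute(recs, "tcp", "203.0.113.10", 61000, "198.51.100.7", 443, t)
        print(f"at {t}: 203.0.113.10:61000 -> 198.51.100.7:443 was {who}")
```

A request from IT Security will carry the public address, port, remote endpoint and a timestamp; without the timestamp the port-reuse case above is unanswerable, so whatever logging you deploy must record when each translation began, not only the address pairs.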