Host-based Firewall Software Guidelines

UC Berkeley security policy mandates that all devices connected to the UCB network comply with the Minimum Security Standard for Networked Devices. The recommendations below are provided as optional guidance to assist with achieving the Host-based Firewall Software requirement.

Requirement

For Microsoft Windows, Apple OSX, or Linux/Unix devices for which host-based firewall software is available, host-based firewall software must be running and configured to block all inbound traffic that is not explicitly required for the intended use of the device. Use of a network-based firewall does not obviate the need for host-based firewalls.

Background and description of risk

Insufficient restrictions on system access over the network increase exposure to attack from viruses, worms and spyware, and may also facilitate undesired access to resources. Lacking a rule that denies incoming traffic by default unnecessarily exposes a system to compromise.

Recommendations

Outbound traffic

Firewalls are often configured with rules only on inbound traffic, allowing all outbound traffic. Restricting outbound traffic provides an additional layer of security against misuse or data loss in the event of a compromised host, and should be used where appropriate.

Log firewall activity

A firewall will reduce the likelihood of compromise, but cannot prevent all attacks. Firewall logs, if enabled, can be used to identify successful attacks. In the event of a system compromise, these logs are used in forensic analysis to determine the extent of the compromise and nature of the attack.

Enable logs; retain at least 30 days of data; and collect at least source and destination IP addresses and ports, application, protocol, direction, date and time, and rule.

Log files should be read-only, with write access granted only to the firewall service account.
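As an added example (not part of the original guideline), the script below checks a firewall log against the field list above and summarises blocked inbound connections per source host, the kind of first-pass triage those logs support. It assumes the Windows Defender Firewall pfirewall.log layout, and the log lines are constructed samples using documentation addresses.

```python
# Added example (not from the original page): audit a Windows Defender Firewall
# log (pfirewall.log layout) against the guideline's field list and summarise
# dropped inbound connections per source host for triage.
from collections import Counter, defaultdict

# Guideline field -> pfirewall.log column (None: not carried by this format).
REQUIRED_FIELDS = {
    "source IP": "src-ip", "destination IP": "dst-ip",
    "source port": "src-port", "destination port": "dst-port",
    "protocol": "protocol", "direction": "path", "date": "date",
    "time": "time", "application": None, "rule": None,
}

# Constructed sample records (documentation addresses, not real hosts).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 09:14:02 DROP TCP 198.51.100.7 10.0.0.5 51234 3389 52 S 0 0 0 - - - RECEIVE
2024-05-01 09:14:03 DROP TCP 198.51.100.7 10.0.0.5 51235 445 52 S 0 0 0 - - - RECEIVE
2024-05-01 09:14:05 ALLOW TCP 10.0.0.5 10.0.0.20 49800 443 0 - 0 0 0 - - - SEND
2024-05-01 09:15:10 DROP UDP 203.0.113.9 10.0.0.5 53000 161 0 - - - - - - - RECEIVE
"""

def load_log(text):
    """Return (column names from the #Fields header, list of record dicts)."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return fields, records

def missing_required_fields(text):
    """Guideline fields this log cannot supply (must come from another source)."""
    fields, _ = load_log(text)
    return sorted(n for n, col in REQUIRED_FIELDS.items()
                  if col is None or col not in fields)

def dropped_inbound_by_source(text):
    """Map source IP -> (number of blocked inbound packets, sorted dst ports)."""
    counts, ports = Counter(), defaultdict(set)
    for rec in load_log(text)[1]:
        if rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            counts[rec["src-ip"]] += 1
            ports[rec["src-ip"]].add(int(rec["dst-port"]))
    return {ip: (n, sorted(ports[ip])) for ip, n in counts.items()}

if __name__ == "__main__":
    print("not captured by this log format:", missing_required_fields(SAMPLE_LOG))
    for ip, (n, p) in dropped_inbound_by_source(SAMPLE_LOG).items():
        print(f"{ip}: {n} blocked inbound, ports {p}")
```

Because the pfirewall.log format carries no application or rule column, those two guideline fields have to be collected from another source (for example the firewall's audit events) to meet the recommendation in full.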

Allow incoming traffic from the Information Security and Policy (ISP) security scanners

Configure your firewalls to allow network-based scanning by Information Security and Policy (ISP) vulnerability scanners. ISP scans hosts on the campus network to determine whether they are vulnerable to common network threats or whether a system appears to have been compromised.

Limit remote desktop access

If remote desktop access to the host is desired, limit remote desktop access to a finite number of IPs and/or subnets. If the device must be accessed from off-campus, use the campus VPN pool for remote connectivity.