Host-based Firewall Software Guidelines

All UC Berkeley IT Resources and all devices connected to the UC Berkeley network or cloud services must comply with the Minimum Security Standard for Networked Devices (MSSND). The recommendations below are provided as optional guidance to assist with achieving the Host-based Firewall Software requirement.

MSSND Host-based Firewall Software Requirement

Network attached systems must, wherever possible, utilize host-based firewalls or access control lists (ACLs). These controls must be enabled and configured to block all inbound traffic that is not explicitly required for the intended use of the device. Use of a network-based firewall does not obviate the need for host-based firewalls.

  • Microsoft Windows, macOS, or Linux/Unix devices are all equipped with firewalls though they may not have them enabled by default. 
  • Further, many printers and other network-attached devices have access controls that restrict connections to a limited number of hosts or networks, in compliance with this policy. Where available, these controls must be enabled.

Background and Description of Risk

Insufficient restrictions on system access over the network increase exposure to attack from viruses, worms, and other malicious activity. A lack of proper restrictions also allows undesired access to resources such as printers. To provide proper protection, a rule is needed that denies any inbound traffic not specifically necessary for the proper use of the device.

Recommendations

1. Limit Remote Access

If remote access to the host is desired (e.g., via Remote Desktop Protocol (RDP) or SSH), limit that access to a finite number of IP addresses and/or subnets. If the device must be accessed from off campus, allow remote connections only from the campus VPN.

2. Allow Incoming Traffic from Information Security Office Security Scanners

Configure your firewalls to allow network-based scanning by Information Security Office (ISO) vulnerability scanners. ISO will scan hosts on the campus network to determine if hosts are vulnerable to common network threats or if a system appears to have been compromised.

3. Additional Security

3.1 Restrict Outbound Traffic

Firewalls are often configured with rules on inbound traffic only, allowing all outbound traffic. Restricting outbound traffic provides an additional layer of protection against misuse or data loss if a host is compromised, and should be used where appropriate.

3.2 Log Firewall Activity

A firewall will reduce the likelihood of compromise, but cannot prevent all attacks. Firewall logs, if enabled, can be used to identify successful attacks. In the event of a system compromise, these logs are used in forensic analysis to determine the extent of the compromise, scope of the damage, and nature of the attack. 

When enabling logs:

  • retain at least 30 days of data;
  • collect at least source and destination IP addresses and ports, application, protocol, direction, date and time, and rule;
  • make log files read-only, with write access granted only to the firewall service account.
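As an added example (not part of the MSSND or ISO guidance), the following nftables ruleset for a Linux host implements recommendations 1, 2, 3.1 and 3.2 above, together with a small check to run before applying it. The campus VPN range, the ISO scanner range, and the set of permitted outbound services are placeholders and assumptions, not real campus values.

```shell
#!/bin/sh
# Host firewall ruleset (nftables) following the MSSND recommendations above.
# The two ranges are PLACEHOLDERS (RFC 5737 documentation networks), not the
# real campus VPN or ISO scanner addresses; replace them with the published values.
CAMPUS_VPN_NET="${CAMPUS_VPN_NET:-203.0.113.0/24}"    # placeholder
ISO_SCANNER_NET="${ISO_SCANNER_NET:-198.51.100.0/24}" # placeholder

# Print the ruleset. Apply with:  build_ruleset | sudo nft -f -
build_ruleset() {
    cat <<EOF
flush ruleset
table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr $ISO_SCANNER_NET accept comment "rec. 2: ISO vulnerability scanners"
        ip saddr $CAMPUS_VPN_NET tcp dport 22 accept comment "rec. 1: SSH only via campus VPN"
        log prefix "fw-input-drop: " flags all counter drop comment "rec. 3.2: log then drop"
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        udp dport 53 accept comment "rec. 3.1: outbound limited to DNS and web (assumed needs)"
        tcp dport { 53, 80, 443 } accept
        log prefix "fw-output-drop: " counter drop
    }
}
EOF
}

# Pre-apply sanity check: both chains must default to drop, the input drop must be
# logged (so blocked traffic is available for forensics), and no SSH accept rule
# may exist without a source-address restriction.
check_ruleset() {
    rs=$(build_ruleset)
    [ "$(printf '%s\n' "$rs" | grep -c 'policy drop;')" -eq 2 ] || return 1
    printf '%s\n' "$rs" | grep -q '^ *log prefix "fw-input-drop: ".* drop' || return 1
    [ "$(printf '%s\n' "$rs" | grep 'dport 22 accept' | grep -vc 'saddr')" -eq 0 ] || return 1
}
```

Because only IPv4 exceptions are listed, any IPv6 traffic falls through to the logged default drop; add explicit `ip6 saddr` rules for the same ranges if the host is reachable over IPv6.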

3.3 Review Firewall Settings Periodically