CSP - IT Rep - Firewall Management


Firewall Management


7. DNS Firewall Management

Are all of the servers under my control, whether on-premises or in the public or private cloud (AWS, Azure, etc.), protected by a DNS firewall? (Note that a DNS firewall serves a separate function from a network firewall.)

For Educloud and standalone physical servers this is achieved by using the UBC DNS service. Virtual servers provisioned by UBC IT will use this service by default, unless reconfigured.

Infrastructure-as-a-service (AWS, Azure, etc.) servers require different approaches to put a DNS firewall in place.


Why is this Essential?

A DNS firewall is a preventive control that stops connections to malicious Internet locations before they occur: it refuses to resolve domains that are known or discovered Indicators of Compromise (IoCs), preventing access to malicious domains across UBC's systems.


Reference Links
Automatic Blocking of Malicious Websites
UBC DNS and Network Settings
myDNS System Overview
Cisco Umbrella

Instructions

A DNS firewall serves a separate function from that of a network firewall: a network firewall filters packets by address, port and protocol, whereas a DNS firewall is a network security solution that prevents users and systems from connecting to known malicious Internet locations by refusing to resolve their names. A DNS firewall works by using available threat intelligence to block known bad locations. Examples of DNS firewalls include Cisco Umbrella, CIRA DNS Firewall, Cloudflare DNS Firewall, Route 53 Resolver DNS Firewall by AWS, and the enhanced DNS features in Azure Firewall.
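The following is an added example, not UBC's code or any vendor's: it shows the per-query decision a DNS firewall makes against a threat-intelligence domain list (blocking a name when it or any parent domain is listed, with a local allowlist taking precedence), and a host-side check that a server's configured resolvers are the protected ones, which is how a practitioner would confirm a server is actually covered. The blocklist, allowlist, resolver addresses and resolv.conf text are constructed placeholders, not UBC's real feeds or DNS servers.

```python
"""Added example (not UBC's code): the per-query decision a DNS firewall
makes against a threat-intelligence domain list, plus a host-side check
that a server's resolvers are the protected ones. The blocklist, allowlist,
resolver addresses and resolv.conf text below are constructed placeholders,
not UBC's real feeds or servers."""
from ipaddress import ip_address

# Constructed stand-in for a vendor or RPZ threat-intelligence feed.
BLOCKLIST = {"bad-cdn.example", "phish.example.net", "c2.example.org"}
# A local allowlist overrides the feed so an over-broad entry cannot
# take down a legitimate name underneath a blocked parent domain.
ALLOWLIST = {"cdn.bad-cdn.example"}
# Assumed addresses of the protected (firewalling) resolvers; placeholders.
PROTECTED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}


def _suffixes(qname):
    """Yield the name and each parent domain, most specific first:
    a.b.c -> a.b.c, b.c, c (case and trailing dot normalised)."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def dns_firewall_decision(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Return ("block"|"allow", matched_entry).

    A query is blocked when the name or any parent domain is in the
    blocklist, unless the name or a closer parent is allowlisted.
    Walking from most specific to least specific makes the closest match win."""
    for candidate in _suffixes(qname):
        if candidate in allowlist:
            return "allow", candidate
        if candidate in blocklist:
            return "block", candidate
    return "allow", None


def resolver_check(resolv_conf_text, protected=PROTECTED_RESOLVERS):
    """Parse resolv.conf-style text and report nameservers that bypass the
    protected resolvers. Returns (compliant, unprotected_nameservers).
    A host with no nameserver lines is reported as non-compliant."""
    nameservers = []
    for line in resolv_conf_text.splitlines():
        for comment_char in ("#", ";"):  # both are valid resolv.conf comment markers
            line = line.split(comment_char, 1)[0]
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                nameservers.append(str(ip_address(parts[1])))  # canonical form
            except ValueError:
                nameservers.append(parts[1])  # keep junk so it shows in the report
    unprotected = [ns for ns in nameservers if ns not in protected]
    return (bool(nameservers) and not unprotected), unprotected


# Constructed sample: one protected resolver plus a public one that bypasses it.
SAMPLE_RESOLV_CONF = """# constructed sample, not a real host
nameserver 192.0.2.53
nameserver 8.8.8.8   ; public resolver: queries skip the DNS firewall
search example.edu
"""

if __name__ == "__main__":
    for name in ("evil.bad-cdn.example", "cdn.bad-cdn.example", "www.example.com"):
        print(name, dns_firewall_decision(name))
    print(resolver_check(SAMPLE_RESOLV_CONF))
```

The suffix walk is what makes a single feed entry such as bad-cdn.example cover every subdomain beneath it; the resolver check matters because a host pointed at a public resolver resolves names without ever consulting the firewalling resolvers, so the DNS firewall never sees its queries.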


What is Acceptable?

Servers on-premises and in the cloud (Infrastructure as a Service) must be protected by a DNS firewall. It is recommended that on-premises servers use the UBC Domain Name Servers, which make use of DNS firewall protection.

UBC-owned Devices that access, process or store Medium, High or Very High Risk Information must be protected by a DNS firewall. It is recommended that on-premises Devices use the UBC Domain Name Servers, which make use of DNS firewall protection. For all other Devices, a DNS firewall is recommended.

At least 85% of servers and UBC-owned Devices are using a DNS firewall, as informed by a system inventory, or there is confidence that they are protected by a DNS firewall based on the systems configuration checklists used for new systems and a historic inventory.



8. Network Firewall Architecture

Are all servers under my control protected by a network firewall (e.g., a Cisco ASA virtual-context firewall)?


Why is this Essential?

Properly configured firewalls provide an additional layer of defense that works with anti-virus and regular patching, in the overall protection of UBC Systems and UBC Electronic Information.

Firewalls also provide an effective compensating control for many types of vulnerabilities for which patches are not yet available (zero-day vulnerabilities). UBC Systems storing Medium, High or Very High Risk Information must be protected by a firewall.


Reference Links
Firewalls
Firewalls Guideline
UBC IT Virtual Firewall Service

Instructions

If a network-based firewall is required for a department or faculty, UBC IT provides a Virtual Firewall Service; see the UBC IT Virtual Firewall Service link under Reference Links.

Further, a Firewalls Guideline focusing on host-based firewalls has been issued by the Chief Information Officer to supplement the Securing Computing and Mobile Storage Devices/Media standard; see the Firewalls Guideline link under Reference Links.

If your firewalls are entirely managed by UBC IT, you can refer to your service level commitment for response.


What is Acceptable?

You have a list of, or are otherwise aware of, all firewalls configured in each department, both on premises and in the cloud (public and private), that protect your servers or other networked assets.



9. Network Firewall Rules

Are the rules associated with all network firewalls under my control reviewed annually and configured as follows?

  • a “Deny by Default” policy must be implemented on all firewalls;
  • services that are not explicitly permitted must be denied;
  • firewalls must use ingress filtering at a minimum, and must also use egress filtering if they protect High or Very High Risk Information;
  • ACLs must restrict traffic to the minimum necessary to conduct University Business;
  • if a firewall becomes a single point of failure, it must fail in a closed state and not allow passage of data traffic through it;
  • firewalls must be capable of “stateful packet inspection”, and this capability must be permanently turned on.

Why is this Essential?

Firewalls are only as effective as their Access Control List (ACL) rule set, which determines which traffic is blocked or passed. By configuring firewalls as highlighted in the UBC Vulnerability Management Standard (M5) and reviewing existing rules periodically (at least annually), the firewall minimizes the risk of unauthorized access to the network and reduces the attack surface.


Reference Links
Firewall Configuration
Vulnerability Management

Instructions

N/A


What is Acceptable?

There is an annual review process, covering all firewalls, to confirm that the rules are configured appropriately and that obsolete rules are purged/deleted.
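The following is an added example, not UBC's code or any firewall vendor's: an automated pass over one firewall's rule set that checks the configuration requirements listed in the question above (deny by default, ingress and egress filtering, ACLs limited to the minimum necessary, stateful inspection) and flags shadowed rules, which is the kind of obsolete rule an annual review should purge. A rule is shadowed when an earlier rule matches every packet it would match, so under first-match evaluation it can never be reached. The rule format and both sample firewalls are constructed for this example, not a real export format. The fail-closed requirement is a platform/high-availability setting rather than a property of the rules, so it is not checked here.

```python
"""Added example (not UBC's or any vendor's code): an automated review of
one firewall's rule set against the checklist requirements, plus detection
of shadowed (obsolete) rules. The rule format and the two sample firewalls
are constructed for this example. Fail-closed behaviour is a platform/HA
setting, not a rule property, so it is not checked here."""
from ipaddress import ip_network

ANY = "0.0.0.0/0"


def rule(direction, action, src, dst, proto="any", ports=(1, 65535)):
    """Build one ACL entry. direction: 'ingress'|'egress'; action:
    'permit'|'deny'; src/dst: CIDR strings; ports: inclusive (low, high)."""
    return {"dir": direction, "action": action, "src": ip_network(src),
            "dst": ip_network(dst), "proto": proto, "ports": ports}


def _covers(a, b):
    """True when rule a matches every packet rule b would match, so b can
    never be reached if a is evaluated first (b is shadowed)."""
    return (a["dir"] == b["dir"]
            and a["src"].version == b["src"].version
            and a["dst"].version == b["dst"].version
            and b["src"].subnet_of(a["src"])
            and b["dst"].subnet_of(a["dst"])
            and a["proto"] in ("any", b["proto"])
            and a["ports"][0] <= b["ports"][0]
            and a["ports"][1] >= b["ports"][1])


def review_ruleset(fw):
    """Return a list of (severity, message) findings for one firewall record:
    {"default_policy": "deny"|"permit", "stateful": bool,
     "risk": information risk level, "rules": [rule(...), ...]}.
    An empty list means the rule set passes every check."""
    findings = []
    if fw["default_policy"] != "deny":
        findings.append(("high", "default policy is not deny"))
    if not fw["stateful"]:
        findings.append(("high", "stateful packet inspection is not enabled"))
    directions = {r["dir"] for r in fw["rules"]}
    if "ingress" not in directions:
        findings.append(("high", "no ingress filtering rules"))
    if fw["risk"] in ("High", "Very High") and "egress" not in directions:
        findings.append(("high", "egress filtering required for High/Very High Risk Information"))
    for i, r in enumerate(fw["rules"]):
        if (r["action"] == "permit" and r["proto"] == "any"
                and r["src"].prefixlen == 0 and r["dst"].prefixlen == 0):
            findings.append(("high", f"rule {i}: permits any to any, not the minimum necessary"))
        for j in range(i):  # first-match semantics: only earlier rules can shadow
            if _covers(fw["rules"][j], r):
                findings.append(("low", f"rule {i} is shadowed by rule {j} and is obsolete"))
                break
    return findings


# Constructed sample: a well-configured web segment with one stale rule.
SAMPLE_FIREWALL = {
    "default_policy": "deny", "stateful": True, "risk": "High",
    "rules": [
        rule("ingress", "permit", ANY, "203.0.113.0/24", "tcp", (443, 443)),
        rule("ingress", "permit", "198.51.100.0/24", "203.0.113.10/32", "tcp", (22, 22)),
        # Left over from before the /24 above was added: never matched.
        rule("ingress", "permit", "198.51.100.7/32", "203.0.113.10/32", "tcp", (22, 22)),
        rule("egress", "permit", "203.0.113.0/24", "192.0.2.53/32", "udp", (53, 53)),
    ],
}

# Constructed sample: a legacy firewall that fails most of the checks.
WEAK_FIREWALL = {
    "default_policy": "permit", "stateful": False, "risk": "High",
    "rules": [rule("ingress", "permit", ANY, ANY)],
}

if __name__ == "__main__":
    for label, fw in (("sample", SAMPLE_FIREWALL), ("weak", WEAK_FIREWALL)):
        print(label, review_ruleset(fw) or "no findings")
```

Running the review over an exported rule set before the annual review meeting turns "confirm the rules are configured appropriately" into a repeatable check with a concrete list of rules to delete; the shadowing test is deliberately conservative (it only compares against earlier rules under first-match evaluation), so a rule it reports as shadowed really is unreachable.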