Firewall Rule Change Policies
- We require a 24-hour lead time for all firewall rule change requests.
- All firewall rule changes will be made before 7 pm each Friday evening or as scheduled with Change Management.
- All firewall rule change requests will be evaluated to ensure that they conform to current security best practices and current security policy.
- Emergency firewall rule change requests must be approved by the Information Security Manager/Lead Software Engineer.
- Firewall exceptions are subject to removal after 90 days of inactivity to keep the firewall rule base clean and prevent accidental network exposure.
Rule Change Request Procedure
To complete the request form, you will need the following:
- Source address(es), including IPs and domain names (where applicable)
- Destination address(es), including IPs and domain names (where applicable)
- Name of application or system requiring firewall exception
- Destination ports/applications/services that need to be accessible
- Port(s) requested to be open
- Date when the change should be made
- Description of any sensitive data to be stored/processed on this system
- Point of contact
- If security issues are uncovered, it will be the system owner's responsibility to address those issues before the rule is approved for implementation.
- When planning firewall rules, it is important to take this additional delay into consideration. If your request exposes a system externally, you will not be able to request the rule the day before you need it to be open.
- Rule requests that open up ports between two internal systems in different cores will not require additional vetting. Those rules will be evaluated and applied according to our regular firewall change process.
Please Note: The following services will not be granted Internet-facing firewall exceptions by default in most circumstances. Anyone needing to access these services remotely must connect to the VPN (VPC-Proxy) first.
- File sharing protocols such as SMB, NFS, AFS
- Database services such as SQL, MongoDB