Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 56 – Firewall Configuration Policy

49130.4  Policy Directives

  • The department shall use a multi-layered approach to protect computer resources and assets. Network security design shall include firewall functionality at all places in the network where opportunities exist for outside exploitation. This may include placing a firewall in areas other than the network perimeter to provide an additional layer of security and protect devices that are placed directly onto external networks (i.e. the demilitarized zone or DMZ) or between different trusted and untrusted segments of the network. 

  • Firewall Configuration
    The department shall:

    • Implement configurations that restrict all inbound and outbound traffic associated with untrusted wired/wireless networks and hosts.

    • Deny all traffic by default and only allow inbound and outbound traffic through approved exceptions.

    • Disable unnecessary user accounts and default accounts (e.g. Administrator, Guest, etc.).

    • Disable all unused and unnecessary ports, protocols, and services before deployment into a production environment.

    • Implement a Demilitarized Zone (DMZ) that limits inbound traffic to the internal trusted network and permits authorized publicly accessible services, protocols, and ports.

    • Log all changes to firewall configuration parameters, enabled services, and permitted connectivity paths for a period of one (1) year. The department data retention procedures shall be followed.

    • Physically secure firewalls in a location accessible only to authorized personnel. The placement of firewalls in an open area within a general-purpose data center is prohibited.