Loyola University Chicago

- Navigation -

Loyola University Chicago

Information Technology Services

Network Firewall Standard


These standards cover the configuration of LoyolaUniversity’s network firewalls.


To establish a uniform set of standards for implementing and maintaining established network firewall policies. Including, but not limited to, defining network security zones within the University’s network and the type and nature of traffic which will be allowed or denied access to those zones.  Also, to maintain the stability of the network and increase the security for identified resources.


Ownership and Responsibility

All equipment and applications within this scope will be administered by Network Services. 

Network Security Zones

A set of clearly defined network zones, with different levels of security requirements, built to provide the proper secure levels of networking access to the University community.

A semi-restrictive network, or group of networks, whose purpose is to publish content for public and/or Internet consumption.  This zone contains a mix of ITS and Academic resources. 

A semi-restrictive network, or group of networks, which contain the majority of Loyola’s network traffic whose purpose is to provide internal and external connectivity to network and system resources as well as the Internet.

A restricted network that contains ITS network devices, such as network firewalls, routers, switches and managing servers, used in providing and controlling access to Loyola’s network. 

A restricted access network, or group of networks, whose purpose is to publish high security content for public and/or Internet consumption.  This zone will contain ITS resources that serve as an interface for the protected, mission critical systems. Only traffic that has previously been justified will be allowed to enter and leave this security zone.    

A highly restricted network, or group of networks, whose purpose is to protect Loyola mission critical resources.  This security zone will store, transmit or process Loyola Protected and Sensitive data (see Data Classification Policy).  Only traffic that has previously been justified will be allowed to enter and leave this security zone.   

Firewall Ruleset

Each network security zone shall have a different set of access restrictions applied to them, ranging from least restrictive to most restrictive.  The ruleset for each network security zone is located in the ITS Network Firewall Supporting Documentation document.

All ports opened within either of the High Security DMZ, High Security Internal and the Management Network zone must have accompanying justification, documented within ITS Network Firewall Supporting Documentation, as well as an approved change management ticket.

Administrative Access

All administrative access to Loyola network firewalls will be governed by the following rules:

“UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action in accordance with the appropriate handbook, and may be reported to law enforcement. There is no right to privacy on this device."


All network firewalls will be configured to use the syslog protocol for system log transport, and abide by the audit and logging strategy based on the ITS Log Management Standard.


No private address, as defined in RFC 1918, shall ever be routed to the Internet.  Port Address Translation (PAT) or Network Address Translation (NAT) will be used to shield all internal address from being reveled externally.

Firewall Rule Set / Open Port Validation

In order to verify that there are no undocumented openings to the Internet, a quarterly review of the firewall rule set will be performed by a joint team consisting of one member from the University Information Security Office and Network Infrastructure Services. This review will follow the PCI-DSS Firewall Rule Review Procedure.

Baseline Security Configuration

All vendor-supplied defaults must be changed. All unnecessary default accounts must be removed or disabled before installing a firewall on the network.  This applies to ALL default passwords, including but not limited to those used by the operating system, software that provides security services, application and system accounts, Simple Network Management Protocol (SNMP) community strings, etc.


Exceptions to this policy will be handled in accordance with the ITS Security Policy.


This policy will be maintained in accordance with the ITS Security Policy.


Documents Referenced:

ITS Log Management Standard

ITS Network Firewall Supporting Documentation

Data Classification Policy

PCI-DSS Firewall Rule Review Procedure


NIST:  Guidelines on Firewalls and Firewall Policy.  Special Publication 800-41.

RFC 1918


August 25, 2008: Initial Policy

October 29, 2012: Added ruleset review information

June 23, 2015: Annual review for PCI Compliance


Information Technology Services
1032 W. Sheridan Ave. · Chicago, IL 60660 · 773.508-4ITS


Notice of Non-discriminatory Policy