11.2.5 Firewall Access Policy

1.0 Overview

All computer systems connecting to Middle Georgia State University networks are subject to access rules imposed by the firewall. These access controls are established to protect Middle Georgia State University networks from the numerous threats emanating from the Internet while allowing network activities necessary in performance of the University mission. 

2.0 Purpose

To establish guidelines for firewall configuration and access requests. 

3.0 Scope

All computer systems connecting to the Middle Georgia State University computer network. 

4.0 Policy

  1. All inbound network traffic to MGA internal systems must be filtered and controlled through an approved, centrally managed firewall. Direct, unauthorized inbound connections to internal networks are strictly prohibited.
  2. The default inbound firewall policy shall be ‘deny all.’ Any exceptions must be explicitly authorized, documented, and implemented in accordance with institutional standards and the principle of least privilege to support the University’s mission.
  3. Shared file systems between internal and external systems are prohibited. These configurations create a persistent trust relationship between internal and external environments, bypassing firewall segmentation and increasing the risk of data exfiltration or malware propagation.
  4. Any system requiring unrestricted public Internet access must reside in the designated Demilitarized Zone (DMZ). The DMZ is the only network segment where firewall rules may permit a source address of ‘any.’ All other network segments must enforce restrictive access controls based on the principle of least privilege.
  5. Remote access to the MGA network shall be provided only through the institution’s approved Virtual Private Network (VPN) solution. VPN access is restricted to authorized faculty, staff, and designated contractors who require such access for official business purposes. All VPN connections must use multi-factor authentication and encryption in accordance with institutional and USG security standards.
  6. A baseline firewall configuration shall be established, documented, and maintained to reflect approved security settings. All configuration changes, including rule additions or modifications, must be documented and authorized by the CISO or designated security team prior to implementation. Emergency changes shall follow incident response procedures and be logged for post-event review. 

5.0 Enforcement

Firewall and router rules shall enforce this policy. In the event of an emergency or security incident, only the CISO or designated security team may implement configuration or procedural changes to protect the MGA network. All exceptions or waivers must be approved by the CIO and include documented business justification and a risk assessment. 

6.0 Definitions

Firewall - A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules.

Access Rule - A configuration entry on the firewall that permits or denies traffic between specified source and destination IP addresses, ports, and protocols.

DMZ (Demilitarized Zone) - A network segment that hosts public-facing services (e.g., web servers, email gateways) and is isolated from the internal network to reduce exposure to external threats.

VPN (Virtual Private Network) - A secure, encrypted connection that allows authorized users to access internal network resources remotely.