Departmental Firewall Service Definition
This document has been drawn up to describe the UCL Information Systems Managed Departmental Firewall Service. The document is a communication tool to help manage expectations, clarify responsibilities, and provide an objective basis for assessing service effectiveness.
2 Purpose of Service
The departmental firewall service provides College departments with a firewall service which protects traffic leaving or entering the departmental LAN, in accordance with a policy specified by the department’s IT or Networking representative. The firewall inspects traffic at the boundary between the departmental LAN and its connection point into the College’s backbone network, and forwards only that traffic which is permitted by the policy. Other traffic is dropped. The policy is encoded as a series of departmentally defined rules known as ACLs. In addition to this traffic control, the firewall can optionally log significant events (e.g. connection setup, packets denied by the firewall, URL logging, etc.). The firewall should be viewed as one component in a department’s overall network and IT security architecture.
3 Eligibility for Service
Departments that are connected to the College’s high-speed Gigabit Ethernet backbone network are eligible to receive the departmental firewall service. In practice this means the majority of those departments that are located within the main College rectangle and its immediate environs. In the case of departments located beyond this area, guidance as to eligibility should be sought in the first instance as described in section (12). Where a department is not eligible for the service (e.g. on account of location or inappropriate connectivity to the campus network), other firewalling arrangements may be possible but any such arrangement is beyond the scope of this document.
4 Detailed Service Description
The College has provided an Institutional Firewall (IFW) service since autumn 2004. College policy dictates that all departments will be connected via the IFW unless exempted by agreement with the UCL Information Security Group (ISG). For example, a departmental research network might be exempted where a custom security solution is agreed. For connected departments, this service protects traffic between the campus network and any external organisation.
The IFW however should be seen as an outer firewall tier only, since it cannot protect traffic between any two departments within the campus network. Experience shows that other College departments have to be treated as “hostile” in that they may be the source of virus infection, denial-of-service attacks, and other malicious infestation. This in turn emphasises the need for an inner firewall tier as part of a “defence-in-depth” approach to IT security. The departmental firewall service provides this second tier, on a per-departmental basis.
Departmental firewall services are based on a common technology. This uses the Cisco Systems Firewall Services Module (FWSM) which is available on the Catalyst 6500 switch platform. Each departmental firewall is configured and managed as a distinct “virtual” entity called a VFW (Virtual FireWall). Each VFW is independent of other VFWs on the same or other Catalyst 6500 switches. This means that each such firewall is its own management domain and may be configured with its own policy, ACLs, logging levels, management rights etc.
Where departments have a single LAN and associated IP address range, the firewall is configured with two interfaces. These are conventionally known as “inside” and “outside” interfaces. The inside interface is also known as the “secure” or “protected” interface, and corresponds to the LAN. The outside interface is also known as the “insecure” or “unprotected” interface and corresponds to the uplink between the firewall and the campus network.
Where departments have multiple LANs and associated address ranges on the same 6500 switch, the firewall will be configured with multiple inside interfaces and an outside interface. By default the inside interfaces will be configured at the same security level, and traffic will be allowed to flow without restriction between them.
Firewall policy is expressed in terms of the ACLs configured on each interface. By default the departmental firewall will inherit the rules configured for the LAN(s) on the IFW. This is mandatory because otherwise legitimate external access to departmental LAN services will cease to work. Other than this, the default policy is that all outbound connections are permitted and all inbound connections are denied.
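As an added illustration (not the service’s own configuration), the fragment below sketches how a two-interface VFW context on an FWSM expresses the default policy described above: the departmental LAN as the inside interface at security level 100, the campus uplink as the outside interface at level 0, all outbound connections permitted, inbound connections denied except for a rule inherited from the IFW, and denied packets logged. The context name, VLAN numbers, addresses and the inherited web-server rule are constructed placeholders.

```cisco
! --- system context: create the department's virtual firewall (VFW) ---
! (constructed example; context name, VLANs and config path are placeholders)
context DEPT-X
 allocate-interface Vlan200
 allocate-interface Vlan201
 config-url disk:/DEPT-X.cfg
!
! --- inside the DEPT-X context ---
hostname DEPT-X
! campus uplink: the "outside" / unprotected interface
interface Vlan200
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
! departmental LAN: the "inside" / protected interface
interface Vlan201
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
! For departments with several LANs, further inside interfaces at the same
! security level pass traffic between each other without restriction via:
same-security-traffic permit inter-interface
!
! Outbound: all connections from the LAN are permitted (the FWSM needs an
! explicit ACL even from a higher to a lower security level). Any ports
! blocked outbound by CST would be denied here, ahead of the permit.
access-list INSIDE_OUT extended permit ip 10.10.0.0 255.255.255.0 any
!
! Inbound: only rules inherited from the IFW, e.g. a departmental web server
! reachable from outside; everything else is denied and logged.
access-list OUTSIDE_IN extended permit tcp any host 10.10.0.20 eq www
access-list OUTSIDE_IN extended deny ip any any log
!
access-group INSIDE_OUT in interface inside
access-group OUTSIDE_IN in interface outside
!
! Event logging (connection setup, denied packets) to a departmental syslog host
logging enable
logging trap informational
logging host inside 10.10.0.50
```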
The default rules can be modified by agreement with the IS Network Group at the time of service adoption, by modification of the web-based rules list for the department, or by emailing a change request to firstname.lastname@example.org.
The departmental firewall is managed by the IS Network Group. Nominated departmental representatives can be permitted read-only access to the firewall so as to be able to monitor connections through the firewall, check firewall rules, examine real-time logs, etc. This access is enabled through personalised firewall accounts and trusted client workstation addresses. The latter must be provided before access can be granted.
Departments which subscribe to this service must nominate one or more departmental contacts who will be added to the email@example.com mailing list.
5 Service Availability and Quality Expectations
The service is generally available for 24 hours a day, 7 days a week. ‘At Risk’ periods are announced in advance to the departmental firewall contacts list (firstname.lastname@example.org) in order to enable system software upgrades, and may limit service provision on Tuesday and Thursday mornings, between 08.00 and 09.00. Occasionally weekend service shutdowns are arranged which affect all UCL services; these weekend shutdowns are agreed with senior College management and advance notice is given. Every effort is made to minimise the number of weekend shutdowns. Network Operations cover is from 8am to 7pm - Monday to Friday. All IS systems run unattended overnight and at weekends. If they fail, service may not be restored until the next working day.
Advice and support related to this service is provided through a specific support channel. First line support is available via the email list email@example.com, and responses to queries or comments posted on the list will be returned within 24 hours or the next working day when a weekend, bank holiday, or period of College closure intervenes. Queries or comments should be limited to the provision, operation or performance of this service, and should be submitted by a nominated contact only.
Where problems cannot be resolved through this channel, a member of the support team will approach the departmental contact in person with a view to seeking a speedy resolution of the problem.
General queries relating to ISD services should be directed to the ISD Service Desk on 020-7679 5000 (x25000 within UCL), or emailed to firstname.lastname@example.org. Further information about the IS HelpDesk may be found at http://www.ucl.ac.uk/isd/common/servicedesk/.
7 Exclusions, Exceptions and Limitations
Exclusions and limitations in respect of the use of the departmental firewall service are detailed in sections (5) and (7). The principal exclusion relates to those departments which are ineligible to use the service because of a topological relationship with the campus network which does not permit a direct network connection at a backbone switch.
UCL IS will not be held responsible for any damage or liabilities that arise from use of this service.
8 Service Change Requests
Change requests for modifications to ACL rulesets are covered in section (5). Changes to the service are dealt with by a departmental service change request procedure internal to UCL. Subscribers are welcome to make requests for service changes on the understanding that such changes may be deemed inappropriate, difficult to implement, or unrealisable owing to lack of development resource or conflicting priorities within IS.
UCL IS reserves the right to change the service without prior notice or consultation. Service changes may entail the addition of components in order to enhance the service; or the removal of components whose continued use is believed to pose an unacceptable risk to the security, integrity or performance of the service, the underlying network or other supported services.
The service is not charged for.
10 Service Conditions
Use of UCL IS services is subject to UCL Computing Regulations, as described in http://www.ucl.ac.uk/cert/swg/policy/Regulations.html.
Use of the JANET network must be in accordance with the JANET Acceptable Use policy, a copy of which is available at http://www.ja.net/company/policies/aup.html.
UCL IS reserves the right to monitor traffic either on an occasional basis, or in response to specific incidents. This is in order to guarantee the integrity of the network service and user compliance with this service definition and/or associated computing regulations listed in this section. In any case of misuse, UCL reserves the right to suspend the subscriber’s use of the departmental firewall service.
11 Contact Details
The first point of contact for further information on this service is the UCL IS Network Group HelpLine. Contact details for the HelpLine are as listed in section (7).
Note 1: Subsequently referred to as the “departmental firewall service” for brevity.
Note 2: Local Area Network. In practice, departments may have multiple LANs corresponding to multiple IP address ranges. Arrangements for firewalling multiple LANs are discussed in section (5).
Note 3: Access Control Lists. ACLs are applied to each firewall interface and may be used to control traffic at several levels, e.g. on the basis of source/destination IP addresses, IP protocol type, TCP/UDP port numbers or ranges, ICMP types, etc.
Note 4: In practice not all outbound connections can be permitted. A number of specific ports are blocked outbound by CST diktat, because they are associated with known malicious activity on a wide scale. A list of blocked ports can be obtained by emailing email@example.com.
Note 5: This is for future development. It is anticipated that nominated representatives will be able to submit requests for firewall rule changes via a web page which will hold details of a department’s ACLs in an easy-to-read format.