
Information Technology Services


Firewall Service


By securing your local area network (LAN) behind a firewall, you make it harder for would-be attackers to invade your network.


Why Use a Firewall?

Network-connected devices at Penn State are probed daily for vulnerabilities. By securing your local area network (LAN) behind a firewall, you make it harder for would-be attackers to invade your network. The Information Technology Services (ITS) Firewall Service provides cost-effective, practical, real-world protection and prevention for your LAN, securing the network against both external attacks and internal abuses.

Firewalls filter traffic according to a set of rules, hiding University workstations from would-be attackers and preventing internal users from misusing the University network.

Firewall configurations can be as simple as a layer of protection for workstations on a LAN or as advanced as a barrier that safeguards both workstations and production servers. Only your department can determine the appropriate level of protection needed.

ITS encourages departments with LANs that support production servers (sometimes called enterprise servers) and local workstations to consider the relocation of the production servers to a different backbone interface. This will allow differentiated filter restrictions to be assigned to the enterprise server(s).

What Does the ITS Firewall Service Offer?

  • Centralized LAN protection instead of relying on individual workstation or server protection
  • Control of access to/from specific IP addresses or ports
  • Rapid blocking of IP traffic for coordinated network or Internet attacks
  • Customizable rules governing inbound and outbound traffic
  • Continuous ITS maintenance for departmental LANs

The service is available for all ITS-maintained backbones, including those with customer-maintained LANs behind the firewall. The firewall is located on the uplink to the Integrated Backbone, between a customer's backbone router and the first switch in their LAN. The firewall device will typically be installed in the customer's telecommunications closet. The device allows desired communications between networked computers and servers on the LAN and the Internet, while simultaneously blocking undesired communications.

The ITS Firewall service offers options for large, medium and small networks with the following features:

  • Throughput: Variable data throughput, dependent on the backbone bandwidth, which can be either 100 Mb/s or 1000 Mb/s (Gigabit Ethernet). Throughput numbers reflect the total packets per second, inbound and outbound, that the hardware device can process. Please contact TNS via the Firewall Service Request Form or by phoning 865-1696, and a Network Service Engineer will call you to discuss your network requirements.
  • IP addresses supported: Unlimited number of IP addresses (large and medium), 100 IP addresses (small).
  • Software: Firewall-1 by CheckPoint Software.

What Are the Types of Service?

Both types of service, Basic and Custom Firewalls, define the rules for filtering inbound and outbound communications. Each service includes a preset list of rules developed from common or typical LAN use; this default rule set is supplied automatically. For departments with more complex filtering requirements, the Custom Firewall allows a department to write more tailored rule sets using the full capabilities of the firewall hardware and software.

Basic Firewall Service
With the Basic Firewall, a department can select from a predetermined set of rules for inbound and outbound filters.

Default Rule Set
    1. Allows all traffic originating from the internal network to reach external networks, except SNMP-read.
    2. Allows all traffic from the external network to the internal network only if it is associated with an established session that was initiated within the internal network.
    3. Denies all other traffic originating from all external networks destined for the internal network that is not associated with an established session initiated within the internal network.
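As an added illustration that is not part of the ITS service description or a Firewall-1 configuration, the three default rules above can be modelled as a first-match stateful filter with a session table; it also shows why a Condition Red filter (described later on this page) is installed at the top of the rule set. The 10.10.0.0/24 LAN, the packet fields, the reading of "SNMP-read" as UDP/161, and the blocked TCP port are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed assumptions: the protected LAN prefix, and UDP/161 as what "SNMP-read" refers to.
INTERNAL_NET = ip_network("10.10.0.0/24")
SNMP_PORT = 161

def is_outbound(pkt):
    return ip_address(pkt["src"]) in INTERNAL_NET and ip_address(pkt["dst"]) not in INTERNAL_NET

def is_inbound(pkt):
    return ip_address(pkt["dst"]) in INTERNAL_NET and ip_address(pkt["src"]) not in INTERNAL_NET

class StatefulFilter:
    """First-match evaluation of the default rule set; a packet is a dict with src, dst, proto, sport, dport."""
    def __init__(self):
        # Flows initiated from inside: (internal_ip, internal_port, external_ip, external_port, proto)
        self.sessions = set()
        self.rules = [self.rule1_outbound, self.rule2_established, self.rule3_deny_inbound]

    def rule1_outbound(self, pkt):
        # Default rule 1: internal -> external allowed, except SNMP-read; remember the flow.
        if is_outbound(pkt) and not (pkt["proto"] == "udp" and pkt["dport"] == SNMP_PORT):
            self.sessions.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"]))
            return "ACCEPT"
        return None

    def rule2_established(self, pkt):
        # Default rule 2: external -> internal only as the reply leg of an internally initiated flow.
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        return "ACCEPT" if is_inbound(pkt) and key in self.sessions else None

    def rule3_deny_inbound(self, pkt):
        # Default rule 3: all other external -> internal traffic is denied.
        return "DROP" if is_inbound(pkt) else None

    def install_at_top(self, rule):
        # Condition Red: a mandated filter goes at the top of the rule set, ahead of the defaults.
        self.rules.insert(0, rule)

    def decide(self, pkt):
        # Rules return "ACCEPT", "DROP", or None (no match); the first verdict wins.
        for rule in self.rules:
            verdict = rule(pkt)
            if verdict is not None:
                return verdict
        return "DROP"  # nothing matched (e.g. outbound SNMP-read): implicit deny

def block_tcp_port(port):
    # Constructed Condition Red filter: drop a TCP destination port in either direction.
    return lambda pkt: "DROP" if pkt["proto"] == "tcp" and pkt["dport"] == port else None
```

Note that outbound SNMP-read matches none of the three rules and is dropped only by the implicit default deny, which is why a practitioner reviewing the logs should expect those packets to appear as unmatched rather than under a named rule.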

Additional rules can be added, based on customer responses on the ITS Basic Firewall Service form. On the form, the customer may specify, by IP address, one internal device and an alternate device for external network access for each listed service protocol. These devices are typically servers, but could be services and functions run on a workstation (web server, mail server, etc.). Under special circumstances, rules that are dictated will be installed and the customer will be notified. Rules that are suggested or required by Security Operations and Services (or other units with the proper authority at the University) will be added to the mandatory rule set of the Basic Firewall service. Any deviation from the rules available under the Basic Firewall will require a transition to the Custom Firewall service.

Custom Firewall Service
The Custom Firewall Service, which includes the above default rule set, allows a department to develop a tailored set of inbound and outbound firewall rules, including the sequence of the rule determination.

How Do I Request the Firewall Service?

Contact the TNS Service Manager via the Firewall Service Request Form or by phoning 865-1696.

Basic Firewall Service

  • Complete the ITS Basic Firewall Service form and LAN Design Request form.
  • Review the ITS-developed rule set and suggest changes if necessary.
  • Provide final approval of rule set.
  • Provide ongoing rule set maintenance, which includes reviewing log files to determine if any changes are necessary for the rule set.

Note: For customers unable to manage their own firewall rules, ITS will also supply a list of vendors who may assist in developing a security policy and firewall rules. These vendors can be contracted to perform the functions that the customer cannot perform in-house.

Only the LAN Administrative, Technical or Security Contact is authorized to submit the initial rule set and to submit changes to the firewall rule set (access to the LAN Administrative, Technical or Security Contact list is restricted to authorized personnel).

Custom Firewall Service

    1. Complete the ITS Custom Firewall Service form and LAN Design Request form.
    2. Develop the inbound and outbound rule set, including the order of the evaluation of the rules.
    3. Submit the rule set to firewallmanager@psu.edu. Rule sets must be submitted by the LAN Administrative, Technical or Security Contact as PGP-encrypted email attachments (access to the LAN Administrative, Technical or Security Contact list is restricted to authorized personnel). The public key for the PGP encryption should be sent to firewallmanager@psu.edu. (Note: under certain conditions this information may be faxed to TNS, with a verification call back to confirm authenticity.)
    4. Provide ongoing rule set maintenance, which includes reviewing log files to determine if any changes are necessary for the rule set.

Note: For customers unable to manage their own firewall rules, ITS will also supply a list of vendors who may assist in developing a security policy and firewall rules. These vendors can be contracted to perform the functions that the customer cannot perform in-house.

Only the LAN Administrative, Technical or Security Contact is authorized to submit the initial rule set and to submit changes to the firewall rule set (access to the LAN Administrative, Technical or Security Contact list is restricted to authorized personnel).

Post-Implementation Rule Modification

Basic Firewall Service
To modify the rules checklist, the LAN Administrative, Technical or Security Contact should submit a revised checklist to firewallmanager@psu.edu (access to the LAN Administrative, Technical or Security Contact list is restricted to authorized personnel). ITS will return the revised filter rules to the Contact for review.

Exception: From time to time, ITS may suggest filters that are to be installed on all firewalls at the University. Basic Firewall customers will be contacted and informed that the new filter will be installed by ITS. If Basic Service customers do not want the filters automatically installed, the department will need to convert to the Custom Firewall service.

Custom Firewall Service
To modify the Custom Firewall rule set, the LAN Administrative, Technical or Security Contact should submit a new filter rule set to firewallmanager@psu.edu (access to the LAN Administrative, Technical or Security Contact list is restricted to authorized personnel). ITS will return the revised filter rules to the Contact for review.

Exception: From time to time, ITS may suggest filters that are to be installed on all firewalls at the University. Custom Firewall customers will be contacted, and if they want the filter installed will need to submit a new filter rule set.

Intervention by ITS

All firewall administrators are expected to remain current with security advisories affecting operating systems or applications on their networks, and to formulate requests for filters where applicable.

However, there may be times when ITS recommends that a filter be centrally added to all Basic and Custom Firewalls immediately. These requests will be classified as either Condition Yellow (recommended filter additions) or Condition Red (mandated filter additions).

Condition Yellow

On occasion, ITS may want to highlight a filter that is highly recommended for widespread implementation. The firewall administrator should not rely on receiving such recommendations in lieu of his/her own judgment, since not all possible filters will be promulgated by ITS but only those deserving of particular attention. The filters recommended by ITS for widespread implementation will be categorized as Condition Yellow: not mandatory for unit firewall administrators to adopt, but highly recommended.

Impact on Basic Firewall
Customers will be notified that the new filter will be installed in the mandatory rule set. If Basic Service customers do not want the rule installed they will need to transition to the Custom Firewall.

Impact on Custom Firewall
Customers will be notified of the recommendation, and if they would like the filter installed, will need to submit a new filter rule set via firewallmanager@psu.edu.

Filters will be updated within 48 working hours of the ITS request.

Condition Red

From time to time, a situation may arise where it is of critical urgency for a particular filter or filters to be applied to all ITS-maintained firewalls. In the rare instances where such action is required, the mandatory filtering will be categorized as Condition Red. This is anticipated to be a very rare occurrence; however, in a network emergency, ITS may direct implementation of a critical filter. Such filter(s) are mandatory and will be installed, at the top of the rule set, within 24 hours.

Impact on Basic Firewall
The filter rule will be automatically installed. ITS will determine the proper location in the Basic Firewall rule set.

Impact on Custom Firewall
Custom Firewall customers will be contacted, and they may opt to install the filter rule, or not. If the rule is to be installed, the Custom Firewall customer should reply with an update to the rule set, specifying the location of the new rule.

Maintenance of Firewalls

Customers will be notified via L-PSUDB listserv that patches and upgrades will be installed on the firewall. Installation of upgrades and patches will usually occur during the normal maintenance window.

ITS will not bypass the firewall while troubleshooting either the firewall or an ITS-maintained LAN behind the firewall without prior written permission from the customer.

To keep the service current, ITS will, from time to time, generate RFPs for a device to support the service. This timeframe is typically 18-24 months but could be shorter if the current device vendor is unable to provide the current product offerings. ITS will review the service offering to ensure it is providing the functions deemed necessary.

ITS will retain firewall logs for 30 days.