The University of Arizona

Border Firewall Security Services

The University of Arizona border/perimeter firewalls are intended to prevent unsolicited, and frequently malicious, traffic from the Internet at large from reaching the University's campus network. By default, a small list of TCP/IP ports associated with frequently vulnerable services is blocked on the perimeter. It is strongly recommended that network managers work with SecOps to establish a higher level of firewall protection than the minimal baseline provided, either by setting up a managed local firewall or by opting to have their subnet blocked on the perimeter firewall.

For Further Information

More information for registered network managers can be found here: https://www.secops.arizona.edu/netmgr-services/perimeter-firewall.php

How to Access or Request

This service is only available to registered network managers for the network to be firewalled. Submit a request through the CID Service Request form, click on the 'SecOps' radio button, then "New Firewall/RACL Request", and check the 'Border Firewall' checkbox. Upon receiving your initial request, a SecOps group member may ask you to fill out an Excel worksheet (perimeter-firewall-template.xls) which walks through the process of creating a new firewall/RACL. There is no downtime associated with the configuration of new perimeter firewall rules, although it is strongly recommended that the network manager/departmental IT be available when the new rules are implemented to test critical services, and that the initial rules be scheduled to be applied during non-peak hours.

For Support and Assistance

Support must be requested by a registered network manager for the network in question in one of the following two ways:

  1. Web page: Submit a request through the CID Service Request form, click on the 'SecOps' radio button, then "Existing Firewall/RACL Change", and check the 'Border Firewall' checkbox.
  2. Email: Send email to secops at arizona dot edu.

Please note that for any firewall changes or troubleshooting you will need the following information (three examples are included: opening up SSH to the computers with IP addresses from 150.135.0.2 to 150.135.0.254, a web server to the world, and a DNS server to campus):

  1. Source IP range (IPs that should be permitted to reach your new service -- e.g., '150.135.0.2 to 150.135.0.254 (150.135.0.0/24)', or 'any/world', or 'campus only')
  2. Destination IP(s) (IP of the machine(s) on your network that are hosting this new service -- e.g., SSH server '128.196.1.2', or web server '128.196.101.201', or DNS server '128.196.101.215')
  3. Destination IP port(s) (IP ports which your new service is using -- e.g., 'tcp/22', or 'tcp/80 and tcp/443', or 'udp/53' for DNS)
  4. A brief description of the service, and whether the requested hole is temporary or permanent

- Routine firewall changes will be processed by the end of the next business day, although changes are often processed much sooner. Firewall changes may be expedited by calling 626-TECH during business hours and asking for your change ticket to be expedited (please provide either the ticket number or the email address from which you sent the change request).
- Emergency changes may be processed 24/7 by calling the NOC at 621-7999 and asking for the Red Pager to be paged. Emergency firewall changes are defined as those which critically impact a department's services and cannot wait until regular business hours.

*Business hours are defined as 8:00am to 5:00pm Monday through Friday, except for holidays.

Hours of Availability

Firewall services function 24/7 other than during maintenance windows. Please see our maintenance calendar (not yet available) for more information. Request processing and support are available during the hours stated above under "How to Access or Request" (for new firewalls) and "For Support and Assistance" (for firewall changes).