The University of Arizona

Managed Local Firewalls

Managed local firewalls use Cisco firewall contexts or reflexive access-lists, which Security Operations deploys on request, working with departmental IT staff, to help protect a specific network/VLAN. Stateful Cisco firewall contexts are available for most networks that are physically on campus; where a firewall context is not available, a reflexive access-list on the router can be used in most cases to provide session-aware filtering.

For Further Information 
How to Access or Request 

This service is only available to registered network managers for the network to be firewalled. Submit a request through the CID Service Request form. Upon receiving your initial request, a SecOps group member may ask you to fill out an Excel worksheet (managed-firewall-template.xls) that walks through the process of creating a new firewall/RACL. Initial deployment/cutover of a new firewall typically involves a 30-minute maintenance window, with the time arranged between departmental IT and Security Operations. Recommended cutover times start at least one hour before the department's start of business or one hour after its close of business, and departmental IT should announce the downtime to their constituents two weeks before the cutover.

For Support and Assistance 

Support must be requested by a registered network manager for the network in question in one of the following two ways:

  1. Web page: Submit a request through the CID Service Request form.
  2. Email: Send email to secops at arizona dot edu

Please note that for any firewall change or troubleshooting you will need to supply the following information (three examples are included: opening SSH to the computers with IP addresses 150.135.0.2 through 150.135.0.254, a web server to the world, and a DNS server to campus):

  1. Source IP range (the IPs that should be permitted to reach your new service; e.g., '150.135.0.2 to 150.135.0.254 (150.135.0.0/24)', 'any/world', or 'campus only')
  2. Destination IP(s) (the IP of the machine(s) on your network hosting the new service; e.g., SSH server '128.196.1.2', web server '128.196.101.201', or DNS server '128.196.101.215')
  3. Destination port(s) (the protocol and port(s) your new service uses; e.g., 'tcp/22', 'tcp/80 and tcp/443', or 'udp/53' for DNS)
  4. A brief description of the service, and whether the requested hole is temporary or permanent
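The three example requests above, expressed as the kind of reflexive access-list a router would carry for a protected VLAN. This is an added illustrative configuration, not the University's deployed firewall configuration or a template from this page: the interface name, ACL names, session timeouts and the "campus" address ranges (128.196.0.0/16 and 150.135.0.0/16) are assumptions, and the real rule set is built by Security Operations from your request.

```cisco
! Added illustrative example; not the deployed configuration.
! Assumed: GigabitEthernet0/1 is the uplink that faces the rest of the
! network/Internet, so "in" is traffic toward the protected VLAN and
! "out" is traffic the protected hosts send. ACL names are invented.
!
! Inbound: one permit per requested hole, return traffic for sessions the
! protected hosts opened themselves, then drop (and log) everything else.
ip access-list extended PROTECTED-VLAN-IN
 ! 1. SSH to 128.196.1.2 from 150.135.0.2-150.135.0.254 (covered by /24)
 permit tcp 150.135.0.0 0.0.0.255 host 128.196.1.2 eq 22
 ! 2. Web server open to the world (any/world source)
 permit tcp any host 128.196.101.201 eq 80
 permit tcp any host 128.196.101.201 eq 443
 ! 3. DNS server open to campus only (campus ranges are an assumption)
 permit udp 128.196.0.0 0.0.255.255 host 128.196.101.215 eq 53
 permit udp 150.135.0.0 0.0.255.255 host 128.196.101.215 eq 53
 ! Replies to connections the protected hosts initiated (see reflect below)
 evaluate OUTBOUND-SESSIONS
 ! Default deny; logging lets SecOps see which service a user is blocked from
 deny ip any any log
!
! Outbound: allow the protected hosts out and record each session so that
! only its replies are let back in by the "evaluate" line above.
ip access-list extended PROTECTED-VLAN-OUT
 permit tcp any any reflect OUTBOUND-SESSIONS timeout 300
 permit udp any any reflect OUTBOUND-SESSIONS timeout 60
 permit icmp any any reflect OUTBOUND-SESSIONS
!
interface GigabitEthernet0/1
 description Uplink toward campus/Internet (assumed name)
 ip access-group PROTECTED-VLAN-IN in
 ip access-group PROTECTED-VLAN-OUT out
```

Each request maps to one or two permit lines, which is why the source range, destination IP and protocol/port are the minimum SecOps needs. The reflect/evaluate pair is what lets the protected hosts' own outbound connections receive replies without opening permanent inbound holes, and the trailing deny is what makes the word "hole" accurate: anything not explicitly requested is dropped. Ask for the narrowest source range that covers the real clients; reserve 'any/world' for services that genuinely must be reachable from the Internet.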

- Routine firewall changes will be processed by the end of the next business day, although changes are often processed much sooner. Firewall changes may be expedited by calling 626-TECH during business hours and asking for your change ticket to be expedited (please provide either the ticket number or the email address from which you sent the change request).
- Emergency changes may be processed 24/7 by calling the NOC at 621-7999 and asking for the Red Pager to be paged. Emergency firewall changes are defined as those that critically impact a department's services and cannot wait until regular business hours.

*Business hours are defined as 8:00am to 5:00pm Monday through Friday, except for holidays.

Hours of Availability 

Firewall services function 24/7 other than during maintenance windows. Please see our maintenance calendar for more information. Requests and support are handled during the hours stated above under "How to Access or Request" (for new firewalls) and "For Support and Assistance" (for firewall changes).