DoIT Network Services Knowledgebase

• DoIT
• UW
• MyUW
• PEOPLE

UW Madison Campus Firewall Service

Overview
Cross Campus VLANs
DMZ
Firewall Administration
Training
Implementaion Process
Production Support
Q & A

DoIT Network Services is offering a firewall service as part of the 21st Century Network Upgrade project. This service will provide increased security and protection for your subnets by enabling you to place restrictions on inbound and outbound network traffic. It is only available to collaborative and centrally managed workgroups and is included as a standard network service.

Firewall services will be implemented via distributed management for virtual local area networks from the nearest nodal network electronics using the Cisco Systems Firewall Services Module (FWSM). The design provides for redundant FWSM installation with a failover process. Each virtual firewall acts the same as a standalone physical firewall with its own configuration and security rules, but provides for full capacity of the link to radial buildings, typically 1GB. As with the data switches, workgroup firewall configurations will be backed up daily. Authorized Agents will be able to configure and manage their own firewall(s) independent of others located on the same FWSM.

Workgroup network traffic is analyzed and controlled by the FWSM at each VLAN interface. Each workgroup VLAN will have a separate “Firewall Context”. Network Services will create a private VLAN(s) for the connection between the FWSM and your local area network. Public VLAN(s) will be connected to the FWSM on the outward facing side. The current firewall context implementation allows one public and one private VLAN pair per firewall context. The standard service model with a single VLAN is illustrated in SingleVLANConfig.pdf.

The campus firewall service is limited to building specific VLANs and cannot accommodate cross-campus VLANs. The strategy of cross-campus VLANs aggregating VLAN traffic for a workgroup to one firewall was cost effective for firewall appliances, but resulted in increased vulnerability at the point of concentration. Configuring one firewall context per VLAN will reduce this risk.

The Campus Network Engineers will work with those of you with cross-campus VLANs to transition them to multiple building specific VLANs. Although this will increase the number of firewalls you will need to manage, it also will reduce complexity and make your network(s) easier to troubleshoot and manage overall. The standard service model with multiple VLANs is illustrated in MultipleVLANConfig.pdf

DMZs should not be necessary unless you have a substantial number of servers. The FWSM does not support creation of a DMZ on the LANs behind the service. If you must create a DMZ there are a couple of options:

• Put your servers on a separate subnet. (See DMZVLANConfig.pdf)
• If you previously used a NetScreen firewall, it is possible to re-use it to set up a DMZ. Be advised that if your NetScreen has a throughput capacity of 100Mb, you will not be able to take advantage of the full 1GB available bandwidth. (See DMZNetscreenConfig.pdf)

1. Collaborative network with Authorized Agents and DoIT managing the firewall
2. Collaborative network with DoIT managing the firewall
3. Centrally managed network with DoIT managing the firewall

Tools for firewall management have been added to the aants (Authorized Agent Network Tool Suite) software at https://aants.net.wisc.edu/ . The module, My Firewalls, enables authorized agents to:

1. Log into their firewall devices and configure them using the built-in GUI
2. Access graphs and statistics about firewall contexts

The primary method is an online firewall administration training course available at Firewall Online Training Course. Please plan on completing this course either online or in person before your firewall service implementation. Course dates and times are available at:

under the Firewall Service Administration Training link.

An instructor-led course offered by the Professional and Technical Education(PTE) group is also available. However, this course would only take place if there are enough interested participants. If you are interested in taking an in-person training course, please contact PTE to find out more.

In addition to the items outlined below, this course includes a number of lab exercises to provide participants with an opportunity to gain hand-on experience with firewall configuration.

1. The origin of the DoIT firewall project - Internet Worms
2. How a firewall works
3. The DoIT Firewall
1. Hardware Used
2. Advantages of centralized hardware/decentralized administration
3. Network Diagrams
4. The migration process
5. Connecting to your firewall management interface
6. Working with Firewall Rules
1. Hosts and Host Groups
2. Service Groups

1. If you are interested in this service, initiate the process by creating a helpdesk case at https://helpdesk.wisc.edu/page.php?id=9.
2. A Campus Network Engineer will be assigned to work with you on your implementation.
3. A requirements survey will be emailed to you. This will enable your network engineer to analyze your needs in advance and prepare a preliminary design.
4. Attend a Firewall Administration training class.
5. Your network engineer will schedule an initial consultation / design meeting with you. S/he will help you with:
• Configuration and setup of your private VLAN(s)
• Creation and testing of your firewall security rule set
• Developing a migration plan (gradual migration or one-time cutover)
• Developing a plan for reconfiguring cross-campus VLANs, if applicable

• Consulting
• Initial design
• Configuration and setup
• Training
• Testing and implementation assistance
• Automated configuration backups
• Equipment maintenance and upgrades

In addition, your network engineer will provide a week of one-on-one business day support following your migration to the firewall service. After this initial support period, Authorized Agents may contact the NOC (3-4188) directly for 24 x 7 support.

Who is the manufacturer of the Campus firewall equipment?
UW has chosen the Cisco Firewall Services Module (FWSM) for it's ability to run 100 virtual firewalls (called contexts) in transparent mode.

What is a transparent firewall?
A transparent firewall runs at layer2 of the OSI model (bridging), allowing both the public and private side of the firewall to use the same IP space. Since no routing is occuring between the public and private side, the firewall is essentially in stealth mode. Protecting your network without anyone even knowing it's in place.

Will DATN/multicast continue to work after moving behind the FWSM?
Yes - Since the firewall is running in transparent mode, the firewall will allow multicast to pass through it.

How much bandwidth does the FWSM support?
5Gb/s(half duplex) in one direction or 2.5Gb/s in both directions(full duplex).

Once my firewall has been installed and I have my rules configured, how do I move a host behind the firewall?
AANTS->EdgeConf - Since the FWSM uses VLANs for the public and private side of the firewall, by using AANTS->EdgeConf you can simply select the port you are interested in and move it from the public VLAN to the private VLAN.

Does the FWSM firewall support VPN connections?
The FWSM supports VPN connections through it but it does not support VPN connections terminating to it.

How do I give specific users access to configure my firewall?
Refer to article http://support.doit.wisc.edu/ns/page.php?id=4817