UW Madison Campus Firewall Service
DoIT Network Services is offering a firewall service as part of the 21st Century Network. This service will provide increased security and protection for your subnets by enabling you to place restrictions on inbound and outbound network traffic. It is only available to collaborative and centrally managed workgroups and is included as a standard network service.
Firewall services will be implemented via distributed management for virtual local area networks from the nearest nodal network electronics using the Cisco Systems Adaptive Security Appliance (ASA). The design provides for redundant ASA installation with a failover process. Each virtual firewall acts the same as a standalone physical firewall with its own configuration and security rules, but provides for full capacity of the link to radial buildings, typically 1GB. As with the data switches, workgroup firewall configurations will be backed up daily. Authorized Agents will be able to configure and manage their own firewall(s) independent of others located on the same ASA.
Workgroup network traffic is analyzed and controlled by the ASA at each VLAN interface. Each workgroup VLAN will have a separate "Firewall Context" (virtual firewall). Network Services will create one or more private VLANs for the connection between the ASA and your local area network. Public VLAN(s) will be connected to the ASA on the outward-facing side. The current firewall context implementation allows up to 4 VLANs per bridge-group and up to 8 bridge-groups per firewall context. The standard service model with a single VLAN is illustrated in SingleVLANConfig.pdf.
The campus firewall service is limited to building specific VLANs and cannot accommodate cross-campus VLANs. The strategy of cross-campus VLANs aggregating VLAN traffic for a workgroup to one firewall was cost effective for firewall appliances, but resulted in increased vulnerability at the point of concentration. Configuring one firewall context per VLAN will reduce this risk.
The Campus Network Engineers will work with those of you with cross-campus VLANs to transition them to multiple building-specific VLANs. Although this will increase the number of firewalls you will need to manage, it also will reduce complexity and make your network(s) easier to troubleshoot and manage overall. The standard service model with multiple VLANs is illustrated in MultipleVLANConfig.pdf.
De-Militarized Zones (DMZs)
DMZs should not be necessary unless you have a substantial number of servers. The ASA does support creation of a DMZ on the LANs behind the service. If you must create a DMZ there are a couple of options:
- Put your servers on a separate subnet, which in turn requires setting up a new firewall. (See DMZVLANConfig.pdf)
- Work with a network engineer to add an additional bridge-group or possibly an additional VLAN to your existing firewall bridge-group.
- If you previously used a NetScreen firewall, it is possible to re-use it to set up a DMZ. Be advised that if your NetScreen has a throughput capacity of 100 Mb/s, you will not be able to take advantage of the full 10 Gb/s available bandwidth. (See DMZNetscreenConfig.pdf)
Administration
There are three firewall management options available:
- Collaborative network with Authorized Agents and DoIT managing the firewall
- Collaborative network with DoIT managing the firewall
- Centrally managed network with DoIT managing the firewall
Tools for firewall management have been added to the aants (Authorized Agent Network Tool Suite) software at https://aants.net.wisc.edu/ . The module, My Firewalls, enables authorized agents to:
- Log into their firewall devices and configure them using the built-in GUI
- Access graphs and statistics about firewall contexts
- Check in firewall changes and back up configurations manually (Firewall Admin)
The primary training method is an online firewall administration training course, available at Firewall Online Training Course. Please plan on completing this course before your firewall service implementation.
A classroom course offered by the DoIT Academic Technology group is also available; see https://it.wisc.edu/services/training-faculty-staff/ to find out more.
In addition to the items outlined below, this course includes a number of lab exercises to provide participants with an opportunity to gain hands-on experience with firewall configuration.
Course Outline
- The origin of the DoIT firewall project - Internet Worms
- How a firewall works
- The DoIT Firewall
- Hardware Used
- Advantages of centralized hardware/decentralized administration
- Network Diagrams
- The migration process
- Connecting to your firewall management interface
- Working with Firewall Rules
- Hosts and Host Groups
- Service Groups
- If you are interested in this service, initiate the process by creating a helpdesk case at https://helpdesk.wisc.edu/page.php?id=9.
- A Campus Network Engineer will be assigned to work with you on your implementation.
- A requirements survey will be emailed to you. This will enable your network engineer to analyze your needs in advance and prepare a preliminary design.
- Attend a Firewall Administration training class or go through the online training.
- Your network engineer will schedule an initial consultation / design meeting with you. S/he will help you with:
  - Configuration and setup of your private VLAN(s)
  - Creation and testing of your firewall security rule set
  - Developing a migration plan (gradual migration or one-time cutover)
  - Developing a plan for reconfiguring cross-campus VLANs, if applicable
Production Support
DoIT will provide support for all facets of the firewall service including:
- Initial design
- Configuration and setup
- Testing and implementation assistance
- Automated configuration backups
- Equipment maintenance and upgrades
In addition, your network engineer will provide a week of one-on-one business day support following your migration to the firewall service. After this initial support period, Authorized Agents may contact the NOC (3-4188) directly for 24 x 7 support.
Q & A
Who is the manufacturer of the Campus firewall equipment?
UW has chosen the Cisco Systems Adaptive Security Appliance (ASA) for its ability to run 150+ virtual firewalls (called contexts) in transparent mode.
What is a transparent firewall?
A transparent firewall runs at layer 2 of the OSI model (bridging), allowing both the public and private side of the firewall to use the same IP space. Since no routing is occurring between the public and private side, the firewall is essentially in stealth mode, protecting your network without anyone even knowing it is in place.
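The transparent-mode, per-context design described above and in the service overview, as an added illustration that is not part of this documentation or of any DoIT configuration: one firewall context with a single bridge-group joining the public (outward-facing) VLAN and the private VLAN, so hosts on both sides share one IP subnet and the ASA bridges at layer 2 rather than routing. Interface numbers, VLAN IDs, addresses, names and the published server are constructed placeholders.

```text
! Constructed example of one ASA firewall context in transparent mode
! (not a campus configuration; all values are placeholders)
firewall transparent
!
! Public (outward-facing) VLAN, allocated to this context by the system context
interface GigabitEthernet0/0.100
 nameif public
 bridge-group 1
 security-level 0
!
! Private VLAN between the ASA and the workgroup LAN
interface GigabitEthernet0/0.200
 nameif private
 bridge-group 1
 security-level 100
!
! One management address for the bridge-group; it sits in the same subnet
! as the hosts on both sides, because the ASA bridges instead of routing
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
! Traffic from the private side (security-level 100) toward the public side
! (security-level 0) is permitted by default; inbound from the public side is
! limited to what the workgroup publishes, with the final deny logged so
! blocked attempts show up in the firewall statistics
access-list public_in extended permit tcp any host 192.0.2.50 eq 443
access-list public_in extended deny ip any any log
access-group public_in in interface public
```

Because a bridge-group is limited to 4 VLANs and a context to 8 bridge-groups, a second server segment such as a DMZ is added as another VLAN in this bridge-group or as a second bridge-group, not as a routed interface.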
Will DATN/multicast continue to work after moving behind the ASA?
Yes - Since the firewall is running in transparent mode, the firewall will allow multicast to pass through it.
How much bandwidth does the ASA support?
20 Gb/s (half duplex) in one direction or 10 Gb/s in both directions (full duplex).
Once my firewall has been installed and I have my rules configured, how do I move a host behind the firewall?
AANTS->EdgeConf - Since the ASA uses VLANs for the public and private side of the firewall, by using AANTS->EdgeConf you can simply select the port you are interested in and move it from the public VLAN to the private VLAN.
Does the ASA firewall support VPN connections?
The ASA supports VPN connections through it but it does not support VPN connections terminating to it.
How do I give specific users access to configure my firewall?
Refer to article http://support.doit.wisc.edu/ns/page.php?id=4817