UW Firewall Administration Policy Summary

With the campus IT policy and the universities guiding principles in mind the firewall advisory group, comprised of a mix of subject matter experts and members from representative campus units, devised an administrative solution to generally improve the administration, configuration, and operation of UW-Madison network firewalls. These two avenues have been named collaborative and delegated. To learn more, please reference: https://kb.wisc.edu/itpolicy/it-network-firewall-plan

The collaborative model design:

  • The Office of Cybersecurity will need a WiscIT ticket opened by the department containing information about the firewall(s) that will be modified e.g. administrator contact information, firewall virtual system information, etc. For prioritization purpose, the WiscIT ticket should include an approximate date range that the unit could migrate the advanced security features.

  • The Office of Cybersecurity staff will review the WiscIT ticket and the existing firewall advanced protection ruleset currently in place. In order to provide guidance to the firewall administrators on the possible impact of the change, the Office of Cybersecurity will contact the firewall administrator to arrange a consultation, once a ticket has been created.

  • The collaborative model enables more extensive and adaptable use of common (shared) network firewall rules. This is accomplished by applying firewall management principles that are responsive to the needs of the institution, along with a collaborative decision-making process to ensure that those needs are heard and addressed.

  • With common (shared) firewall rules, the collaborative model increases the consistency of firewall protection to all subnets behind the firewalls. When new threats are identified, common firewall rules are centrally updated to reduce the risk of compromise. This helps departments that are unable to maintain up-to-date rulesets due to staff vacancies or lack of available staff time.

  • The Office of Cybersecurity assists departments to introduce more advanced firewall protection features which can quickly detect and block new threats. These advanced features are necessary to protect data and assets from increasingly sophisticated and persistent attacks.

The delegated model design:

  • This model provides an option for unit admins who wish to administer the rules and profiles of their firewall virtual systems (vsys).

  • The Office of Cybersecurity will need a WiscIT ticket opened by the department containing information about the firewall(s) that will be delegated e.g. administrator contact information, firewall virtual system information, etc.

  • The advisory group will advise on the knowledge or training needed by someone serving as a firewall administrator; will help set criteria to become a certified firewall administrator and what privileges that conveys. See the UW-Madison Palo Alto Firewall Services Readme KB article for training resources.

  • The Office of Cybersecurity will review the implementation plan and the operating procedures, and measure the success of the rulesets to report to the advisory group and sponsors.

  • The advisory group and the Office of Cybersecurity will work together to develop success criteria.

    • Data could include log files gathered by the Next Generation Firewalls or other systems, incident or event tracking, self assessments, surveys, meeting notes, exception requests, or other sources.

    • The initial goal is to have an annual assessment, but that could be extended to biennial or triennial assessments.

Firewall administrative roles:

To provide clear communication regarding responsibilities, expectations and firewall changes, the advisory group has designed two roles for the campus network firewall service. Modeling off of the AANTS role design the advisory group decided to follow along with this model. Depending on departmental staffing, the roles may be held by the same person. The roles designated are:

  • fw-admin-c

  • fw-tech-c

 

The fw-admin roles & responsibilities are:

  • Make policy and procedure decisions about configuration and operation of the units' vsys.

  • Guide the authorized firewall technician on the implementation of the decisions.

  • Primary contact for Network Services and The Office of Cybersecurity.

  • Responsible for review of vsys policies, procedures and administrative access.

  • Inform unit management of any major decisions and significant risks associated with vsys changes.

The fw-tech roles and responsibilities are:

  • Included and informed of all routing vsys information, i.e. configuration, operational changes.

  • Responsible for applying vsys configuration changes in accordance with campus and unit policies and procedures.

  • Notify the fw-admin of any security and operational concerns.