Firewalls & Network Security

Firewall Options

Introduction

ITS's Level III Firewall Service is offered to support customized secure zones within the UVA network. Typically these are for small groups of departmental servers that have specific access requirements which cannot be accommodated on the free UVA More Secure Network.

A departmentally-purchased and maintained hardware firewall cannot be allowed to partition off a section of the UVa network. However, a firewall is permitted between the network port and the server itself.

Access Policy and Configuration

Under the Level III Firewall Service, policy governing access through the firewall is set by the department. The rules configured into the firewall are developed by ITS to meet the department's policy. ITS then configures and operates the firewall in accordance with the Service Options described below. ITS maintains a record of all firewall configuration changes requested by the department. Access to the firewall logs is available to departmental service owners.

ITS Level III Firewall Services

ITS's standard Level III firewall services are listed below to provide a baseline for departmental planning. Additional services or special needs are evaluated on a project-by-project basis and will be priced accordingly.

Option 1 - Departmental Server(s) hosted and administered by ITS

A - ITS Hosted Servers Departmental Firewall Service

This free service includes:

  • Server hosting on firewall protected networks with other departmental servers having similar protection needs
  • Configuration requests via ITS Virtualization and Microsoft Services or ITS Systems and Storage (firewall rule adds/removes in accordance with ITS security policies)
  • ITS Support per ITS Virtualization and Microsoft Services or ITS Systems and Storage hosting contract
  • Requirement: Department servers must be under contract with either ITS Virtualization and Microsoft Services or ITS Systems and Storage, where the department has paid for the server to be located in an ITS Data Center

Option 2 - Departmental Server(s) located in the University Data Center (UDC)

A - UDC Shared Departmental Firewall Service

This free service includes:

  • A firewall virtual context on a redundant Cisco ASA 5585 firewall pair shared by departments
  • Servers are co-housed with other departmental servers
  • Service is accessed via a VLAN available on top-of-rack gigabit Ethernet switches
  • Initial configuration
  • ITS Support 24x7 (See note below)
  • Minor configuration tweaks (host/firewall rule adds/removes)

B - UDC Private Departmental Firewall Service

$1,850 annual fee includes:

  • A dedicated firewall virtual context on a redundant Cisco ASA 5585 firewall pair
  • Service accessed via a dedicated VLAN available on top-of-rack gigabit Ethernet switches
  • Initial configuration
  • ITS Support 24x7 (See note below)
  • Minor configuration tweaks (host/firewall rule adds/removes)

Option 3 - Private/Dedicated hardware

Required for protection of hosts containing/interacting with certain types of sensitive data

A - Single Departmental Firewall Service

$1,850 annual fee includes:

  • One Cisco ASA 5510 Security Plus firewall
  • Cisco hardware and software maintenance
  • One 24 port gigabit Ethernet switch
  • Initial configuration and installation
  • Software upgrades as needed for bug patches, etc.
  • ITS Support 8-5 M-F (See note below)
  • Hardware replacement, including a locally maintained set of spare equipment for rapid service restoration, and periodic equipment replacement on a three to four year cycle.
  • Minor configuration tweaks (host/firewall rule adds/removes)

B - Redundant Departmental Firewall Pair with Failover Service

$4,000 annual fee includes:

  • Two Cisco ASA 5510 Security Plus firewalls configured in a redundant pair
  • Cisco hardware and software maintenance
  • One 24 port gigabit Ethernet switch
  • Initial configuration and installation
  • Software upgrades as needed for bug patches, etc.
  • ITS Support 24x7 (See note below)
  • Hardware replacement, including a locally maintained set of spare equipment for rapid service restoration, and periodic equipment replacement on a three to four year cycle.
  • Minor configuration tweaks (host/firewall rule adds/removes)

Important Note: The support fee does not include log monitoring or detailed analysis. Logs will, however, be made available to the departmental contact. In-depth troubleshooting, requiring one or more hours after the initial configuration has been established, will be billed at the standard consulting rate.

If you have an ITS contract server and would like to inquire about option 1, please contact ITS Virtualization and Microsoft Services or ITS Systems and Storage. For inquiries about all other options, please submit a consultation request and a Network Engineer will help you navigate the options that are right for your needs.

  Page Updated: Thursday 2018-01-18 15:45:01 EST