High Security Managed Firewall Service
What We Do
The Information Security Office (ISO) offers a High Security Managed Firewall Service for departments that regularly and broadly work with P4 Data. This service offers a common set of rules and profiles using more restrictive policies than the standard Shared Firewall Service to provide for the increased security needs of a department’s targeted user base. This service is offered as part of the bSecure project.
ISO maintains the High Security Managed Firewall, which contains a few standardized rules that allow the outbound access typically needed for client systems utilizing P4 or similarly sensitive data. Most outbound communication to servers and the larger internet is allowed, with the caveat that network threats such as malware downloads and known phishing sites are blocked. Inbound connections are limited to a small selection of services that may be requested by departments and are allowed only to specific users who use the GlobalProtect software to securely identify themselves to the firewalls.
Why We Do It
By providing High Security Managed Firewalls with a minimal set of rules and more restrictive policies, we can offer a better level of firewall coverage to units that require more security and isolation than what is provided by the Shared Firewall Service. Additionally, we can maintain a higher level of control than what is allowed under the Shared Firewall Service by offering a few common customizations that are only provided as needed and are limited to specific users.
This service is intended for departments that need more security and isolation than the basic level provided by the Shared Firewall Service, but don’t have the local IT resources to provide it themselves.
Requirements for Use
File, web, and mail servers cannot be hosted behind the firewall if they are in any way accessible to those outside of the network.
The network cannot be shared with other units or groups that do not have the same security requirements and data usage.
The majority of users of the Unit must be utilizing P4 or similarly sensitive data.
Types of Customizations Allowed
Some of these features may require ISO to set up a CalGroup to allow specific users access remotely for the purposes of printing or remote system access. These users will have to use the VPN or another source of integrated user ID information to use these services.
- UCSF Print Management
If you have printers managed by UCSF, this option will allow them access to the systems on the secure side of the firewall.
- Network printing from the unprotected side of the firewall
This will enable users in the remote access group for the individual firewall instance to remotely print to printers on the protected network.
- Campus BigFix Support
This enables systems using the centrally managed BigFix servers to access the protected network for managing any systems on that network.
- ITCS/EOS Computer Support
This enables access to the protected network from specific bastion hosts set up by EOS and ITCS and is used to remotely troubleshoot issues.
- Remote Access
This option allows access to SSH, Microsoft RDP, and/or Apple Remote Desktop for users in the remote access group.
How to Get Started
Request this service by completing the Shared Firewall Telcat form. When making the request, please specify the level and type of data accessed (e.g., P3, P4, or other sensitive data) in the comments. It will also help to specify where the data is stored and how it is accessed by your Unit. Finally, please let us know if you need any of the above customizations.