Departmental or Site Firewall Service

The Departmental or Site Firewall Service provides advanced security features to protect an organizational unit’s IT assets and data. Features may include firewall, VPN, Intrusion Prevention, Malware Protection, and URL filtering.


In computing, a firewall is a network security system that controls incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed to be neither secure nor trusted. Firewalls are the primary method for keeping computers and networks secure from intruders.

A firewall allows or blocks data network traffic into and out of a private network and/or the user's computer. Firewalls are widely used to give users secure access to the Internet as well as to separate a segment of the network (e.g., a company's public Web server) from its internal network. Firewalls are also used to keep internal network segments secure; for example, the accounting network might want extra protection against snooping from within the enterprise.

In the context of this Service, the firewall would be a stand-alone network device (aka “appliance”), inserted between the incoming general network connection and the various internal/departmental devices needing to be protected. It is a device that filters out unwanted data network traffic, the rules for which would be defined during the design stages of the project implementation.
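The rule-set model the two paragraphs above describe (first matching rule decides, anything unmatched is dropped) and the separation of a public web server and an accounting segment from the rest of the internal network can be shown in a few lines. The following is an added illustration, not part of this service page and not the configuration of any particular firewall product; every network, host and rule in it is constructed for the example. It also includes a small shadowed-rule check of the kind a periodic rule-set review would perform.

```python
"""Minimal first-match packet filter (added example; all networks,
hosts and rules below are constructed and hypothetical)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network       # source network the rule applies to
    dst: IPv4Network       # destination network the rule applies to
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port
    comment: str = ""      # business justification, as the documentation item asks for


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


# Constructed address plan: RFC 1918 internal space, TEST-NET-1 for the DMZ host.
ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")
ACCOUNTING = ip_network("10.20.0.0/16")     # segment that wants extra protection
DMZ_WEB = ip_network("192.0.2.10/32")       # public web server, separated from internal

# Order matters: the first matching rule wins, so the accounting deny must
# precede the general "internal may go anywhere" allow.
RULESET = [
    Rule("allow", ANY, DMZ_WEB, "tcp", 443, "public web server"),
    Rule("allow", ACCOUNTING, ACCOUNTING, "any", None, "accounting talks to itself"),
    Rule("deny", INTERNAL, ACCOUNTING, "any", None, "no snooping from other internal segments"),
    Rule("allow", INTERNAL, ANY, "any", None, "internal clients out to the Internet"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet's 4-tuple falls inside the rule's scope."""
    return (pkt.src in rule.src and pkt.dst in rule.dst
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(ruleset: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation with an implicit default deny at the end."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny"


def decide(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Convenience wrapper taking plain strings, evaluated against RULESET."""
    return evaluate(RULESET, Packet(ip_address(src), ip_address(dst), proto, dport))


def shadowed_rules(ruleset: List[Rule]) -> List[Tuple[int, int]]:
    """Review helper: (index, shadowing index) for rules that can never fire
    because an earlier rule already covers their whole scope."""
    found = []
    for i, later in enumerate(ruleset):
        for j, earlier in enumerate(ruleset[:i]):
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                found.append((i, j))
                break
    return found


# A rule appended after the broader accounting deny is dead weight; a review
# should flag it rather than leave it to confuse the next reader.
REDUNDANT_RULESET = RULESET + [
    Rule("deny", ip_network("10.5.0.0/16"), ACCOUNTING, "tcp", 445, "redundant"),
]

if __name__ == "__main__":
    print(decide("198.51.100.7", "192.0.2.10", "tcp", 443))   # Internet -> web server
    print(decide("198.51.100.7", "10.5.1.1", "tcp", 3389))    # Internet -> internal host
    print(decide("10.5.1.1", "10.20.3.4", "tcp", 445))        # other segment -> accounting
    print(shadowed_rules(REDUNDANT_RULESET))
```

The evaluator drops anything no rule mentions, which is why the Internet-to-internal-host packet is denied without an explicit rule; the shadowing check is the kind of thing the six-monthly rule-set review listed below would look for.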

Request Service

Requesting this service involves two major phases:

Initial Deployment

  • Submit an initial request for service via this Google form.
  • ITS will clarify the initial request with the requesting department and generate a Final Request Document (agreed to by all parties), which will include an estimated budget for proceeding into the actual detailed scoping stage, as well as a Rough Order of Magnitude (ROM) budget for the entire project (based on information gathered so far).
  • If the requesting department approves, the Project Scope and Detailed Evaluation phase begins. The result of this stage determines a refined version of the anticipated funding needs (hardware, software, services, etc.) for both the implementation as well as the ongoing operation.
  • If the requesting department approves, ITS proceeds (in partnership with the Customer) into Final Design, Procurement, Testing, and Implementation.

Ongoing Operation

Requesting changes to any of the implemented services involves opening a SlugHub Ticket and selecting "Security" (for Service) and "Firewalls" (for System/Application).

The various ongoing operation services include:

  • Firewall Services
    • Intrusion Prevention System (IPS), Web Filtering and Anti-virus, VPN, and security monitoring
    • Firewall rule changes
    • VPN account creation
    • Static IP address management
    • IPS and firewall rule tuning and troubleshooting
    • OS upgrades and security patches
    • Opening, working, and resolving manufacturer support tickets
  • Security Services
    • Monthly Vulnerability scans and assessment
    • Basic System/Network Forensics when incidents occur
      • If offsite disk forensics are required in the event of a breach, CoreTech-Infosec will coordinate the outside service on behalf of the requesting department
    • Monthly IPS, firewall, Malware, URL, and VPN log monitoring
    • Review firewall and router rule sets at least every six months
    • Annual penetration test
      • PCI Exception: If the requesting department is subject to formal PCI-compliant penetration tests, those remain the department's responsibility to have independently conducted, with results provided to ITS for appropriate record keeping.
    • Actual computing systems protected by the Firewall are specifically excluded from any special scans or treatment. Rather, the requesting department must engage SDS for standard desktop support, which includes patches, virus protection, and other components.
    • PCI addition: If the requesting department is subject to any PCI compliance requirements, then it remains solely responsible for determining that component of these activities. It is strongly encouraged to work with SDS should the standard services not provide an acceptable level of compliance for desktop systems.
  • Documentation
    • ITS and the requesting department shall use current processes for approving and testing all network connections and changes to the firewall and router configurations.
    • ITS and the requesting department shall jointly produce a current network diagram that identifies all connections between the firewall protected data environment and other networks, including any wireless networks.
    • The requesting department shall produce and maintain (and provide to ITS for record keeping) a current diagram that shows how all firewall-protected data flows across all systems and networks.
    • ITS and the requesting department shall utilize current processes to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
    • The requesting department shall maintain (and provide to ITS for record keeping) documented firewall user access and business needs.

Hardware maintenance contracts are required for all deployed devices

  • Contracts will be managed by CoreTech-Infosec, and the cost will be funded by the customer as part of Ongoing Operation
  • CoreTech-Infosec will advise the requesting department when and if any hardware replacements are anticipated (given equipment life expectancy).

Network equipment and design & integration services required to implement secure distribution of firewalled security domains can be provided at additional cost.

Additional requirements may exist for specific projects (e.g., PCI), and shall be evaluated and estimated during the Initial Deployment phases.

Cost of Service

Initiation Stage - No charge to the requesting department

  • Initial Request
  • Clarification Sessions
  • Final Request Document
    • Estimate for Project Scope and Detailed Evaluation
    • ROM Estimate for Full Design, Implementation, and Ongoing Operation

Detailed Project Scope and Evaluation - Variable costs based on the above result for each specific project

  • Funded by Department FOAPAL
  • Project Scope Document
    • Refined Estimate for Detailed Design, Implementation, and Ongoing Operation

Detailed Design, Procurement, Testing, and Installation - Variable costs based on the above results for each specific project

  • Funded by Department FOAPAL
  • $106 (or current network engineering rate) per hour, quantity of hours determined for each specific project
  • Hardware procurement costs, as determined for each specific project
  • Other costs as determined for each specific project

Ongoing Operation - Variable costs based on the above results for each specific project

  • Funded by Department FOAPAL
  • Depending on agreements made during the above phases, a fixed or variable number of hours per month, at $104 per hour, and/or other costs as agreed
  • Hardware maintenance contract costs, as determined for each specific project
  • Other costs as determined for each specific project

Materials and vendor support costs vary by project scope and scale, and are funded via the customer FOAPAL(s) as part of the Implementation or Ongoing Operation stages, as applicable.

Should anything occur during these stages to increase the earlier anticipated funding levels, ITS will work with the customer to determine an equitable solution. If there are no increases to the earlier anticipated funding levels, the project will proceed on schedule -- but only actual costs (up to but not exceeding the earlier anticipated funding) will be charged.

Multitenancy Operation - For site firewalls, diverse needs sometimes arise that must be balanced against a design and support load that is sustainable. For multitenancy operations, a virtual council consisting of designated group advocates and IT staff is set up to ensure communication and give each group a voice in the changes to be made.

Get Help

Contact the ITS Support Center if you need help with the Departmental Firewall service. When you open a support ticket, select "Security" (for Service) and "Firewalls" (for System/Application).