Technical terms printed in italics are discussed in detail in the "Technical Analysis" section.
The Firewall Task Force recommends that the Campus, IST/CIO in particular, begin to integrate Firewall technology into its plans for overall network security. We outline several specific recommendations. The analysis that led us to these recommendations can be found in the analysis section of the report. Our recommendations speak to several different implementations of firewall technology being supported across campus. In order to support departments deploying any of these, we further recommend that a Firewall Support Service be included in IST/CIO’s organization. The required support has three dimensions:
· Installing and removing firewalls, and configuring and maintaining firewalls and firewall rules, and/or giving advice to unit personnel on how to do such tasks. Such services would normally be offered on a recharge basis.
· Informing campus units about the proper uses of firewalls, helping them decide whether their security plans should include the use of firewalls, helping them decide which kind or brand of firewall is best for their security needs, identifying unit training needs with regard to firewall-related activities, and delivering firewall-related training as necessary.
· The designs evaluated in this report are based on current firewall and network technology. As this technology is constantly changing, the FSS, in conjunction with the rest of SNS and CNS, should research new technologies and potential new firewall designs, and evaluate the feasibility of supporting and deploying these new designs on campus.
The Task Force estimates that at least two full time equivalent positions would be needed to provide this required support, and expects that more full time recharge positions would be needed as the level of firewall deployment grows. We place particular emphasis on the educational and outreach aspect of this service. As this particular service is consistent with the service originally envisioned for System and Network Security, we recommend that these FTE be included with that group.
· A border firewall is not a practical or effective solution in the campus environment.
· Individual routing firewall devices should not be used to protect multiple subnets; this is not a practical or effective solution for departments with multiple subnets. Departments with multiple subnets that are considering firewalls should seek other solutions.
· It is not feasible for Communication Network Services (CNS) to support network equipment behind a user-maintained firewall on a campus-wide basis. Departments wishing to use firewalls to protect entire subnets should consider the Hidden VLAN design. The alternative is a private network run entirely by the department — see below for a discussion of the benefits and challenges of such an implementation.
· We recommend that Information Systems and Technology (IST) offer a Secure Pen service, on a recharge basis, to departments needing to run high-availability, high-security servers. This model is already in place in Central Computing Services (CCS), where a secure pen is run for some campus units. We recommend that the service be formally offered to all departments.
· We recommend that CNS investigate and support the Hidden VLAN design for departments wishing to implement this topology for basic protection of many machines on a single subnet.
· We recommend that CNS modify and clarify the User Installed Network Equipment policy, with adequate input from the campus in general, to specifically allow the Host Cluster design. Departments that need to firewall several services could do so via the implementation of a Host Cluster, with CNS support to the wall jack only.
· We recommend that IST encourage and support the use of Personal Firewalls through a volume purchasing agreement. Additionally, in order to improve consistency of operation of personal firewalls across campus, we recommend that the selected product(s) be supported through their inclusion on the Connecting@Berkeley CD and by offering training to departmental administrators.