Managed Firewall Service

SERVICE DESCRIPTION

Description:

Firewall service is required for dedicated subnets located in the Data Center. Service is provided using Cisco Systems' Firewall Service Module (FWSM). All Data Center firewall instances are highly available.

SLA link:

http://ist.berkeley.edu/files/DataCenterColocationSLA.pdf

For:

department

Charges:

recharge

Costs:

Data Center HA firewall (per subnet):

  • $98.00 per month

Contact:

Technical Account Management (TAM),

A department customer requiring from one to three IP addresses will be placed behind a Cisco FWSM administered by IST at no additional charge. Customers needing more than three IP addresses will be put on a dedicated subnet that will be set up with dual FWSMs to provide high availability. The customer pays for the cost of maintaining the FWSMs.

The FWSMs are configured as transparent bridging devices and support the hidden VLAN security model. Each firewall 'instance' can support one subnet, with an 'inside' and an 'outside' VLAN. A server connected to a port assigned to the inside VLAN is effectively 'behind' the firewall. IST maintains the firewall hardware and software upgrades, while departments have the flexibility to administer their own rulesets using a management interface accessible via command line or GUI.

Within the Data Center, the FWSMs are set up to provide redundancy. There are two FWSMs installed in two switches. These are the same switches that provide connectivity to hosts on the Data Center floor. The FWSMs are configured such that a change made on one is automatically propagated to the other. If one of the FWSM units fails, the other will take over automatically.

The firewalls are delivered by a card that plugs into the existing switches in the Data Center. Since the cards access the backplane directly, there are no extra port charges for the FWSM.

Firewall configurations are periodically reviewed by the Security (SNS) group, who provide tips for making subnets more secure.
