© 2008 by the Rector and Visitors of the University of Virginia.


Level III Network Security Zones

The general concept of firewalls and the services they provide is discussed in the Overview Section of this web site, as is the UVa More Secure Network. The More Secure network is a standard service that provides firewall protection for network jacks throughout the university. Because the More Secure network is designed to support large numbers of computers, the rules configured into its firewall are fixed and cannot be modified to meet the extra requirements that departments may have for specialized protection of servers and other equipment.

The Level-III network firewall service is designed to meet the specialized security needs that departments may have that cannot be met by the More Secure network alone. While a typical Level-III network is implemented as a specialized high-security zone for a small number of carefully administered servers, Level-III networks are also often implemented as lower-security areas that provide additional protection for servers that must offer services to the general public.

The key philosophy behind a Level-III network is that it is a service customized to meet the needs of a specific department or research group. The policy for access through the firewall is set by the department. The rules configured into the firewall are developed by ITC to implement the policy established by the department. ITC then configures and operates the firewall according to the Service Options described below. ITC maintains a record of any firewall configuration changes requested by the department. Departmental access to the firewall logs is available to departmental service owners who have one of the iKey authentication tokens that are also used for departmental delegation of network port control on the More Secure network. (Note: departmental log access should be available in summer or early fall 2004.)



ITC's Level III Firewall Service Options

ITC's Level III Firewall Service is offered to support customized secure zones within the UVa network. Typically these are for small groups of departmental servers that have specific access requirements which cannot be accommodated on the free "more secure" UVa network. The options listed below describe our standard services and are given as a baseline for departmental planning. Additional services or special needs are evaluated on a project-by-project basis and will be priced accordingly.

  1. Option for Departmental Server(s) administered by ITC
    If the servers in question are under contract with either ITC Microsystems or Unix Systems and have paid to be located in one of the Carruthers Hall machine rooms, the department has the option to request the server(s) to be located in the ITC contracted firewall pool at no additional cost. They will co-exist with other departmental servers with similar protection needs.

  2. Single Departmental Firewall Service
    Fee $1,850 annually
    Includes:
    • One Cisco PIX 515 E firewall with 100 Mbps Ethernet
    • Cisco hardware and software maintenance
    • One Nortel 450 Switch
    • Initial configuration and installation
    • Software upgrades as needed for bug patches, etc.
    • ITC Support 8-5 M-F
    • Hardware replacement including a locally maintained set of spare equipment for rapid service restoration and periodic equipment replacement on a three to four year cycle.
    • Minor configuration tweaks

    The support fee does not include log monitoring or analysis; however, logs will be made available to the departmental contact. In-depth troubleshooting requiring one or more hours after the initial configuration has been established will be billed at the standard consulting rate of $44 per hour.

  3. Redundant Departmental Firewall Pair with Failover Service
    Fee $4,000 annually
    Includes:
    • A Cisco PIX 515 redundant pair with stateful failover and 100 Mbps Ethernet
    • Cisco hardware and software maintenance
    • One Nortel 450 Switch
    • Initial configuration and installation
    • Software upgrades as needed for bug patches, etc.
    • ITC Support 24x7
    • Hardware replacement including a locally maintained set of spare equipment for rapid service restoration and periodic equipment replacement on a three to four year cycle.
    • Minor configuration tweaks

    The support fee does not include log monitoring or analysis; however, logs will be made available to the departmental contact. In-depth troubleshooting requiring one or more hours after the initial configuration has been established will be billed at the standard consulting rate of $44 per hour.