Penn Computing
Fortinet Hardware Firewall Consulting and Maintenance Service

ISC LAN Technology Services (LTS) and ISC Networking and Telecommunication (N&T) consultants provide assistance to Local Support Providers and System Administrators in every stage of the planning, configuration and deployment of Penn's Recommended Hardware Firewall. Planning, Security and Best Practices are provided by LTS at no cost. We provide a complete solution which includes:

Planning, Security and Best Practices

Network Bandwidth Utilization Assessment:

An LTS consultant along with an N&T consultant will work with you to plan a network bandwidth utilization assessment. A bandwidth utilization assessment consists of gathering statistical data, using network tools sanctioned and used by ISC Networking.

For example,

  • Arbor Report: Statistical data is gathered by monitoring uplink traffic from the core to a building entrance router. The report provides you with the top 25 talkers, raw flows, packet sizes, etc., utilizing the network. The report can include IP addresses, port numbers, and the amount of inbound and outbound traffic.
  • InfiniStream Report: Statistical data is gathered by monitoring uplink traffic from a specific port on the switch. By mirroring that port (usually a server port) to a port on the switch, all data is sniffed by the InfiniStream appliance. The statistics available in the InfiniStream can help you quickly identify network anomalies. Each statistical element is expressed in terms of packet source address, destination address and protocol.

Identifying or Defining the Firewall Perimeter:

An LTS consultant can advise and assist you on how to create or update your network diagram. An accurate network diagram is an extremely valuable tool for obtaining a visual understanding of all hosts in your current environment. If you have two sites, it is extremely important that you update the network diagram for both sites. We can also guide you on how to complete an inventory of servers and services running on each host you intend to place behind the firewall. A thorough understanding of the type of traffic you will need to allow through the firewall is important to help generate the policies. During our meeting, a number of questions will be addressed, for example:

  • Do you intend to place all the servers behind the firewall?
  • What type of servers (roles) do you have?
  • Do you intend to place workstations behind the firewall?
  • Is there a need for a site-to-site VPN?

Segmenting Traffic Using vLANs:

Through the use of vLANs you can improve security by segmenting traffic between trusted servers (such as file servers and domain controllers), public servers (such as web servers), and workstations. The firewall acts as a gateway between the vLANs, examining incoming and outgoing traffic to see if it meets the criteria defined by the firewall policy. Criteria commonly used to allow or block traffic are IP addresses/ranges, application ports and protocol. A consultant will work with you on how to inventory services and application ports and protocols in order to identify and define which network port goes into which vLAN. For a fee, N&T will configure the number of vLANs needed. To request vLAN configuration from N&T please send email to services-request@isc.upenn.edu

Selecting the Right Firewall Model:

LTS has expertise and experience in the deployment and maintenance of all Juniper and Fortinet hardware firewalls. We can assist with selecting the firewall model that would meet your school's or department's needs. Based on traffic load, site-to-site VPN tunneling, and current and anticipated future infrastructure needs, an LTS consultant will help in the selection of the appropriate firewall model. When making a firewall selection, special attention is also paid to the throughput impact of enabling the Deep Inspection module and a High Availability configuration.

Implementation and Support, for-fee service:

Deploying the Firewall:

Once the firewall model is selected, the network diagram updated, the number of vLANs identified, and firewall policies defined, an LTS consultant can assist with the complete firewall set-up: patching the firewall OS, configuring network connectivity, setting up an HA cluster, configuring policies, testing, and backup. We also work with you to develop a test environment to help test out policies before the firewall is deployed. An LTS consultant will be onsite working hand in hand with you on migration day.
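The segmentation section above describes the firewall as a gateway between vLANs that allows or blocks traffic by IP range, port and protocol, and this section recommends testing policies before migration day. The following added example (not Penn ISC's or Fortinet's code; the addresses, rule set and expected flows are constructed for illustration) models a first-match, default-deny policy between trusted, public and workstation segments and checks it against the service inventory, so a policy gap or an over-permissive rule shows up before the cut-over rather than after.

```python
import ipaddress

# Constructed sample segments (not Penn's addressing): one vLAN per role from the page
SEGMENTS = {
    "trusted": ipaddress.ip_network("10.10.10.0/24"),       # file servers, domain controllers
    "public": ipaddress.ip_network("10.10.20.0/24"),        # web servers
    "workstations": ipaddress.ip_network("10.10.30.0/24"),
}

# Policy rows are evaluated top-down, first match wins; anything unmatched is denied.
# Fields: source segment, destination segment, protocol, port range (None = any), action.
POLICY = [
    ("workstations", "public", "tcp", (443, 443), "allow"),   # browse the web servers
    ("workstations", "trusted", "tcp", (445, 445), "allow"),  # file shares
    ("public", "trusted", "tcp", (1433, 1433), "allow"),      # web tier to database only
    ("public", "trusted", "any", None, "deny"),               # nothing else from public to trusted
    ("any", "public", "tcp", (443, 443), "allow"),            # the outside reaches the web tier
]

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "external")

def evaluate(src_ip, dst_ip, proto, port, policy=POLICY):
    """Return ('allow'|'deny', index of the matching rule or None for the default deny)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for i, (rs, rd, rp, ports, action) in enumerate(policy):
        if (rs in ("any", src) and rd in ("any", dst) and rp in ("any", proto)
                and (ports is None or ports[0] <= port <= ports[1])):
            return action, i
    return "deny", None

def check_expectations(expectations, policy=POLICY):
    """Compare the policy against the service inventory; return the flows that disagree."""
    mismatches = []
    for src_ip, dst_ip, proto, port, expected in expectations:
        actual, _ = evaluate(src_ip, dst_ip, proto, port, policy)
        if actual != expected:
            mismatches.append((src_ip, dst_ip, proto, port, expected, actual))
    return mismatches

# Constructed expectations: what the server/service inventory says must and must not pass
EXPECTATIONS = [
    ("10.10.30.7", "10.10.20.5", "tcp", 443, "allow"),   # workstation to web server
    ("10.10.30.7", "10.10.10.2", "tcp", 445, "allow"),   # workstation to file server
    ("203.0.113.9", "10.10.20.5", "tcp", 443, "allow"),  # internet to web server
    ("203.0.113.9", "10.10.10.2", "tcp", 445, "deny"),   # internet must not reach file shares
    ("10.10.20.5", "10.10.10.2", "tcp", 3389, "deny"),   # web tier must not RDP to trusted hosts
]
```

Running `check_expectations(EXPECTATIONS)` returns an empty list when every inventoried flow behaves as intended; any tuple it returns is a rule to revisit before deployment.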

Firewall configuration options:

  • Stand Alone Mode: A single firewall deployed without a backup hardware firewall. This is not a recommended long-term solution, but it can serve as a short-term solution.
  • High Availability: Two same-model firewalls configured in high availability for failover. The firewall configuration is set for active/passive.
  • Load Balancing: Two same-model firewalls configured for load balancing. The firewall configuration is set for active/active.

Additional software license features for Deep Inspection, Anti-Virus and Anti-Spam are available for an additional cost. Careful planning is required, as these software license features decrease firewall throughput when enabled: they are processed by the firewall CPU instead of the ASICs.

Firewall Maintenance:

Firewall maintenance is available as a for-fee service at $110/hour. For more information on firewall maintenance please send email to magida@isc.

Information Systems and Computing
University of Pennsylvania