
Firewall Service Participation


Rules for participating in the Firewall Service Plan

IP range rules:

  • IP ranges selected for inclusion in the firewall plan must be contiguous (for example, you cannot request "everything from 192.0.0.0 to 192.0.0.63 except for 192.0.0.3 and 192.0.0.7").

  • You must divide your network into no more than six IP ranges.

  • Any selected IP range must contain a power-of-two number of hosts (for example 16, 32, 64, or 128).

  • The range of IP addresses for a firewall group must be representable by a combination of a starting IP address and a subnet mask describing the size of the range. In practice this means the starting address must fall on a boundary that is a multiple of the range size (a 64-address range can start at .0, .64, .128, or .192, but not at .16).

    Since the campus firewalls use the combination of a valid range-starting IP address and a subnet mask to describe a segment of the network, all IP ranges used to define firewall groups must obey each of these rules.

For more assistance in determining whether a group of IP addresses is contiguous and meets the "Powers of Two" requirement, see Calculating Firewall Ranges.
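The three range rules above (contiguous, power-of-two size, expressible as start address plus subnet mask) can be checked mechanically before paperwork is submitted. The following checker is an added example, not a CITES tool; it uses Python's standard `ipaddress` module, and the sample ranges in it are constructed for illustration rather than real campus assignments. It also applies the "no more than six ranges" rule from the procedural section and, for a rejected range, shows the aligned blocks the range would have to be split into.

```python
import ipaddress

# The plan allows at most six IP ranges per department (the limit is the
# page's rule; this checker is an added example).
MAX_GROUPS = 6


def check_range(first, last, exclude=()):
    """Validate one proposed firewall-group range.

    first/last : dotted IPv4 strings, inclusive span
    exclude    : addresses the requester wants carved out; any such
                 exclusion makes the range non-contiguous, which the
                 plan does not allow
    Returns a dict with keys ok, size, network, netmask, pieces, reason.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("last address precedes first address")
    size = int(hi) - int(lo) + 1
    # Minimal set of CIDR blocks covering the span. Exactly one block means
    # the span is expressible as a starting address plus a subnet mask.
    pieces = [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
    result = {"ok": False, "size": size, "network": None,
              "netmask": None, "pieces": pieces, "reason": None}

    carved = [ipaddress.IPv4Address(a) for a in exclude]
    inside = [str(a) for a in carved if lo <= a <= hi]
    if inside:
        result["reason"] = "not contiguous: excludes " + ", ".join(inside)
        return result
    if len(pieces) == 1:
        net = ipaddress.IPv4Network(pieces[0])
        result.update(ok=True, network=pieces[0], netmask=str(net.netmask))
        return result
    # More than one block: either the size is wrong or the start is misaligned.
    if size & (size - 1):
        result["reason"] = f"{size} addresses is not a power of two"
    else:
        prefix = 32 - (size.bit_length() - 1)
        result["reason"] = (f"{size} addresses is a power of two, but {first} "
                            f"is not on a /{prefix} boundary")
    return result


def check_plan(ranges):
    """Validate a whole submission: a list of (first, last) tuples.

    Returns (ok, problems); problems is a list of human-readable strings.
    """
    problems = []
    if len(ranges) > MAX_GROUPS:
        problems.append(f"{len(ranges)} ranges submitted; "
                        f"at most {MAX_GROUPS} allowed")
    for first, last in ranges:
        r = check_range(first, last)
        if not r["ok"]:
            problems.append(f"{first}-{last}: {r['reason']} (would need "
                            f"{len(r['pieces'])} blocks: {', '.join(r['pieces'])})")
    return (not problems), problems


if __name__ == "__main__":
    # Constructed sample requests, not real campus ranges.
    samples = [
        ("192.0.0.0", "192.0.0.63", ()),                       # valid /26
        ("192.0.0.0", "192.0.0.63", ("192.0.0.3", "192.0.0.7")),  # carve-outs
        ("192.0.0.0", "192.0.0.99", ()),                       # 100 hosts
        ("192.0.0.16", "192.0.0.79", ()),                      # 64 hosts, misaligned
    ]
    for first, last, excl in samples:
        r = check_range(first, last, excl)
        verdict = f"OK {r['network']} mask {r['netmask']}" if r["ok"] else f"REJECT: {r['reason']}"
        print(f"{first}-{last}: {verdict}")
    ok, problems = check_plan([("192.0.0.0", "192.0.0.63"),
                               ("192.0.0.64", "192.0.0.127")])
    print("plan ok:", ok, problems)
```

A range that fails the check is reported together with the aligned blocks it decomposes into, which is usually the quickest way to see how to reshape it: a 100-host request becomes a /26 plus a /27 plus a /30, so the requester either rounds up to 128 hosts or submits separate groups.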

Procedural rules:

  • The head of the department must approve participation in the plan.
  • All IP space in a selected range must be assigned to one of the firewall packages. However, you are not required to use all of the available firewall packages. (For example, you can place one contiguous group in the Fully Closed plan and another contiguous group in the Mostly Open plan, but you are not required to place a machine group in each of the available plans.)

  • Paperwork from CITES must be signed and returned to CITES before any hosts can be placed in the firewall groups. Complete this form (in either Microsoft Word or Adobe PDF format) and return it to the Network Design Office (mail code 256, 1540 DCL, 1304 W. Springfield, Urbana, IL 61801 or fax 217-244-7089).

    • Optional: A number of network administrators have commented to us that they felt uncomfortable agreeing to the conditions in the statement of compliance form in that they have no oversight for the machines that research groups request be placed in the fully open portions of their subnet(s).

      In response to (and in partnership with) those groups, we have developed an additional form for use by network administrators. This Departmental Statement of Compliance is intended to be a tool for network administrators. You may require that it be completed before agreeing to place faculty or staff machines on fully open portions of your subnet(s).

      While not required, CITES Security would greatly appreciate receiving a copy of this form once you've signed off on it. Please send these forms to securitysupport@uiuc.edu.

What to do when you've determined the groups for your machines

  1. Fill out the CITES firewall paperwork and return it to the Network Design Office. The NDO will check your group assignments for their conformance to the subnet masking rules. You will then be contacted about the information you have submitted. When the subnet masking rules are met, you can then contact the DNS hostmanager.

  2. When you have the NDO-approved IPs and subnet masks for your machines, contact hostmgr@uiuc.edu to arrange a time to move your machines from their current IPs and subnet masks to their new locations. Two to four working weeks is a recommended amount of lead time for arranging the IP shifts, because there are multiple steps involved:

    1. Arrange a time to change the IP addresses. (There will be a period when no users should access the machines in order to make the change; it is advisable to schedule the IP address change during your lowest-use periods.)

    2. Send a preliminary notice to any users who will be affected by the outage, telling them when it is scheduled and what the new IP addresses will be. In addition to users with accounts on the machines, this includes system administrators whose access controls (such as TCP Wrappers) are keyed to the old IP addresses and anyone who runs an email server on one of the affected machines.

    3. Four days before the IP shift, the time-to-live (TTL) settings for those machines will be changed in the DNS system. At this time, a second reminder should be sent to affected users and system administrators.

  3. After the IP shift has been finished, contact the NDO to arrange a time to move the newly assigned IP ranges into the firewall groups you selected. This date should be at least a week later, to allow time to diagnose and correct any networking confusion that might arise from the IP shift.

Placing and removing hosts from the firewall groups is a "normal business hours" service.


Last modified August 23, 2006