Security update: deploying a centralized firewall for HMC

November 27, 2019, by Joseph Vaughan

As part of our efforts to increase security for the College’s data (and yours!), we are planning to deploy a centralized firewall. We will work with the TCCS Networking staff to achieve this. The goal is to prevent unauthorized access to computers connected to our network. At the moment, we have parts of a distributed firewall, implemented at the campus network level (Access Control Lists). But it is complicated, with some 900 rules scattered across the switches. This new firewall initiative will modernize and centralize our approach.

I have discussed the initiative with the President’s Cabinet and with the Department Chairs Committee. I did not discuss details as there are no details to discuss yet. Our plan is to pilot and test on various parts of the network before visiting each department to work out details.

One thing to say up front: the firewall will not prevent access from our network to the internet, nor will it prevent authorized access from the internet back into our network. Just as you would with your home network, we are aiming to make sure that any access to your computer is access you have authorized.

The HMC network is broken into a number of logical portions (VLANs), and we will deploy the firewall in phases, VLAN by VLAN. The default for the new firewall will be to deny unsolicited or unauthorized requests for access. This means that some people will need exceptions to the firewall rules. For example, if you are running a web server on a segment of the network that isn’t configured to allow that, you’d need an exception. We want to make sure that exceptions are kept secure and will scan them regularly (as we have done in the past).

We have already set up the firewall for a test VLAN and for a VLAN that contains CIS servers. We will do more extensive testing and then move on to another department. Please watch for more news about this.