Networking, Firewall, Service Participation
For IT Pros: This page contains information about how campus IT pros can add groups of computers under their control to the different campus firewall groups.
Rules for participating in the Firewall Service Plan
IP range rules:
- Each firewall group your unit needs should be a separate subnet.
- If your unit currently has one network serving multiple purposes, breaking that network into purpose-driven network is encouraged.
- If you absolutely can't use one firewall group for your network, Legacy IP range rules are still supported, see that section for more information.
- The head of the department must approve participation in the plan.
- All IP space in your network (or if necessary a selected legacy IP range) must be assigned to one of the firewall group. However, for Legacy IP ranges it is not required to use all of the available firewall group. (For example, you can place one contiguous range in the Fully Closed plan and another contiguous range in the Mostly Open plan, but are not required to place a machine range in each of the available plans.)
- IPv4 and IPv6 ranges for a single network must be placed in the same firewall group. If you are using Legacy IP ranges, IPv6 use on that network is discouraged. If your unit must have Legacy IP ranges and IPv6 for the same network, then the entire IPv6 range will be placed in the most restrictive firewall group used by any of that network's Legacy IP ranges.
- Paperwork from must be signed and returned to Tech Services before
any hosts can be placed in the firewall groups. Complete this form (UIUC_network_request_firewall_agreement.doc) and return it to Tech Services Networking by emailing a copy to firstname.lastname@example.org or if you can't send it via email you can send a paper copy to mail code 256, 1304 W. Springfield, Urbana, IL 61801.
- Optional: A number of network
administrators have commented to us that they felt uncomfortable
agreeing to the conditions in the statement of compliance form in that
they have no oversight for the machines that research groups request be
placed in the fully open portions of their subnet(s).
In response to (and in partnership with) those groups, we have developed an additional form for use by network administrators. This Departmental Statement of Compliance is intended to be a tool for network administrators. You may require it be completed before agreeing to place faculty or staff machines on fully open portions of your subnet(s).
While not required, Security would greatly appreciate receiving a copy of this form once you've signed off on it. Please send these forms to email@example.com.
- Optional: A number of network administrators have commented to us that they felt uncomfortable agreeing to the conditions in the statement of compliance form in that they have no oversight for the machines that research groups request be placed in the fully open portions of their subnet(s).
What to do when you've determined the networks or groups for your machines1. Fill out the firewall paperwork and return it to Networking.
2. If hosts need to move once you have new networks or the Networking-approved Legacy IP ranges and subnet masks for your machines, you can use IPAM to move your machines from their current IPs and subnet masks to their new locations.
- IP ranges selected for inclusion in the firewall plan must be contiguous (for example, you cannot say "everything from 192.0.0.0 to 126.96.36.199 except for 192.0.0.3 and 192.0.0.7").
- You must divide your network into no more than six IP ranges.
- Any selected IP range must contain a power of 2 number of hosts.
- The range of IP addresses for a firewall group must be representable by a combination of a starting IP address and a subnet mask describing the size of the range.
Since the campus firewalls use the combination of a valid range-starting IP address and a subnet mask to describe a segment of the network, all IP ranges used to define firewall groups must obey each of these rules.
For more assistance on determining what is a contiguous group of IP addresses matching the "Powers of Two" requirement, see Calculating Firewall Ranges.