Default Firewall for New Campus Networks

April 17, 2023

One IT colleagues,

This message is to inform you about a new network service requirement that was implemented at the end of March 2023. All new campus subnets need to be secured by either a bSecure Departmental firewall or the bSecure Shared Firewall service. In the past, selecting one of these services was optional when a new subnet was created.

Why is a firewall now required by default and how will it work?

We are making this change to improve security for campus users and to reduce risk to the institution. New networks not located in a data center will be added by default to the campus shared firewall service unless they are secured by a Departmental Firewall. The campus shared firewall offers a common set of rules and profiles that provide basic firewall coverage for user networks, including workstations and printers. It will block almost all inbound traffic except for printing and remote access (RDP, Apple Remote Desktop, and SSH), which are restricted to the campus network. Additionally, the firewall will block malicious activity and traffic to sites known to host phishing campaigns and malware. This means it does not support servers (web, file sharing, etc.) and IoT devices that require connections initiated from outside the Shared Firewall.

What changes do I need to make?

In the majority of situations, this change does not require that members of the IT community or their users take any action. This change does not affect existing campus subnets; it only affects new subnets implemented after the end of March 2023.

Departments with a bSecure firewall service should continue to request that any new subnets be secured by the appropriate firewall. In cases where a department does not have its own firewall, subnets will be secured by the bSecure shared campus firewall by default. This firewall service is managed by the Berkeley IT Information Security Office and provides a default level of security and connectivity that meets the needs of typical end-user computing. It is not designed to support servers or other custom connectivity needs. Users or departments with advanced network requirements should continue to contact the Berkeley IT network team for assistance.

Firewall Options & Assistance

  • Customized Firewall - Departments wishing to customize their firewall service may request a bSecure Departmental Firewall. This service is covered under the existing campus Data Network Recharge, so there are no additional costs for this service.

  • No Firewall - Departments or groups who do not want any firewall on their new subnet will need to be granted an exception to this service requirement by the Berkeley IT Information Security Office. If you believe you need an exception, please discuss this with the Network Engineer who is provisioning your subnet.

For quick answers to your questions, please search our Knowledge Base where you will find information on many firewall topics including these: Departmental Firewall Services and Shared Firewall Services. Use the Telecom Catalog to place orders or contact us for further assistance.

Regards,

Isaac Orr

Senior Manager, Network Services 

Berkeley IT | Campus IT Infrastructure