This page allows you to request changes to or information about servers you administer or connect to that are protected by the centrally-managed firewall.
From this page, you can do one of the following:
- Firewall a Server
- Un-Firewall a Server
- Change Access or Ports on a Host
- Request Firewall or Policy Troubleshooting
- Review a Ruleset
When requesting to firewall a new server, or to change access or ports on a host, you will need to know the following information:
- The system's IP Address
- The system's Switch & Port, or Circuit information
- All hosts that will need to connect TO a server
- All hosts that will receive connections FROM a server
- Services or Ports that communication will occur on (SSH or 22/tcp for example)
- The system's Information and Computer System Classification (Policy No.: IT0115)
Please Note: Before a new server can be placed behind the central firewall, it will be scanned to ensure it is secure.
When changing access or ports on a host, or if you are having trouble connecting to a system protected by the firewall, it is often helpful to request a ruleset review. To view the rules relating to the systems you are interested in, provide some details about the problem (if any) as well as the source and destination hosts. The ISO will then export the ruleset, along with a guide defining any objects referenced in it, and send both to you via email.
Important IP Address Information
All systems requiring specific rules within the firewall will need to have static IP addresses. As each system is assigned an address object within the firewall itself, dynamic addressing is not supported. If you do not have the appropriate access in NetReg to request a static IP in the correct IP space, you can send email to ipmgr@utk.edu to have one assigned for you. Once you have a static IP address in the correct IP space, you will also need to ensure that the network port the server is connected to is in the correct VLAN by sending email to nsadmin@utk.edu. You will need to provide them with either the switch and port number (if known) or the MAC address of the server.
Important information about services and ports
You must be specific about what services and ports you need access to/from. The ISO will not approve a rule allowing anyone to connect to a server on any port. If this type of access is required, there is no need to place the system behind the centrally-managed firewall. If you are not sure what ports your application uses, the Internet Assigned Numbers Authority (IANA) publishes the official association list online. It is important to double-check within the application, as most applications will allow you to change the default port for additional security. Because port associations can be changed, it is not good practice to request that a new system be given "the same access someserver.utk.edu has." That system might be running the same software or performing the same function, but its configuration may be unique to that particular installation.
Proceed to the firewall change management system
