Departmental Firewalls
Placing entire departments behind a firewall in a robust fashion unfortunately poses a significant challenge.
Firewalls need to be installed at a choke point on the network -- that is, all traffic destined for the machines behind the firewall must travel through a single point. However, the University's network is designed without such choke points. Each router is configured in a high-availability setup to prevent a router failure from causing large-scale outages across the University's network.
Many departments share subnets with other departments, and each router on campus handles multiple subnets. If a firewall were installed in front of a department's subnet, the same hardware would also sit in front of another department's subnet. Therefore, the firewall would need to be managed by NSIT. However, for the firewall to meet departmental needs, the rules would need to be managed by the departments. Unfortunately, many firewalls do not allow this level of flexibility.
Redesigning the network to allow for these sorts of firewalls would cost more than many departments' entire budgets. It is unclear from where these funds would be allocated.
As an alternative to departmental firewalls, NSIT will be giving departments access to centrally manageable personal firewalls and providing information on how to protect departmental servers with software or individual hardware firewalls. This should reduce the apparent need for large departmental firewalls.