Contact Us

Network Security
security@uchicago.edu
773.702.CERT

Firewall Questions?

If you have questions about the firewall strategy, or to request consultation on local deployment of firewalls, please email the Network Security Center.

Home  > Firewalls > Group

Group Firewalls



Group firewalls are firewalls which protect services which have a specific set of criteria:
  • There are multiple machines in a clump which provide a single service to its users.
  • The single service is easily protected by a firewall.
  • Due to the nature of the communications between the machines in the clump, it is impossible to firewall each machine individually.
  • There is a clear and compelling reason for the clump of machines to be behind a firewall.
For example, a cluster of web servers acting in high availability mode providing sensitive data may qualify. In this example, all access to the service is via the web and is a single service. This meets the first criteria. Web sites are easy to firewall as all communication happens over one or two ports (tcp 80 and/or 443), so the second criteria is met. Many setups for high availability cause traffic to be difficult to firewall, often because the network traffic between machines is poorly defined or a proprietary protocol. This meets the third criteria. As there is sensitive data stored on the cluster, there is an important reason for the system to be behind a firewall.

Group firewalls must still abide by the general requirements for firewalls on the University's network. Group firewalls must be managed by someone certified to manage the firewall and must be maintained in accordance to NSIT's recommendations for firewalls. Details on the certification process have not yet been finalized.