Indiana University Data Center Firewall
Indiana University has two enterprise-class Data Centers: one in Bloomington and one at the ICTC building in Indianapolis. By default, all new network connections are placed behind the firewalls of the Data Centers, which block incoming traffic and allow outbound traffic. To provide necessary access to your host, or to view, change, or delete a firewall policy, visit the UITS Firewall Request Page.
Note: At the beginning of the fall and spring semesters, UITS observes a "change freeze" for approximately two weeks, during which only absolutely necessary changes are made with upper management approval. Keep this in mind when making firewall policy change requests.
On this page:
- Ensuring you're a member of a Firewall Group
- Adding, changing, and deleting a firewall policy
- Examples of common firewall requests
Ensuring you're a member of a Firewall Group
Note: If your group already has a Policy ID for the firewall, proceed to Adding, changing, and deleting a firewall policy.
Before submitting a firewall policy request or using the Policy Viewer, you need to be a member of a valid ADS group account. If you do not already have one, ask your LSP to create the account and add users.
When accessing the UITS Firewall Request Page, if you are not a member of a Firewall Group, you will see a page titled "Welcome to the UITS Firewall Request Page". Fill out the page and submit the form, completing the following fields:
- Group name: Typically a three-letter name (e.g.,
- Friendly name: Full name used to describe your group (e.g., Storage and Virtualization)
- ADS group: The ADS group account of which you are
- Manager's IU Network ID username: The manager of your group or department will have the ability to add members to the Firewall Group account.
After receiving a confirmation email from NETDATA stating that the Firewall Group account has been created, you can proceed.
Note: Once your Firewall Group account is created, you will not have to repeat the steps above.
Adding, changing, and deleting a firewall policy
Note: You can belong to multiple Firewall Groups, but only one host per request is permitted.
Before making your firewall policy request, have the following information ready:
- Source IP address
- Destination IP address: Your new host
- Service: Protocol (UDP, TCP or ICMP) and ports (name or number) to which to allow access on the destination host IP
To add, change, or delete a firewall policy:
- Go to the UITS Firewall Request Page. You can also access the Policy Viewer on this
PCI-DSS (for IU merchants only).
If you choose Add, you will then have to specify if the request requires a new piece of physical equipment, data cabling, or an inventory entry. Click
- On the resulting page, fill out the fields using the "Formatting Help" box as a guide.
Note: Restrict access as much as possible. For example, entering "IU Statewide" as the source will allow IU affiliates from all IU campuses to access the site or service.
Firewall policy requests are routed to your group manager for approval. You will receive email from email@example.com when your firewall policy request has been completed.
Following are resources you may need on your new host:
- NETSTAT: A tool accessed from the command line if you don't know which ports and protocols are being used
- TCPVIEW: A Windows GUI utility for mapping services to ports
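An added example, not part of the original IU page: a Python sketch that turns `netstat -an` output into candidate Service entries in the "name type port" form this page uses, skipping loopback-only listeners because those need no firewall policy. The sample output is constructed, and the function names are hypothetical.

```python
# Added example: derive candidate "Service" entries from `netstat -an` output.
# Service names come from this page's own examples; other ports print as "type port".
KNOWN = {("tcp", 80): "http", ("tcp", 443): "https", ("tcp", 22): "ssh"}

# Constructed sample mixing Linux and Windows `netstat -an` line layouts.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp   0      0      0.0.0.0:22      0.0.0.0:*       LISTEN
tcp   0      0      127.0.0.1:5432  0.0.0.0:*       LISTEN
tcp6  0      0      :::443          :::*            LISTEN
tcp   0      0      10.0.0.5:22     10.0.0.9:51514  ESTABLISHED
udp   0      0      0.0.0.0:514     0.0.0.0:*
  TCP    0.0.0.0:80      0.0.0.0:0     LISTENING
  TCP    [::1]:8005      [::]:0        LISTENING
"""

def is_loopback(host):
    host = host.strip("[]")
    return host.startswith("127.") or host == "::1"

def exposed_services(netstat_text):
    """Return sorted (proto, port) pairs listening on non-loopback addresses."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].lower().startswith(("tcp", "udp")):
            continue
        proto = fields[0].lower()[:3]          # tcp6 -> tcp, UDP -> udp
        # Local address is the first address-like field (skips Recv-Q/Send-Q).
        addrs = [f for f in fields[1:] if ":" in f]
        if not addrs:
            continue
        host, _, port = addrs[0].rpartition(":")
        if not port.isdigit() or is_loopback(host):
            continue
        # TCP rows count only in a listening state; UDP has no state column.
        if proto == "tcp" and not fields[-1].upper().startswith("LISTEN"):
            continue
        found.add((proto, int(port)))
    return sorted(found)

def request_lines(services):
    """Format pairs the way the page lists services, e.g. 'http tcp 80'."""
    return [f"{KNOWN.get(s, '')} {s[0]} {s[1]}".strip() for s in services]

if __name__ == "__main__":
    print("\n".join(request_lines(exposed_services(SAMPLE))))
```

Review each emitted line before putting it in a request: a listener that does not need to be reachable from outside the Data Center should be left out rather than opened.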
Note: At the beginning of the fall and spring semesters, UITS observes a "change freeze" for approximately two weeks. During change freeze, only changes that are crucial and accompanied by director-level approval are made. Keep this in mind when making firewall policy change requests.
Examples of common firewall requests
A common request for access to ports tcp 80 and tcp 443 from an "All IU statewide" host might look like the following:
All IU statewide
The "Destination" will usually contain a single host address, but could be a subnet range or group in the Data Center.
The "Source" can be as broad as the entire Internet or as narrow as a single IP address, and may be defined as single hosts, groups, or networks.
Groups used as destinations must be placed behind the firewall. Some common group ranges are:
- All IU statewide
- All IUPUI networks
- All IUB networks
Networks can also define a source or destination. Networks used as destinations must also be behind the firewall. Common network hosts are:
- A single host
Service ports will be
both. Some service ports can be defined with special timeouts. Common
service names may be used, but be sure to include the type and port
http tcp 80
https tcp 443
ssh tcp 22
Last modified on May 03, 2013.