down arrowMenu

Information Technology

Firewall and VPN Services SLA

Service Level Agreement (SLA)

Firewall and VPN Services

 

Overview:

This service level agreement (SLA) is between ITS-NS, and any unit at the University of Northern Iowa that makes use of the University’s Firewall and VPN Services. Under this SLA, ITS-NS agrees to provide access to the services outlined in this document, and the unit agrees to abide by the responsibilities and other requirements of the SLA.

This SLA documents agreed-upon systems and services, covers performance and reliability, targets objectives, outlines escalation processes, and serves as an invoice for financial transactions between parties.

Definition of Scope:

The hardware used to provide firewall and VPN services at the University of Northern Iowa is covered by this standing agreement. This includes core switching, routing, firewall, and VPN equipment. Building infrastructure and power systems not located in approved ITS-NS managed datacenters are not covered by this service level agreement.

Additional specific information regarding infrastructure and dependencies is available upon written request.

Implementation:

Network Services will coordinate the deployment of firewall and VPN services either as highly available virtual firewall services or using standalone devices, depending on the customer requirements. Currently a pair of highly available firewalls located in separate data centers is the primary platform. Building and core networking will also be handled by ITS-NS and may include billable time and materials in order to provide connectivity to the firewall and VPN systems.

Purpose:

In support of the academic mission and administrative functions of the University of Northern Iowa, Network Services will provide a managed firewall solution where the network engineering group within ITS-NS is solely responsible for the administration, management, and monitoring of the firewall platform’s configuration, security policy, and rule-set in accordance to this Service Level Agreement (SLA). ITS-NS has dedicated staff that will work with authorized departmental security contacts to review, validate, implement, and audit firewall and VPN requests/changes as needed.

Updates to Agreement:

This standing agreement covers all virtual firewalls running on the ITS centralized firewall and VPN hardware, as well as dedicated standalone deployments. Any modification to this agreement will be posted to the ITS website at the following URL: https://www.uni.edu/its/its-service-level-agreements-sla

Maintenance Practices:

ITS-NS – Firewall, VPN and network infrastructure maintenance will occur as announced between 3am-7am on weekday mornings, Emergency maintenance will occur as required with as much advanced notification as possible.

 

Typical work performed during systems maintenance periods:

  • Network upgrades or changes

  • Software upgrades on network hardware

  • Testing failover and other resiliency systems

  • Changing or modifying firewall configuration (not including rule changes or normal non-service interrupting changes)

Every effort is made to limit the impact of maintenance periods on service availability of production instances; however during the duration of maintenance periods, services running on hardware covered in this document may be unavailable. While the hardware described in this document may still be operational during these time-periods, firewall or VPN service may be interrupted by unrelated network maintenance.

Notification of maintenance events will be sent according to ITS communication procedure https://www.uni.edu/its/policies/communication-plan-guidelines-system-changes-and-outages-proposal in advance via it-announce@uni.edu or via direct email to the affected customer(s).

Duties:

 

Roles and Responsibilities:

ITS-NS manages all firewall and network hardware infrastructure related to firewall and VPN offerings, this includes but is not limited to:

Service deployment:

  • Installation, maintenance, and configuration of new and existing hardware, software, and license codes

  • Integration of firewall services into monitoring and alerting systems

  • Provisioning of new firewalls and related network infrastructure

  • Point-to-point VPN connections

  • End-user VPN connections

Monitoring:

  • Core and edge device availability monitoring

  • Performance monitoring of firewall and network hardware with timely communication to unit about performance problems or concerns with suggested resolution paths

  • Log monitoring, analysis and archival

Maintenance and Operations:

  • Managing and processing renewal of all support agreements covering hardware and software related to the firewall and network hardware and related systems

  • Rule-set validation, verification, tuning, and optimization

  • Review of firewall policy and firewall security posture assessments

  • Software upgrades, patch management and device configuration maintenance

  • Device configuration change management and auditing

  • Maintain backups of device configurations

  • Comprehensive reporting upon written request

Emergency response and disaster recovery:

  • After-hours response to system outages by ITS-NS on-call staff

  • Incident response related to disruptions of service from network or other related failures

  • Network and firewall fault analysis and timely problem resolution

Customer Responsibilities:

  • Reporting errors and connectivity or performance problems between systems with traffic traversing the firewall, including performance issues detected at the application level.

  • Notifying ITS-NS of changes in requirement needs with sufficient time to allow for adequate planning. For example, 24 hours for change requests and 90 days for system design and capacity changes.

  • Timely notification to ITS-NS of changes to network infrastructure or protected systems behind the firewall, when these are not managed by ITS-NS.  For example, change in workload,  large data transfers, or backup changes which affect firewall performance.

  • Provide and maintain a list of contacts allowed to submit or approve changes for your firewall services. This list should be provided to the Networking Group at network@uni.edu to be kept on record.

  • Administration and troubleshooting of systems located behind the firewall

  • Timely payment of any and all fees associated with administration or support related directly to the support of the unit needs and outlined within this document.

Change Requests:

Initial point of contact for all configuration changes will be via a work ticket in the ITS-NS Helpdesk queue at network@uni.edu. All changes to firewall configuration must be tracked in a work ticket. Changes will be made during normal business hours (8-5 Monday through Friday) unless prior arrangements have been made with members of the ITS-NS Network Engineering team, 24 hours in advance. ITS-NS will make every effort to meet or exceed the following times for changes once all required information has been submitted through a work ticket.

 

Change

Completion Time

Access List (ACL) change

Within 1 business day

Provision new VPN profile

Within 1 business week

Add or modify firewall context

Within 2 business weeks

Log analysis for application layer related issues

Within 2 business days

ITS-NS reserves the right to refuse the implementation of a change if they determine that the change broadens the scope of service, or if they determine that it adversely affects other aspects of service availability.

Incident Reporting and Escalation:

Tier 1: ITS CCC Hotline via 1-319-273-5555 or network ticket email address at network@uni.edu

Tier 2: Corey Eichelberger– Network Engineering Corey.Eichelberger@uni.edu or (319) 273-5924

Tier 3: Aaron Howard - Director Network Services  Aaron.Howard@uni.edu or 319-273-5813

Tier 4: Marty Mark - CIO (Marty.Mark@uni.edu or 319-273-3050)


Service Expectations:

Users can expect approximately 99.9% service availability (Approximately 8.7 hours per year of unplanned outage time) for hardware and services covered by this SLA. This downtime is measured over the time period of a year, excluding anticipated outages and downtime performed during maintenance periods.

Service availability will be measured using Icinga service monitoring and records will be retained for one year. ITS-NS will monitor the firewall and VPN physical devices as well as the availability of the individual virtual firewalls.

Overall system performance statistics will be monitored and graphed for a period of one year using SNMP. Anonymized service availability information can also be provided during briefings to the UNI  community at departmental computing meetings, or to a target audiences.

Deviation from Agreement:

No penalty for missing this availability expectation will be enforced at this time. This service expectation should be used for planning purposes only.