Next Generation Firewall Governance

To enhance the security of Penn’s networks, systems and data, ISC is selecting and installing a campus-wide next-generation firewall (NGFW).  A campus firewall will enable proactive and reactive blocking of network-based attacks.  In support of this initiative, ISC’s Emerging Solutions office is forming a working-group to help coordinate and design an ideal solution.  Specifically, this group will help:

  • Obtain feedback on functional requirements during the campus firewall RFI/RFP development processes
  • Recommend a sustainable firewall governance process that is in sync with broader Information Security governance efforts being established in FY’16.
  • Provide feedback and guidance on requirements during the campus firewall hardware selection process.
  • Define a short-term plan for rolling-out the firewall as well as a longer-term strategy for achieving the desired balance between security and network functionality, speed, and availability.


  • Jeff Balentine, Information Systems and Computing
  • Josh Beeman, Information Systems and Computing
  • Richard Cardona, Annenberg School for Communication
  • Brian Doherty, School of Arts & Sciences
  • Paul Dziomba, Division of Finance
  • Steve Groundwater, College Houses & Academic Services
  • Pat McTeague, Penn Medicine Academic Computing Services (PMACS)
  • Melissa Muth, Information Systems and Computing
  • John O'Brien, Information Systems and Computing
  • Warren Petrofsky, School of Arts & Sciences
  • Josh Poinsett, School of Nursing
  • Kristofor Varhus, School of Engineering & Applied Science
  • Barry Wilson, The Wharton School



  1. Recommendation on the long term strategic posture of the campus border firewall
  2. Contribute to requirements for hardware selection
  3. Recommendation on the timeline and intermediate steps to transition from the current model to the proposed state
  4. Recommendation on the governance and notification process for changes to the firewall's configuration

These recommendations can be viewed here by members of the Penn community.


Firewall Governance Initiative Integrated Timeline

Process Transparency

In keeping with our portfolio management methodology, this initiative is classified as follows:



Architecture Group Mission

Firewall Gov. Classification


How well understood is the technology?

Moderate [2] to Well [3]

Moderate [2]

Firewalls are generally well-understood, and Penn is working with vendors with which we have familiarity. Higher-level packet inspection, IDS, and distributed rulesets are less familiar to the campus community

How strategic/
impactful is the decision?

High [3]

Moderate [2]

Affects all PennNet users in a very general, coarse manner, particularly until the network is segmented to allow rules on a per-School/Center basis.  A degree of strategic vision is required to arrive at the initial set of blocking rules, but overall in the long term there is not a high degree of alignment required.

How urgent is the need?

Low [1] to Moderate [2]

Moderate [2]

18-month timeline for inline filtering component of IRC project.  Definition of the initial blocking rules and governance are required to ensure the success.

How broad is the interest/

High [3]

High [3]

Decisions have the potential to affect all users of PennNet, so there is keen interest in getting it right.  Schools/Centers already run firewalls at the borders of their own network(s) as well as at endpoints.  Layered defense, including at the PennNet Border, is an expected practice.

How ready is the community

Moderate [2] to High [3]


Despite the high level of interest, because of existing School/Center deployments, and staff and resource sunk costs, ceding management to a central authority requires robust negotiation and collaboration

Is ISC positioned in this space?

Unknown [2] to Yes [3]

Yes [3]

ISC will operate the firewall appliances as part of the PennNet service offering.