iWV provides Managed Firewall Services, a managed security service that provides firewall configuration, administration, monitoring and support for the firewall solution supplied by iWV.
The firewall solution may consist of a hardware appliance, a virtual appliance, virtual partitioning of a firewall appliance, a software firewall program and related software (all collectively known as the Firewall System). The solution may consist of a single device or a pair of devices in active/passive mode.
iWV Managed Firewall Services provide CUSTOMER with a Firewall System configured to their requirements to provide controlled and secure access to servers and networks.
The primary function of any Firewall System is to filter traffic coming into the network (perimeter or border protection) based on pre-determined criteria. No Firewall System can protect against all protocol or application weaknesses and new software vulnerabilities are discovered all the time.
iWV Managed Firewall Services include the base Perimeter Firewall feature and optional add-ons such as Intrusion Prevention System, Site-to-Site IPSEC VPN and Remote client SSL VPN (with or without two-factor authentication).
Terms of Service
iWV Managed Firewall Services provide a fully configurable firewall policy managed by iWV’s trained professionals, and iWV will provide advice and guidance on the effectiveness of the implemented security on a best effort basis.
A. Perimeter Firewall service:
- 1. CUSTOMER is entitled to 2 change requests per month; each change request can have up to 3 policy changes
- 2. The following defines what is considered to be one policy change:
  - a. Adding, deleting or modifying up to three individual Network Address Translations (NAT), including policy object creation
  - b. Adding, deleting or modifying up to three access control list changes such as permit or deny changes, including policy object creation
  - c. Adding, deleting or modifying up to three individual network routes within the firewall
- 3. Any request that is not specifically listed above may be completed by iWV on a time and material basis. iWV reserves the right to determine, within its reasonable discretion, whether a change falls under the scope of service
- 4. All change requests must be submitted by a valid authorized contact, and iWV will make reasonable efforts to validate each change request as per iWV's operational procedure. iWV will contact CUSTOMER to clarify the request as and when needed
- 5. Default firewall policy shall be based on the following principles unless customized as per CUSTOMER request:
  - a. All outbound traffic is permitted
  - b. All inbound traffic is denied
For the Intrusion Prevention System service, iWV manages the policy on the Firewall System. Policies are updated regularly as updates are released by the Firewall System vendor. iWV will ensure the subscription for policy updates is active and in working order.
B. Site-to-Site IPSEC VPN service:
- 1. iWV will work with CUSTOMER or CUSTOMER's appointed vendor to set up a site-to-site IPSEC VPN tunnel between two locations
- 2. A one-time setup charge applies for such effort, and iWV reserves the right to impose additional charges, within its reasonable discretion, when such setup has exceeded the reasonable time and material effort associated with the one-time setup charge
- 3. iWV will manage and troubleshoot the VPN tunnel on devices or systems within its control in the event of an outage
- 4. iWV cannot guarantee the compatibility of the site-to-site IPSEC VPN service with third-party security devices from various vendors
C. Remote client SSL VPN service:
- 1. iWV will configure the associated settings on the Firewall System, create user logins and activate two-factor authentication devices as needed
- 2. iWV will advise and determine the appropriate SSL VPN mode to be used based on CUSTOMER's usage scenario
- 3. CUSTOMER agrees to co-operate with iWV on the installation of VPN client software on end user devices and such installation effort shall be CUSTOMER's own responsibility
- 4. iWV will provide documented configuration settings to CUSTOMER to configure the VPN client software
- 5. iWV will provide reasonable remote troubleshooting assistance as needed. However, iWV reserves the right to charge for such troubleshooting, within its reasonable discretion
- 6. iWV cannot guarantee the compatibility of VPN client software on all end user devices
All change requests will be performed during business hours, Monday to Friday between 9am and 6pm. Performing change requests outside business hours, if requested by CUSTOMER, will be at iWV's discretion.
iWV will monitor the firewall on a 24x7 basis for availability and critical device hardware events.
CUSTOMER agrees that it is not possible to create a secure system that guarantees absolute security with a Firewall System, and that such a system cannot protect against all protocol or application weaknesses and software vulnerabilities.
iWV cannot be held responsible for network weaknesses resulting from poor firewall policy implementation requested by CUSTOMER by way of a change request. On a best effort basis, iWV will offer good advice and provide feedback and recommendations for firewall policy change requests.
iWV recommends that CUSTOMER, where necessary, make use of a network security scanning solution to validate and test the effectiveness of the firewall solution.
Service Level Agreement (SLA)
A service outage for each individual service component of Managed Firewall Services is defined as follows:
- a. Perimeter Firewall service - no data packet is able to pass through the firewall, or its capacity to filter packets based on firewall policy is not available
- b. Intrusion Prevention System service - the subscription for updates is not active, or the feature is not in working order as shown by the feature status on the Firewall System
- c. Site-to-Site IPSEC VPN service - the VPN tunnel is down due to component failure on the Firewall System under iWV's control, excluding configuration issues, network connectivity and other issues not under iWV's control
- d. Remote client SSL VPN service - the end user is unable to use the SSL VPN service due to component failure on the Firewall System under iWV's control, excluding configuration issues, network connectivity and other issues not under iWV's control
In the event of a Managed Firewall Service Outage that:
- a. Exceeds thirty (30) contiguous minutes AND
- b. Is due to a cause within the iWV Firewall System;
the Eligible Customer may request an SLA credit equivalent to 5% of the monthly fee of the affected service component for every 30 contiguous minutes of outage, up to 100% of CUSTOMER’s monthly fee for the affected service component. Such SLA credit is limited to 1 per month.