Managed Firewall Services – Terms of Service
ICONZ-Webvisions provides Managed Firewall Services, a managed security service that provides firewall configuration, administration, monitoring and support for the firewall solution supplied by ICONZ-Webvisions.
The firewall solution may consist of a hardware appliance, a virtual appliance, virtual partitioning of a firewall appliance, a software firewall program and related software (all of these are collectively known as the Firewall System). The solution may consist of a single device or a pair of devices in active/passive mode.
ICONZ-Webvisions Managed Firewall Services provide CUSTOMER with a Firewall System configured to their requirements to provide controlled and secured access to servers and networks.
The primary function of any Firewall System is to filter traffic coming into the network (perimeter or border protection) based on pre-determined criteria. No Firewall System can protect against all protocol or application weaknesses, and new software vulnerabilities are discovered all the time.
ICONZ-Webvisions Managed Firewall Services include the base Perimeter Firewall feature and optional add-ons such as Intrusion Prevention System, Site-to-Site IPSEC VPN and Remote client SSL VPN (with or without two-factor authentication).
Terms of Service
ICONZ-Webvisions Managed Firewall Services provide a fully configurable firewall policy managed by ICONZ-Webvisions’s trained professionals. ICONZ-Webvisions will provide advice and guidance on the effectiveness of the implemented security on a best-effort basis.
1. Perimeter Firewall service:
a. Customer is entitled to 2 change requests per month; each change request can have up to 3 policy changes
b. The following defines what is considered to be one policy change:
i. Adding, deleting or modifying up to three individual Network Address Translations (NAT), including policy object creation
ii. Adding, deleting or modifying up to three access control list changes such as permit or deny changes, including policy object creation
iii. Adding, deleting or modifying up to three individual network routes within the firewall
c. Any request that is not specifically listed above may be completed by ICONZ-Webvisions on a time and material basis. ICONZ-Webvisions reserves the right to determine, within its reasonable discretion, whether a change falls under the scope of service
d. All change requests must be submitted by a valid authorized contact, and ICONZ-Webvisions will make reasonable efforts to validate each change request as per ICONZ-Webvisions’s operational procedure. ICONZ-Webvisions will contact CUSTOMER to clarify a request as and when needed
e. Default firewall policy shall be based on the following principles unless customized as per CUSTOMER request.
i. All outbound traffic is permitted
ii. All inbound traffic is denied
For the Intrusion Prevention System service, ICONZ-Webvisions manages the policy on the Firewall System. Policies are updated regularly as updates are released by the Firewall System vendor. ICONZ-Webvisions will ensure that the subscription for policy updates is active and in working order.
2. Site-to-Site IPSEC VPN service:
a. ICONZ-Webvisions will work with the customer or a customer-appointed vendor to set up a site-to-site IPSEC VPN tunnel between two locations
b. A one-time setup charge applies for such effort, and ICONZ-Webvisions reserves the right to impose additional charges, within its reasonable discretion, when such setup has exceeded the reasonable time and material effort associated with the one-time setup charge
c. ICONZ-Webvisions will manage and troubleshoot the VPN tunnel on devices or systems within its control in the event of an outage
d. ICONZ-Webvisions cannot guarantee the compatibility of the site-to-site IPSEC VPN service with third-party security devices from various vendors
3. Remote client SSL VPN service:
a. ICONZ-Webvisions will configure the associated settings on the Firewall System, create user logins and activate the two-factor authentication device as needed
b. ICONZ-Webvisions will advise and determine the appropriate SSL VPN mode to be used based on CUSTOMER’s usage scenario
c. Customer agrees to co-operate with ICONZ-Webvisions on the installation of VPN client software on end user devices and such installation effort shall be customer’s own responsibility
d. ICONZ-Webvisions will provide documented configuration settings to the customer for configuring the VPN client software
e. ICONZ-Webvisions will provide reasonable remote troubleshooting assistance as needed. However, ICONZ-Webvisions reserves the right to charge for such troubleshooting, within its reasonable discretion
f. ICONZ-Webvisions cannot guarantee the compatibility of VPN client software on all end user devices
All change requests will be performed during business hours, Monday to Friday between 9am and 6pm. Performing change requests outside business hours, if requested by the customer, will be at ICONZ-Webvisions’s discretion.
ICONZ-Webvisions will monitor the firewall on a 24×7 basis for availability and critical device hardware events.
Customer agrees that it is not possible to create a secure system that guarantees absolute security with a Firewall System, and that such a system cannot protect against all protocol or application weaknesses and software vulnerabilities.
ICONZ-Webvisions cannot be held responsible for network weakness resulting from poor firewall policy implementation requested by the customer by way of a change request. On a best-effort basis, ICONZ-Webvisions will offer good advice and provide feedback and recommendations for firewall policy change requests.
ICONZ-Webvisions recommends that the customer, where necessary, make use of a network security scanning solution to validate and test the effectiveness of the firewall solution.
Service Level Agreement (SLA)
A service outage for an individual service component of Managed Firewall Services is defined as follows:
a. Perimeter Firewall service – no data packet is able to pass through the firewall, or its capacity to filter packets based on firewall policy is not available
b. Intrusion Prevention System service – the subscription for updates is not active, or the feature is not in working order as shown by the feature status on the Firewall System
c. Site-to-Site IPSEC VPN service – the VPN tunnel is down due to component failure on the Firewall System under ICONZ-Webvisions’s control, excluding configuration issues, network connectivity and other issues not under ICONZ-Webvisions’s control
d. Remote client SSL VPN service – the end user is unable to use the SSL VPN service due to component failure on the Firewall System under ICONZ-Webvisions’s control, excluding configuration issues, network connectivity and other issues not under ICONZ-Webvisions’s control
In the event of a Managed Firewall Service Outage that:
a. Exceeds thirty (30) contiguous minutes and
b. Is due to a cause within the ICONZ-Webvisions Firewall System;
the Eligible Customer may request an SLA credit equivalent to 5% of the monthly fee of the affected service component for every 30 contiguous minutes of outage, up to 100% of the customer’s monthly fee for the affected service component. Such SLA credit is limited to 1 per month.