
DRAFT - UK Firewall Change Processes

Cyber Security UK / GNED / IP Security


UK

C2 General
Introduction and Context
• This slide deck outlines the process to follow to get firewall changes implemented across different areas of the estate in the UK, including when GDC (Group Datacentres – Dublin, Ratingen and Milan DCs) flows are required

• The complexity of the Vodafone network makes the process complex: each use-case may involve different teams and different portals for raising the request

• The aim of this guide is to provide enough information for requestors to identify which use-case their request falls under.

• If, after going through this guide, your use-case is still unclear, please raise a request for a Consultancy in the GNED Portal.

2 Tuesday, June 15, 2021


Introduction and Context
Decision tree (process diagram) for the customers to identify their use-case

Use-case 1 – UK Fixed Line
Use-case 1 – UK Fixed Line/Legacy
Process diagram (phases: Concept, Solution Design, Implementation, Test & Troubleshooting):
• Requestor: need a firewall change
• Engage Cyber Security UK, providing: Project HLD, Comms Matrix with IPs
• Raise a WOW request in the GNED Portal using the OfficeIT UK Fixed Line product, attaching: Comms Matrix, UK Security approval
• Send email for implementation to the Hosting Team, as advised from GNED IPLAN Design; attach the completed Comms Matrix and UK Security approval
• Testing – connectivity successful? YES: confirm closure of the WOW request. NO: request troubleshooting from the Hosting change team if there's an issue on Fixed Line flows

1. Obtain Cyber Security UK pre-approval for connectivity flows (Ref CSR-XXXXXXX)


• If part of a project that has existing engagement with Cyber Security UK, simply liaise with the assigned security consultant to your
project
• If part of a new project OR deemed ‘BAU’ activity, you will need to raise a new security engagement request to cover the approval –
this can be done following information here
• You will need to provide the connectivity flows in the form of a UK Comms Matrix (template here) and High Level Design (HLD) –
as a minimum the Comms Matrix must include: Source/Destination IPs and Hostnames, Ports and Protocols

2. Engage GNED/IPLAN for network design and feasibility (Ref WO XXXXXX)
• When approved, you will receive an approval email from the security consultant containing a URL link to a secure SharePoint where
the Comms Matrix has been stored (you will not have access to this)
• You now need to engage GNED IPLAN Design through a request on the GNED Portal. This can be requested via a standard product (which means it will be managed directly by the vertical Design team, bypassing the Demand Manager) by navigating the GNED Portal here under Local IP Services > Office IT Network Connectivity Fixed Line.
• You will need to include the Comms Matrix and the security approval email (with Comms Matrix attachment and secure URL link),
as well as the name of the security consultant

3. Email Hosting Change Management to raise change in Fixed Line Remedy (Ref
CHG000000XXXXXX)
• Once the GNED/IPLAN engagement has concluded – you will be provided with an updated Comms Matrix/RFC (Request for
Change)
• You will need to send the designed Comms Matrix and security approval email to the Hosting Change Management Team
change-request@vodafone.com mailbox, who will then facilitate raising a Fixed Line Remedy change for implementation

4. Testing and troubleshooting


• Test internally and notify the IPLAN engineer providing the WOW (WO 45xxxx) reference number, if the implementation was completed successfully
Use-case 2 – UK Mobile
Use-case 2 – UK Managed (Mobile FW)

1. Obtain Cyber Security UK pre-approval for connectivity flows (Ref CSR-XXXXXXX)


• If part of a project that has existing engagement with Cyber Security UK, simply liaise with the assigned security consultant to
your project
• If part of a new project OR deemed ‘BAU’ activity, you will need to raise a new security engagement request to cover the approval
– this can be done following information here
• You will need to provide the connectivity flows in the form of a UK Comms Matrix (template here) and High Level Design (HLD)
– as a minimum the Comms Matrix must include: Source/Destination IPs and Hostnames, Ports and Protocols

2. Engage GNED/IPLAN for network design and feasibility (Ref WO XXXXXX)


• When approved, you will receive an approval email from the security consultant containing a URL link to a secure SharePoint where
the Comms Matrix has been stored (you will not have access to this)
• You now need to engage GNED/IPLAN through a request on the GNED Portal. This can be requested via a non-standard product
via the GNED Portal here under Local IP Services > Office IT Network Connectivity > OfficeIT UK Firewall Design. For the
non-standard product a Demand Manager will be assigned to the WOW demand.
• You will need to include the Comms Matrix and the security approval email (with Comms Matrix attachment and secure URL link),
as well as the name of the security consultant

3. Raise a Tufin SecureChange ticket for implementation (Ref #XXXXX)


• Once the GNED/IPLAN engagement has concluded – you will be provided with an updated Comms Matrix
• You will need to raise a ticket in Tufin SecureChange for implementation via the portal here – including the designed Comms Matrix and the security approval email
• More details on how to raise a change in Tufin can be found here (NOTE: Group employees do not have default access, see here)

4. Testing and troubleshooting


• Test internally and notify the GNED Delivery Manager who was managing the WOW demand, if the implementation was completed successfully
• If the connectivity is not working, fill out the TSHOOT request form http://fw-tshoot.internal.vodafone.co.uk to have it troubleshot, providing the Tufin reference number.
• Supply as much relevant information as possible to troubleshoot the issue: what testing has been done, and what the source/destination addresses and ports are.
• The TechOps Firewall team will allocate someone to check that the designed Comms Matrix has been configured correctly and will advise the requester accordingly whether the design should be revisited by GNED IPLAN or further troubleshooting is needed from the TechOps Firewall team.
Use-case 3 – UK Fixed line and Mobile
Use-case 3 – UK Mixed (Fixed line and Mobile FWs)
Process diagram (phases: Concept, Solution Design, Implementation, Test & Troubleshooting):
• Requestor: need a firewall change
• Engage Cyber Security UK, providing: Project HLD, Comms Matrix with IPs
• Raise a WOW request in the GNED Portal using the OfficeIT UK Firewall Design product, attaching: Comms Matrix, UK Security approval
• FW change for UK FL flows: send email for implementation to the Hosting Team, as advised from GNED IPLAN Design; attach the completed Comms Matrix and UK Security approval
• Raise a Tufin request, as advised from GNED IPLAN Design; attach the completed Comms Matrix and UK Security approval
• Testing – connectivity successful? YES: confirm closure of the WOW request. NO: raise a TSHOOT request contacting their mailbox if there's an issue on the Mobile flows; request troubleshooting from the Hosting change team if there's an issue on Fixed Line flows

1. Obtain Cyber Security UK pre-approval for connectivity flows (Ref CSR-XXXXXXX)


• If part of a project that has existing engagement with Cyber Security UK, simply liaise with the assigned security consultant to
your project
• If part of a new project OR deemed ‘BAU’ activity, you will need to raise a new security engagement request to cover the approval
– this can be done following information here
• You will need to provide the connectivity flows in the form of a UK Comms Matrix (template here) and High Level Design (HLD)
– as a minimum the Comms Matrix must include: Source/Destination IPs and Hostnames, Ports and Protocols
2. Engage GNED/IPLAN for network design and feasibility (Ref WO XXXXXX)
• When approved, you will receive an approval email from the security consultant containing a URL link to a secure SharePoint
where the Comms Matrix has been stored (you will not have access to this)
• You now need to engage GNED/IPLAN through a request on the GNED Portal. This can be requested via the standard product in
the GNED Portal here under Local IP Services > Office IT Network Connectivity > OfficeIT UK Firewall Design
• You will need to include the Comms Matrix and the security approval email (with Comms Matrix attachment and secure URL
link), as well as the name of the security consultant
3. Email Hosting Change Management to raise change in Fixed Line Remedy (Ref CHG000000XXXXXX)
Same as in use-case 1
4. Raise a Tufin SecureChange ticket for implementation (Ref #XXXXX)
Same as in use-case 2
5. Testing and troubleshooting
• Test internally and notify the GNED Delivery Manager who was managing the WOW demand, if the implementation was completed successfully
• If the testing is not successful, contact the Hosting Change Management team providing the CHG reference number to troubleshoot the connectivity for the Fixed Line flows and/or fill out the TSHOOT request form http://fw-tshoot.internal.vodafone.co.uk providing the Tufin ref number.
• Supply as much relevant information as possible to troubleshoot the issue: what testing has been done, and what the source/destination addresses and ports are.
• TechOps Firewall team will allocate someone to check the designed Comms Matrix has been configured correctly and will advise the
Use-case 4 – Group and UK Managed
Process diagram (phases: Concept, Solution Design, Implementation, Test & Troubleshooting):
• Requestor: need a firewall change
• Engage Cyber Security UK, providing: Project HLD, Comms Matrix with IPs
• Check Group Security Compliance in CCP; attach Comms Matrix
• Raise a Connectivity Request in the TO Portal, attaching the Comms Matrix and UK Security approval email
• Raise request for implementation (emailing Hosting team or via Tufin) as advised from GNED Design; attach Comms Matrix and UK Security approval
• Testing – connectivity successful? YES: confirm closure of the WOW request. NO: request troubleshooting from the Implementation team

1. Obtain Cyber Security UK pre-approval for connectivity flows (Ref CSR-XXXXXXX)


Same as in previous use-cases

2. Check Group compliance for Security and Routing in Connectivity Compliance Portal (CCP)
• If Group IPs are involved in the flows, then raise Comms Matrix (either directly in tool here, by Group Comms Matrix Template or
by unhiding the ‘FW Matrix’ tab in the UK Comms Template) into CCP Tool
• If non-compliant from Security perspective, raise a Security Exemption via CCP here and provide evidence of Cyber Security UK
approval for Comms Matrix (if exemption requires UK involvement)
3. Raise request into TO Portal for GDC network design and implementation (Ref
RLMXXXXXX/RITMXXXX)
• Once the Comms Matrix is verified in CCP, to initiate an implementation request you need to go to the TADO Portal and search for the End-to-end IP Connectivity Analysis and Implementation product in the Search field (or copy this link to your browser: https://servicecatalogue.vodafone.com/catalogue?id=sc_cat_item&sys_id=c3d4c9d34fb51a0047abc9318110c71a).
• You will need to include the CCP Comms Matrix url and attach the Cyber Security UK Approval Mail.
• From this engagement, GDC will complete their design and will engage GNED IPLAN via a WOW demand on customer’s behalf, for
any work required on the UK side.

4. Raise a request for the implementation of the UK flows

• Once the GNED/IPLAN engagement has concluded – you will be provided with an updated Comms Matrix/RFC (Request for Change)
• After the UK design is also completed, you will be advised by an IPLAN engineer to raise the demand for implementation as in use-cases 1, 2 or 3. That is, send an email to Hosting Change Management if the Comms Matrix contains UK Fixed Line flows, raise a Tufin request if it contains UK Mobile flows, or do both.

5. Testing and troubleshooting


• Test internally and notify GNED Delivery Manager who was managing the WOW demand, if the implementation was completed
successfully
• If the testing is not successful contact the Hosting Change Management team providing the CHG reference number to troubleshoot the
Use-case 5 – Group Managed only
Process diagram (phases: Concept, Solution Design & Implementation, Test & Troubleshooting):
• Requestor: need a firewall change
• Engage Cyber Security UK, providing: Project HLD, Comms Matrix with IPs
• Check Group Security Compliance in CCP; attach Comms Matrix
• Raise a Connectivity Request in the TO Portal, attaching the url of CCP of Comms Matrix and the Cyber Security UK approval email
• Testing – connectivity successful? YES: confirm closure of the RLM request. NO: request troubleshooting from the GDC Delivery team using the RLM reference

Note: Firewalls that are Group Managed only might still need Cyber Security UK approval even though there are no UK IPs at all. Some of the UK applications are hosted in the Group Datacentres

Obtain Cyber Security UK pre-approval for connectivity flows (Ref CSR-XXXXXCX)


Same as in previous use-cases
1. Check Group compliance for Security and Routing in Connectivity Compliance Portal (CCP)
Same as in use-case 4

2. Raise request into TO Portal for GDC network design and implementation (Ref RLMXXXXXX/RITMXXXX)
Same as in use-case 4

3. Testing and troubleshooting
When the design is completed and the flows are implemented, test internally and notify the GDC Delivery Manager who picked up the RLM request to close the ticket if the testing is successful, or request troubleshooting using the same RLM reference
Support Contacts
• Cyber Security UK
– Demand – Jonathon.davies@vodafon.com, martyn.pritchard@vodafone.com or terry.coffey@vodafone.com
– Escalations – tauqeer.hassan@vodafone.com or gary.bradshaw@vodafone.com
– General Tufin queries – DL-OSS-ToolFactory-Operations-Tufin@vodafone.com
• CCP Contacts
– GTS-FA - DL for Group Security Approval - gts-fa@vodafone.com
– Manager of GTS-FA - Neelkanth.Dwibedi@vodafone.com
– CCP Support - zlatina.dimitrova@vodafone.com
• Group Network Engineering and Delivery (Demand Delivery and IPLAN Design)
– Demand – olsi.korkuti01@vodafone.com, elena.Dobrin@vodafone.com or mihai.sandu@vodafone.com
– Demand Escalations – luciano.gandini@vodafone.com
– Design – taher.ali@vodafone.com or anca.maracineanu@vodafone.com
– Design Escalations - pedro.gomes@vodafone.com
• Group Data Centre (GDC) Delivery and Design
– Delivery support – Pawan.Kaul@Vodafone.com, Sadanand.Humane1@Vodafone.com or Pramod.Singh5@Vodafone.com
– Delivery Escalations – andre.kossmann@vodafone.com
– Design Escalations – ana.sousa@vodafone.com
• Hosting Change Management
– Demand – change-request@vodafone.com
– Escalations – zubair.hussain@Vodafone.com or jeffrey.jarvis@vodafone.com
• UK Tech Ops IP Security
– Demand – DL-IPSecurityTeam@internal.vodafone.com
– Escalations – https://ipsecurity-rfe.internal.vodafone.co.uk
Tooling Access
• Cyber Security UK Engagement
– Global Cyber Security Demand Portal – accessible to all Vodafone employees, must use Internet Explorer
• Group Network Engineering Delivery (GNED) Consultancy, Design and Feasibility
– GNED Portal – accessible to all Vodafone employees
• Implementation Requests (Firewall Change Process)
– Tufin SecureChange (Mobile) – application accessible using AD credentials, support and guidance found here,
UK workflows restricted to UK employees only (i.e. not Group) unless granted ‘SecureChange Requester’ role via
following UAM process (copy url in your browser
https://workspace2.vodafone.com/Group/TDO-UAM/Access%20Request%20Forms/Access_Request-Tufin.xls )
– Fixed Line Remedy (for approvals only) – accessible to those with WID and Fixed Line Remedy accounts for
approvals only – changes are raised on behalf of requestor by change-request@vodafone.com
– Connectivity Compliance Portal (Group) – support and guidance can be found here
