SURFfirewall: a well-protected network without burdens

SURFfirewall takes care of the procurement, configuration and management of your firewall. For a fixed monthly fee you have a firewall that we manage and that is scalable in capacity and functionality. You don't have to worry about it anymore. You only manage the policies yourself, via our user-friendly portal. In this way you stay in control.


Firewalling is challenging

As an institution, you of course have a firewall installed in your network. When you buy one, you have to look 4 to 5 years ahead, because that's how long firewalls usually last. What should the firewall do, and what capacity and functionality do you need? This is difficult to estimate as future developments such as the amount of growth of your network traffic are uncertain. Also, it is difficult to predict which security mechanisms you will need in the future.

And once you have the firewall (after a long tendering process), you have to manage it. This requires specific knowledge, which you do not always have in-house.

In short: purchasing and managing a firewall comes with its own challenges.

From a physical firewall at your institution to SURFfirewall

At SURF we thought that there had to be another way, and in particular a better way. We asked the institutions and they were interested in our idea: a firewall that no longer runs physically in your institution's network but, managed by SURF, in the safe and trusted SURF network.

All your incoming traffic goes via the SURF network past the firewall configured specifically for your institution, which is also in that network and equipped with fully licensed Next-Generation/Unified Threat Management functionalities. And which is redundant.

After a successful pilot with a number of institutions, we further developed this concept into the SURFfirewall service.

SURFfirewall: a scalable firewall that you don't need to manage yourself

The advantages for your institution are considerable:

  • SURF will take the technical management of the firewall off your hands. This includes release management and dealing with malfunctions. You can therefore be sure that your firewall always meets the latest security requirements and is continuously monitored. 
  • Your firewall can be flexibly adjusted in capacity. So you no longer need to estimate your capacity requirements five years in advance: you can easily scale up or scale down the capacity.
  • You do not have to execute a procurement process. SURF will do that for you. You also don't need to arrange any licences yourself.
  • There is a good chance that you will save costs, because the capacity and functionality that you purchase will be more in line with what you actually use. Central purchasing also has a cost-saving effect.
  • SURFfirewall is integrated with SURFinternet. If there is an outage, we will troubleshoot and find out whether it's the firewall or the internet connection.

Van fysieke firewall bij je instelling naar SURFfirewall

Bij SURF vonden we dat dat anders, met name: beter, moest kunnen. We vroegen het aan de instellingen en die waren geïnteresseerd in ons idee: een firewall die niet meer fysiek in je instellingsnetwerk draait, maar, beheerd door SURF, in het  veilige en vertrouwde SURF-netwerk.

Al je inkomende verkeer gaat via het SURF-netwerk langs de specifiek voor jouw instelling geconfigureerde firewall die ook in dat netwerk staat en voorzien is van volledig gelicenseerde Next-Generation/Unified Threat Management-functionaliteiten. En die redundant uitgevoerd is.

Na een succesvolle pilot met een aantal instellingen hebben we dit concept verder ontwikkeld tot de dienst SURFfirewall.

SURFfirewall: een schaalbare firewall die je niet zelf hoeft te beheren

De voordelen voor je instelling zijn groot:

  • SURF neemt je het technisch beheer van de firewall uit handen. Denk aan releasemanagement en het afhandelen van storingen. Je weet zeker dus dat je firewall altijd voldoet aan de laatste eisen op securitygebied, en dat hij continu gemonitord wordt.
  • Je firewall is flexibel aan te passen in capaciteit. Je hoeft dus niet meer voor 5 jaar vooruit in te schatten wat je capaciteitsvraag zal zijn: je kunt de capaciteit gemakkelijk opschalen of afschalen.
  • Je hoeft zelf geen aanbesteding meer te doen. Dat regelt SURF voor je. Ook licenties hoef je niet zelf te regelen.
  • De kans is groot dat je kosten bespaart, doordat de capaciteit en functionaliteit die je afneemt, beter aansluit bij wat je daadwerkelijk gebruikt. Ook centrale inkoop werkt kostenbesparend.
  • SURFfirewall is geïntegreerd met SURFinternet. Als er een storing is, zoeken wij uit of het aan de firewall ligt of aan de internetaansluiting.

You stay in control of your firewall

We configure and manage your firewall, but you remain in control: after all, you prefer to determine the conditions under which traffic is allowed or blocked to your campus network. That's why you remain responsible for setting the policies on the firewall. And you can easily modify them yourself. You manage the policies via a very user-friendly portal.


You can purchase SURFfirewall if you pay the basic Infrastructure fee, which for example includes SURFinternet. You pay a separate charge for SURFfirewall. You can find the rates in the SURF Services and Rates brochure (PDF)


You expect your firewall to be able to process 2.75 Gbit/s. Then you will pay the 3 Gbit/s rate per month. Of course you can change this choice if necessary. We will gladly advise you.

Please note

You pay for the capacity that the firewall requires, not for the capacity of your SURFinternet connection. Suppose you have a SURFinternet connection of 10 Gbit/s, but the firewall only needs to process 3 Gbit/s, then you pay for 3 Gbit/s.

Further development 

We will continue to develop SURFfirewall. What's on our roadmap?

  • Integration with SURFsoc, which includes advice on your firewall policies to proactively protect your campus from security threats
  • Firewalls in the cloud
  • Access to all firewalls on physical campus and multi-cloud environments through a portal

We are also exploring the option of developing standard policies for the entire education and research sector. These standard policies will become more interesting as more institutions use SURFfirewall.

Apply directly 

You can request SURFfirewall from SURF Customer Support at

Interested? Any questions?

Contact Richa Malhotra, at