Education has, at its core, a belief that information is meant to be shared and learned. And this is exactly the predicament that many university network managers find themselves in. They are often faced with the conflict between the need to protect information because of the increased need to secure the safety of their constituents and the institution [on the one hand] and a fundamental principle…of sharing information to the benefit of all.
This probably reflects a big change in attitudes and actions about network security in academia. Universities are increasingly aware of their vulnerabilities and the costs associated with successful attacks. Just how seriously universities now take network security can be seen in the case of the American University of Beirut. The AUB network (AUBnet) caters to around 12,000 users at its campus and adjoining medical centre, has some 7,000 active Ethernet nodes, and runs a wireless network with more than 900 access points. At the core of the University’s wired network is 10 Gigabit Ethernet in a mesh topology, with around 450 switches distributed over 180 wiring closets and connected by single or dual 1 Gigabit Ethernet links.
The wireless network is managed centrally and serves an ever-increasing user base that now exceeds 6,000. Selected university services are also accessible remotely over performance-optimised Internet links, either directly or over secure VPN connections.
The AUBnet architecture is optimised for service distribution and is agile enough to cope with changes in traffic flow demands. It features resilient network segments and is layered so that security enforcement can be provisioned where needed. The security infrastructure is fortified with firewalls, intrusion prevention systems, web access firewalls, malware and virus controls, spam filters, and role-based authentication.
The campus hosts three main data centres and nine faculty and departmental server rooms. The main applications running on AUBnet include the Student Information System, e-learning platforms, digital video repositories, hospital information systems, imaging and video services, the financial information system and online library systems, in addition to e-mail, Internet access and portal systems.
Dangerous gaps
With the increasing demand from students and faculty for remote access to services, coupled with changes in the type of content and patterns of use, the University’s Computing and Networking Services (CNS) department was forced to re-architect its Internet connectivity design. “First, we had to optimise application performance over bandwidth-challenged Internet links offered in Lebanon and then we had to simplify multi-ISP connectivity and DMZ partitioning to be more agile and ready for change, without compromising on security policies and perimeter defense,” says Rabih Itani, Assistant Director for Operations at AUBnet’s CNS.
The burgeoning wireless network posed another problem for Itani. Thanks to an exponential increase in the number of users and devices connecting to the network, he was compelled to upgrade the existing firewalls and IPS to higher speeds. He had his work cut out: the 802.11g-based wireless infrastructure, while it offered high-speed access to users, demanded a high-performance firewall capable of throttling traffic-based attacks and of sustaining high catch rates even with deep, probing traffic analysis.
Another problem was the emergence of new types of security threats from the Web and from insiders. This spurred AUBnet’s CNS to craft a security master plan and opt for a defense-in-depth strategy to deal with vulnerabilities and breaches. The new security strategy mandated the integration of high-speed firewalls and IPS appliances at the data centres, adding another layer of defense and making the IT services more intrusion intolerant.
Erecting barriers
Part of AUB’s defense-in-depth strategy is focused on policing and sanitising specific traffic flows at multiple perimeter checkpoints. AUB was looking for high-performance firewalls and in-line IPS that would work in conjunction and complement each other to provide this specific line of defense. In addition to cost effectiveness, AUB’s selection criteria hinged on several factors. “We were looking for a solution that provided IPS signature quality in terms of accuracy, coverage and breadth. We also looked at the ability to thwart network-based attacks in addition to the extent of event analysis,” says Itani. After evaluating many solutions available on the market, AUB zeroed in on Fortinet.
The vendor’s FortiGate-3016B and FortiGate-310B integrated multi-threat security appliances were up to the performance level required by the University and plugged into its network without any configuration glitches. AUB also easily extended the duties of Fortinet’s FortiAnalyzer-1000B appliance from security event logging and reporting to that of an event and audit log server collecting information from all network devices deployed on AUBnet.
The roll-out went smoothly, says Itani. “The Fortinet appliances were able to blend well when they were tossed into the complex Internet connectivity setup and continued to respond well during the planned revamp of the network design to a simpler and more agile one. The new model opened up the bottlenecks at the wireless defense perimeter and continued to fortify it.”
Itani was in for a couple of pleasant surprises during the implementation.
The non-disruptive High Availability (HA) active-passive failover capability of the FortiGate model has increased the availability of these in-line devices beyond AUB’s expectations. Another was the extent of the FortiGate built-in SSL VPN feature set. It took care of most of AUB’s SSL VPN requirements, which meant the University did not have to spend on a stand-alone solution, and in the process rolled out SSL VPN services to users well ahead of schedule.
According to Itani, AUB also realised immediate operational benefits thanks to Fortinet’s FortiManager appliance, which provides a single, simple management interface, and to FortiAnalyzer, which enables a reporting-rich security layer. A simpler and more agile DMZ design at the AUB Internet gateways has also allowed for smoother and quicker changes, as well as faster incident and problem resolution. In the end, these benefits have worked in favour of reducing TCO.
On top of its existing defense-in-depth strategy, AUB plans to continue to invest in traffic policing and traffic sanitisation systems at other lines of defense, along with further security implementations, to complete its holistic approach to the security challenge.