Campus Firewalling Dearbhla O’Reilly Network Manager Dublin Institute of Technology.


Page 1:

Campus Firewalling

Dearbhla O’Reilly

Network Manager

Dublin Institute of Technology

Page 2:

Overview

Context of Firewall for DIT

Firewall Experiences

Mobile Network with Firewall

Where we are now?

Page 3:

Background to DIT Firewall

Presentation in 2000 to IT Group on Firewall role in
- Security
- Bandwidth
- Content (web)

Page 4:

Issues

Security - Educational institutions are prime targets - CPU power, bandwidth, disk space. Attacks - web page, spam, port scans, logon attempts

Bandwidth - Competition for traffic prioritisation and network utilisation

Content - Viewing inappropriate web content, serving content from DIT

Page 5:

Firewall Solutions

Security - Assist in protecting users, information, operation and reputation

Bandwidth - Allow core services run efficiently

Content – Designated Web Servers

Page 6:

http://sysinfo.dit.ie/

Page 7:

Perimeter Firewall

[Diagram labels: D.I.T., HEAnet]

Page 8:

Page 9:

Implementation

Deny all and allow approved services

Standard set of services - desktop

Procedure - Internet Service Server Registration Form based on now Archived JISC Project – Use of Firewalls in Academic Environment.

Page 10:

Firewall Use & Maintenance

Form - List of Ports to/from and Why?

Server Administrator – Security, Patching, Responsibility.

Head of School/Section – Approves and complies with DIT & HEAnet Policies

Page 11:

Registration Conditions

Any service may be blocked without notice if network & systems staff suspect a security breach

All services are provided for the server specified and should not operate as a proxy

All approvals are subject to review by ISSC

Firewall rule-sets for servers/services will be audited on a regular basis

Page 12:

Experiences

Paper Forms - by User

Firewall Rules are – by Service

~200 Firewall Rules

Requirement for Rule Management Software

Firewall Rule Maintenance
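
An added example, not part of the original slides: one way a rule-management check could reconcile per-service firewall rules with per-user registration forms under the deny-all policy, as a regular audit would. The record fields, names, addresses and the one-form-per-server assumption are all constructed for illustration.

```python
# Added illustration, not from the slides: all names and data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Registration:            # one Internet Service Server Registration Form
    server: str                # server the service is approved for
    ports: frozenset           # (protocol, port) pairs listed on the form
    admin: str                 # server administrator responsible for patching
    approved_by: str           # Head of School/Section; empty if unsigned

@dataclass(frozen=True)
class Rule:                    # one allow rule on the perimeter firewall
    rule_id: int
    dst: str
    proto: str
    port: int

def audit(rules, registrations):
    """Trace every allow rule to an approved form (one form per server assumed).

    Returns (findings, unused): findings maps rule_id to the reason the rule
    is not backed by paperwork; unused lists approved services with no rule.
    """
    by_server = {reg.server: reg for reg in registrations}
    findings, covered = {}, set()
    for rule in rules:
        reg = by_server.get(rule.dst)
        if reg is None:
            findings[rule.rule_id] = "no registration for server"
        elif not reg.approved_by:
            findings[rule.rule_id] = "registration not approved"
        elif (rule.proto, rule.port) not in reg.ports:
            findings[rule.rule_id] = "port not listed on form"
        else:
            covered.add((rule.dst, rule.proto, rule.port))
    unused = sorted((reg.server, proto, port)
                    for reg in registrations if reg.approved_by
                    for proto, port in reg.ports
                    if (reg.server, proto, port) not in covered)
    return findings, unused

# Constructed sample data (192.0.2.0/24 is a documentation range).
REGISTRATIONS = [
    Registration("192.0.2.10", frozenset({("tcp", 80), ("tcp", 443)}),
                 "web-admin", "Head of School A"),
    Registration("192.0.2.20", frozenset({("tcp", 25)}), "mail-admin", ""),
]
RULES = [Rule(1, "192.0.2.10", "tcp", 80), Rule(2, "192.0.2.10", "tcp", 22),
         Rule(3, "192.0.2.20", "tcp", 25), Rule(4, "192.0.2.30", "tcp", 8080)]

if __name__ == "__main__":
    print(audit(RULES, REGISTRATIONS))
```

Rules flagged in `findings` are candidates for removal or for a new form; entries in `unused` are approvals that can lapse at the next review.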

Page 13:

Maintenance Experience

Logs - mainly used for real-time support

Firewall Maintenance - Backup/Recovery, Log Rotation, Patches, Upgrades etc.

Page 14:

Mobile Network Requirements

Wired & Wireless Connectivity for Student Laptops

Separate Projects starting to address Identity for Staff & Students

Service needed to be provided

Page 15:

[Diagram labels: D.I.T., HEAnet, Mobile, Perimeter Firewall]

Page 16:

Mobile Network & Firewall

Traffic from mobile network in all sites passes through Bluesocket authentication gateway

Traffic from DIT mobile network into DIT fixed network is filtered through the same ruleset as applies to all external traffic

Traffic from DIT mobile network for external destinations is filtered through the same ruleset as standard outgoing DIT traffic

Page 17:

Mobile Network Access with Timed Firewall Rule

Page 18:

MRTG - Mobile Network Access

Page 19:

Limitations/New Requirements

Gigabit Ethernet

IPv6 Support

Performance

Reporting/Logging

Page 20:

Procurement Process

Request for Quotes

Based on Requirements

Award Criteria – Quality and Functional Characteristics, Technology, Cost, Supplier – Support, Maintenance, Experience.

Page 21:

Requirements

Functionality & Use of existing system

Technology Updates
- IDS
- IPS
- Deep-packet inspection

Service Availability Options

Page 22:

Thank You

&

Questions?