Campus Firewalling
Dearbhla O’Reilly
Network Manager
Dublin Institute of Technology
Overview
- Context of Firewall for DIT
- Firewall Experiences
- Mobile Network with Firewall
- Where we are now?
Background to DIT Firewall
Presentation in 2000 to IT Group on Firewall role in
- Security
- Bandwidth
- Content (web)
Issues
- Security - Educational institutions are prime targets: CPU power, bandwidth, disk space. Attacks: web page, spam, port scans, logon attempts
- Bandwidth - Competition for traffic prioritisation and network utilisation
- Content - Viewing inappropriate web content, serving content from DIT
Firewall Solutions
- Security - Assist in protecting users, information, operation and reputation
- Bandwidth - Allow core services to run efficiently
- Content - Designated Web Servers
http://sysinfo.dit.ie/
Perimeter Firewall
(diagram: D.I.T. | Perimeter Firewall | HEAnet)
Implementation
- Deny all and allow approved services
- Standard set of services - desktop
- Procedure - Internet Service Server Registration Form, based on the now archived JISC Project "Use of Firewalls in Academic Environment"
Firewall Use & Maintenance
- Form - List of Ports to/from and Why?
- Server Administrator - Security, Patching, Responsibility
- Head of School/Section - Approves and complies with DIT & HEAnet Policies
Registration Conditions
- Any service may be blocked without notice if network & systems staff suspect a security breach
- All services are provided for the server specified and should not operate as a proxy
- All approvals are subject to review by ISSC
- Firewall rule-sets for servers/services will be audited on a regular basis
Experiences
- Paper Forms - by User
- Firewall Rules are - by Service
- ~200 Firewall Rules
- Requirement for Rule Management Software
Firewall Rule Maintenance
Maintenance Experience
- Logs - mainly used for real-time support
- Firewall Maintenance - Backup/Recovery, Log Rotation, Patches, Upgrades etc.
Mobile Network Requirements
- Wired & Wireless Connectivity for Student Laptops
- Separate Projects starting to address Identity for Staff & Students
- Service needed to be provided
(diagram: D.I.T. | Mobile | Perimeter Firewall | HEAnet)
Mobile Network & Firewall
- Traffic from mobile network in all sites passes through Bluesocket authentication gateway
- Traffic from DIT mobile network into DIT fixed network is filtered through the same ruleset as applies to all external traffic
- Traffic from DIT mobile network for external destinations is filtered through the same ruleset as standard outgoing DIT traffic
Mobile Network Access with Timed Firewall Rule
MRTG - Mobile Network Access (graph)
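The following is an added example, not DIT's configuration or the slides' own material. It models the policy described on the Implementation, Registration Conditions and Mobile Network slides in one place: a default-deny perimeter whose only allow rules come from a standard desktop service set plus active server registrations, mobile-network traffic that is filtered as external traffic when entering the fixed network and as standard outgoing traffic when leaving, and a timed rule gating mobile access. Every address, port, service name and the 08:00-22:00 access window are constructed assumptions; the slides do not name the firewall product, so the rules are evaluated in plain Python rather than emitted for a specific vendor.

```python
"""Default-deny campus ruleset driven by server registration forms.

Added illustration, not DIT's firewall configuration: addresses, ports,
names and the access window below are constructed for the example.
"""
from dataclasses import dataclass, replace
from datetime import time
from typing import Optional

# Constructed zone map: which side of the perimeter an address sits on.
ZONE_OF = {"10.0.1.10": "fixed", "10.0.9.7": "mobile", "203.0.113.5": "external"}
# Assumed "standard set of services" every desktop may reach outbound.
DESKTOP_SERVICES = [("tcp", 80, "http"), ("tcp", 443, "https"), ("udp", 53, "dns")]
# Assumed hours during which the timed rule lets mobile-network traffic through.
MOBILE_WINDOW = (time(8, 0), time(22, 0))

@dataclass(frozen=True)
class Registration:
    """One entry from the Internet Service Server Registration Form."""
    server: str
    proto: str
    port: int
    direction: str       # "in": external clients reach the server; "out": server reaches out
    reason: str          # the "why" on the form
    admin: str           # server administrator: security, patching, responsibility
    approver: str        # head of school/section
    active: bool = True  # False once network/systems staff block it (no notice required)

@dataclass(frozen=True)
class Rule:
    """An allow rule; deny is the default, so no deny rules are needed."""
    src_zone: str
    dst_zone: str
    proto: Optional[str]  # None matches any protocol
    port: Optional[int]   # None matches any port
    host: Optional[str]   # the registered server, None for any DIT host
    comment: str = ""

def build_ruleset(registrations):
    """Desktop services for everyone, then one rule per active registration."""
    rules = [Rule("fixed", "external", proto, port, None, f"desktop {name}")
             for proto, port, name in DESKTOP_SERVICES]
    for r in registrations:
        if not r.active:
            continue  # a blocked service simply produces no rule
        if r.direction == "in":
            rules.append(Rule("external", "fixed", r.proto, r.port, r.server, r.reason))
        else:
            rules.append(Rule("fixed", "external", r.proto, r.port, r.server, r.reason))
    return rules

def in_window(now, window):
    """True if `now` lies in [start, end); also handles windows that cross midnight."""
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def evaluate(rules, src_ip, dst_ip, proto, port, now):
    """First matching allow rule wins; anything else is denied."""
    src, dst = ZONE_OF[src_ip], ZONE_OF[dst_ip]
    if src == "mobile":
        # Timed rule (assumed to gate all mobile traffic): nothing passes outside the window.
        if not in_window(now, MOBILE_WINDOW):
            return "deny (outside mobile access hours)"
        # Into the fixed network, mobile traffic is filtered exactly like external traffic;
        # towards external destinations, like standard outgoing DIT traffic.
        src = "external" if dst == "fixed" else "fixed"
    local_ip = dst_ip if dst == "fixed" else src_ip  # the DIT-side endpoint a rule's host names
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) != (src, dst):
            continue
        if rule.proto not in (None, proto) or rule.port not in (None, port):
            continue
        if rule.host not in (None, local_ip):
            continue
        return f"allow ({rule.comment})"
    return "deny (no registered service)"

# Constructed sample: a hypothetical school web server is the only approved inbound service.
WEB = Registration("10.0.1.10", "tcp", 80, "in", "school web server", "sysadmin", "head of school")
SAMPLE_RULES = build_ruleset([WEB])

def demo():
    """Decisions for a few constructed flows, including the same server after being blocked."""
    noon, late = time(12, 0), time(23, 30)
    blocked = build_ruleset([replace(WEB, active=False)])
    return {
        "external->web:80": evaluate(SAMPLE_RULES, "203.0.113.5", "10.0.1.10", "tcp", 80, noon),
        "external->web:22": evaluate(SAMPLE_RULES, "203.0.113.5", "10.0.1.10", "tcp", 22, noon),
        "mobile->web:80": evaluate(SAMPLE_RULES, "10.0.9.7", "10.0.1.10", "tcp", 80, noon),
        "mobile->web:445": evaluate(SAMPLE_RULES, "10.0.9.7", "10.0.1.10", "tcp", 445, noon),
        "mobile->internet:443": evaluate(SAMPLE_RULES, "10.0.9.7", "203.0.113.5", "tcp", 443, noon),
        "mobile->internet:443@23:30": evaluate(SAMPLE_RULES, "10.0.9.7", "203.0.113.5", "tcp", 443, late),
        "desktop->internet:25": evaluate(SAMPLE_RULES, "10.0.1.10", "203.0.113.5", "tcp", 25, noon),
        "blocked external->web:80": evaluate(blocked, "203.0.113.5", "10.0.1.10", "tcp", 80, noon),
        "overnight window 01:00": in_window(time(1, 0), (time(22, 0), time(6, 0))),
    }

if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{flow:28} {decision}")
```

Running the block prints one decision per flow. The design point worth noting is that "blocked without notice" is implemented by dropping the registration's rule rather than adding a deny: with deny as the default, a service that no longer appears on the form simply stops matching, which is also what a regular audit of the rule-set against the registration forms should expect to see.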
Limitations/New Requirements
- Gigabit Ethernet
- IPv6 Support
- Performance
- Reporting/Logging
Procurement Process
- Request for Quotes
- Based on Requirements
- Award Criteria - Quality and Functional Characteristics, Technology, Cost, Supplier - Support, Maintenance, Experience
Requirements
- Functionality & Use of existing system
- Technology Updates - IDS - IPS - Deep-packet inspection
- Service Availability Options
Thank You & Questions?