UW Madison Campus Network Security Strategy Campus Firewall Service

1
UW Madison Campus Network Security Strategy
Campus Firewall Service
  • Rick Keir
  • DoIT Network Services
  • keir_at_doit.wisc.edu

2
UW Madison Campus Firewall Project Outline
  • Project history
  • Design
  • Service Virtualization
  • Security Domains
  • Deployment and Integration
  • Support Models
  • Design highlights/caveats
  • Next steps

3
Project History
  • R&D effort started on enterprise scale security
    systems
  • Campus-wide firewall technology identified as
    needing major attention
  • Analysis of solutions came up largely empty
  • Departments needed to purchase and run their own
    firewall infrastructure

4
Project History (cont)
  • Vendors now scaling products to multi-gigabit
    speeds
  • DoIT Network Engineers surveyed market, met and
    argued with various vendors
  • Cisco FWSM product ripened in 2004
  • Evaluation, testing, and more testing
  • FWSM software passed DoIT evaluation process last
    month
  • Results discussed with campus IT groups

5
Service Virtualization
  • Virtualization allows multiple separate instances
    to exist in the same chassis
  • We use virtualization today for VLANs
  • With the FWSM, we can have multiple firewall
    instances on the same physical hardware

6
Design
  • Security Domains
    • Ability to separate chunks of department
      networks into domains.
    • Server DMZs, Client Networks, etc. can be
      defined by building, or more generically by VLAN
    • Through VLAN magic, hosts can optionally be in
      different security domains, but on the same Level
      3 segment.

7
Security Domains (department example)
  • A firewall instance per security domain
  • Security domains can be placed in collaborative
    and centralized XXI buildings.

8
Support Models
  • Collaborative Administration
    • Targeted at collaborative customers
    • Tools for easier administration
    • Supported through the NOC.
  • Centralized Administration
    • Targeted at collaborative and centralized
      customers
    • Pick from a security menu of options, such as
      client network, server DMZ, etc.
    • Supported through the NOC for AAs, primary TPs
    • Supported through the Helpdesk / Desktop Support
      if there is no department admin

9
Deployment and Integration
  • Does campus want Opt-In or Opt-Out?
  • Integration into AANTS
  • Active/Passive HA model
  • Customer provisioning
  • Deployment scenarios engineered to meet
    individual customer network needs
  • Consultation with Network Engineers
  • In many cases, D-Day style deployment can be
    avoided

10
Design Highlights/Caveats
  • Demand can be met
  • Campus security posture will improve, even for
    those without network admins
  • Security Domains
  • Scalable deployment
  • Manageable network support
  • Routed Core more resilient
  • Deployment won't happen overnight
  • Security Domains may mean renumbering for some
  • Multiple fws to admin may mean more work
  • Support for legacy protocols ends
  • Support for cross-campus L2 networks largely ends

11
Next Steps
  • Pilot Program
  • More discussion and feedback from campus
  • Campus buy-in and go ahead
  • Development of tools, support procedures, SLAs,
    training program, hardware deployment, etc.
  • Policies must be created

12
Questions?
Rick Keir
keir_at_doit.wisc.edu
UW Madison Campus Network Security Strategy --
Campus Firewall Project