Cisco ASA Aids Security
As the Florida Institute of Technology expanded over the years to almost 8,000 students, the school's IT staff realized that it needed a more efficient way to manage the infrastructure in its data center.
In the past, says James Cooley, information security director for the Melbourne, Fla., tech school located near the Kennedy Space Center, all servers had to reside on the same subnet, which created a single point of vulnerability. And because of the slow routing speed, daily backups tended to bog down the network.
Cooley says the solution was to deploy a high-speed Cisco ASA 5580 firewall, which protects the data center and also operates as a 5-gigabit router.
“Now, with the routing at higher speeds, we can automatically run backups at night and not have the network slow down,” he says.
Another draw for Florida Tech was the 5580's virtual LAN (VLAN) support. The majority of the school's servers run as virtual machines over VMware, so it was important to find a product that could support a virtualized environment, Cooley says.
“We now have about 16 virtual LANs and can do things like segregate our mail servers from our web servers,” he explains. “It's just a more secure way to manage a network; if one server becomes compromised, the others are still protected by the firewall.”
Cooley says Florida Tech uses a SonicWall SSL VPN for remote access because it doesn't want the Cisco gear to be accessible to off-campus users. “We like to keep the VPN functionality separate,” he says.
However, Cooley says, the school is about to deploy a 300-megabit Cisco ASA 5510 for its e-commerce operation. He says the 5510 will be used as a firewall and router to secure traffic for students who pay tuition electronically and take online courses.
Gartner analyst Greg Young says Florida Tech's deployment of the 5580 is consistent with many large enterprises.
“We find that a lot of organizations want to use multigigabit firewalls to separate their data centers with the administrative network,” explains Young. “IT managers also like the VLAN support because they can separate the IP addresses and have a clear identification of what's on the network,” he adds.
Some colleges have opted to move away from the Cisco approach. One such school is Lamar University in Beaumont, Texas, which embraced Fortinet's Unified Threat Management (UTM) model to support 18,000 users at Lamar University, Lamar State College-Orange and Lamar Institute of Technology.
“The Fortinet gear provides an all-in-one, best-of-breed, third-generation solution for protecting our computer systems and managing the segmentation of our network to provide a multitiered, highly available security ecosystem for our e-learning environment,” says Dr. Michael Dobe, CIO at Lamar University.
At Lamar, Dobe says the school's efforts to expand its distance learning program were hampered when bugs in the old firewalls caused denial-of-service attacks.
“When the firewalls went down, it really hurt our distance learning students and our access to the Internet,” says Dobe.
The school then deployed two Fortinet FortiGate-620B firewalls on the network's perimeter and three Fortinet 5001 firewalls internally. The Fortinet firewalls offered greater throughput, supporting the school's 400-megabit-per-second Internet pipe while providing protection from malware and preventing intrusions.
Another plus was that the Fortinet gear supports hardware-based encryption, and an SSL VPN capability comes built-in.
“Additionally, Fortinet firewalls are active-active, i.e. all of our gear is in use all of the time,” says Dobe, adding that he views this as a superior approach “because we do not have gear sitting idle.”
Firewall Installation Tips
- Simplify. Having two different firewall platforms greatly increases configuration and management problems for most organizations. A single manufacturer relationship could yield greater discounts and lower contract administrative overhead.
- Configure carefully. More than 99 percent of firewall breaches are caused by firewall misconfigurations, not firewall flaws. Firewall vulnerabilities do occur, but they are quite rare and are usually reported to manufacturers and patched before the public is aware they exist.
- Understand debugging pitfalls. Debugging an error in firewall rules or a new application can be cumbersome and time-consuming. Confusion over which protocols are used by the application can cause the administrator to open the firewall and close down services until the application eventually breaks.
- Know the DMZ. The DMZ – a buffer zone between an organization's network and a public network such as the Internet – is increasing the complexity of firewall rule bases. This is another reason why a single platform makes the most sense. Having multiple teams manage separate firewall products in the same DMZ can breed confusion.
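The segmentation described by Cooley (a mail VLAN kept apart from a web VLAN by the firewall) and the tips on misconfiguration and debugging both come down to the same question: what does the rule base actually allow, and why did a given packet match a given rule? The following is an added example, not code from the article, Cisco or Fortinet. It is a vendor-neutral linter for a first-match-wins rule base: the rule format, the rule ids and the VLAN address ranges (web 10.10.20.0/24, mail 10.10.30.0/24, DMZ 10.10.40.0/24) are constructed for illustration. It flags the two mistakes the tips warn about, rules so permissive they undo the segmentation, and rules that an earlier rule shadows so they can never match, and it traces which rule a packet hits so an administrator can debug without widening rules until the application happens to work.

```python
# Added example (not from the article or any firewall vendor): a small linter for a
# first-match-wins rule base. Addresses, rule ids and VLAN ranges are constructed.
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed rule base for a segmented network: web VLAN 10.10.20.0/24,
# mail VLAN 10.10.30.0/24, DMZ 10.10.40.0/24. Rules are evaluated top-down,
# first match wins, implicit deny at the end.
SAMPLE_RULES = [
    {"id": 10, "action": "permit", "src": "10.10.20.0/24", "dst": "10.10.30.0/24", "proto": "tcp", "port": "25"},
    {"id": 20, "action": "permit", "src": "10.10.20.0/25", "dst": "10.10.30.0/24", "proto": "tcp", "port": "25"},
    {"id": 30, "action": "deny",   "src": "10.10.20.0/24", "dst": "10.10.30.0/24", "proto": "ip",  "port": "any"},
    {"id": 40, "action": "permit", "src": "any",           "dst": "any",           "proto": "ip",  "port": "any"},
    {"id": 50, "action": "permit", "src": "10.10.40.0/24", "dst": "10.10.30.0/24", "proto": "tcp", "port": "443"},
]


def _net(spec):
    """Turn 'any' or a CIDR string into an ip_network object."""
    return ANY_NET if spec == "any" else ipaddress.ip_network(spec, strict=False)


def rule_covers(outer, inner):
    """True when every packet that matches `inner` would also match `outer`."""
    if not _net(outer["src"]).supernet_of(_net(inner["src"])):
        return False
    if not _net(outer["dst"]).supernet_of(_net(inner["dst"])):
        return False
    if outer["proto"] != "ip" and outer["proto"] != inner["proto"]:
        return False
    if outer["port"] != "any" and outer["port"] != inner["port"]:
        return False
    return True


def find_permissive(rules):
    """Ids of permit rules that let any source reach any destination on anything.
    One of these anywhere in the list silently undoes the VLAN segmentation."""
    return [r["id"] for r in rules
            if r["action"] == "permit" and r["src"] == "any" and r["dst"] == "any"
            and r["proto"] == "ip" and r["port"] == "any"]


def find_shadowed(rules):
    """(shadowed_id, shadowing_id) pairs. A later rule fully covered by an earlier
    one can never match; it is dead configuration that hides what really applies."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if rule_covers(earlier, later):
                found.append((later["id"], earlier["id"]))
                break
    return found


def first_match(rules, src_ip, dst_ip, proto, port):
    """Id of the rule a packet hits, or None for the implicit deny.
    Answers 'why is this blocked/allowed?' without touching the rule base."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in _net(r["src"]) or dst not in _net(r["dst"]):
            continue
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["port"] != "any" and r["port"] != str(port):
            continue
        return r["id"]
    return None


def lint(rules):
    """Summary report of both checks for a rule base."""
    return {"permissive": find_permissive(rules), "shadowed": find_shadowed(rules)}


if __name__ == "__main__":
    report = lint(SAMPLE_RULES)
    print("overly permissive rules:", report["permissive"])
    print("shadowed rules (rule, shadowed by):", report["shadowed"])
    print("DMZ host to mail on 443 hits rule:",
          first_match(SAMPLE_RULES, "10.10.40.9", "10.10.30.7", "tcp", 443))
```

In the constructed rule base, rule 20 is shadowed by rule 10 (its source range is a subset, same protocol and port), and rule 50 is shadowed by rule 40, the any/any permit that also makes the web-to-mail deny in rule 30 the only segmentation left. Tracing a DMZ host to the mail VLAN on 443 shows it matching rule 40, not the narrower rule 50 the administrator probably thinks is in effect.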