Securing data-intensive computing without degrading performance is one of the challenges at the University of Michigan, says Eric Boyd. 

Feb 11 2019

Intrusion Prevention Systems Prove Key to Campus Defense

Whether standalone or integrated into a next-gen firewall, IPS is a valuable part of network security for higher education.

Higher education remains a tempting target for hackers.

“Universities have some fairly unique features that tend to increase the scale of threats they face,” says Jesse Bowling, who chairs the Technical Advisory Group for the Research and Education Networking Information Sharing and Analysis Center. He’s also the security architect and program manager of the computer security incident response team at Duke University.

That exposure arises, in part, because universities were early internet adopters and often hold large IP address allocations. That’s a lot of real estate to protect, Bowling says. But he also points to the multiple networking functions that institutions must perform.

“Universities need to act as an ISP for their students, an open research network for their faculty, and a business network for staff and administration,” he says, in addition to running regulated networks such as Payment Card Industry processing.

It’s a complex situation with competing priorities. To help secure that environment, IT teams are increasingly making the intrusion prevention system part of their defense arsenals.

Campuses Construct Security Measures to Address Challenges of Scale

The University of Michigan pivoted to the use of a stand-alone IPS in 2013. At that time, it didn’t have a traditional border firewall, says Director of Networks Eric Boyd. Every unit at the university was generally responsible for its own network edge, with some units taking advantage of a centralized firewall implementation.

However, the firewall service didn’t scale well, says Dennis Neil, IT security design and engineering manager. The IPS, put in place in 2014, sits on the network border, with units able to opt in to using it.

“We are currently supplementing our border security with an emerging approach to an intrusion detection system,” says Boyd. “Part of the challenge here is that we care really heavily about data-intensive science, and many security devices lag the equivalent network hardware by an order of magnitude.”

This means that, even with the IPS in place, the team at the University of Michigan is still looking for solutions that will scale with its border. But the IPS provides important protection as a piece of the network security portfolio.

“We’ve been able to incorporate threat intelligence that we gather,” says Neil. “The IPS allows us to evaluate traffic based on the content and the threat, and it allows us to permit or deny based on not only threat intelligence, but also reputation information. Leveraging the IPS in this way allows us to block 2 to 3 million potential threats and attacks on a daily basis.”

Next-Generation Platforms Provide All-in-One Solution

Temple University adopted the Next-Generation Security Platform from Palo Alto Networks, which includes intrusion prevention, in 2016. Previously, the university had taken a piecemeal approach, evaluating a host of solutions to meet various needs.

“Operating Palo Alto Networks has proven more efficient for us operationally,” says Adam Ferrero, assistant vice president for network services. “The performance of the purpose-built platform is also better than what we could have provided with multiple point solutions.”

Threat intelligence empowers IT to better control network traffic, says Dennis Neil of the University of Michigan. Photography by Nick Hagen.

Ferrero’s team chose the platform after an extensive review of performance goals. In particular, they wanted to know how packet processing behaved on each of the four platforms they considered. The integrated platform has been a success.

“Our service quality reviews before and after the next-gen firewall implementation show a clear improvement in the stability of the platform,” says Ferrero. “We were chasing problems related to the previous platform a couple times per month. The new platform is so trusted, I struggle to think of a problem it introduced all year.”

Next Generation Firewall Is a Core Component for Network Security

Whether you’re choosing a stand-alone IPS or an integrated solution that includes intrusion prevention, it’s clear that this technology is becoming more of a requirement than an option.

Says Bowling, “From my perspective, the use of an IPS — and, to a larger extent, a next-generation firewall — is a critical piece of any network security posture. In an environment where there is not enterprise control of all endpoints, the ability to do fine-grained traffic control is critical to securing networks overall.”

Bowling expects that, over time, integrated IPS solutions may become more common. Whichever model IT departments choose, however, the function will remain a critical one.

“The trend over time has been adoption of an IPS as a core network control mechanism,” says Bowling. “At this point, use of an IPS is nearly universal, at least in medium-sized and large institutions.”