May 14 2013

Next-Generation Firewalls Simplify Security for Colleges

Institutions report enhanced functionality and greater visibility from the latest crop of devices.

San Jose State University aims to transfer higher education from a lecture-based model to a collaborative approach where technology plays a central role. Students will work in groups using their own devices over an infrastructure that offers unified communications and anytime, anywhere access. For the plan to work, the IT staff must keep the environment secure.

That’s where next-generation firewalls come in, says Terry Vahey, associate vice president for IT and deputy CIO. San Jose State recently replaced 25 firewalls with two Cisco Systems ASA 5585-X Adaptive Security Appliance models. The redundant devices provide multiple capabilities: firewall, web filter, virtual private network, policy enforcement, network access control, identity-based reporting and intrusion protection.

Vahey says the overall cost savings and additional security features are well worth the purchase price. The university no longer has to replace firewalls every three to five years and enjoys reduced maintenance costs. The institution can also provide enhanced access to applications and secure them with granular rules for users or groups of users.

77%The percentage of security professionals who believe that staff access to social networking sites increases the likelihood of an advanced persistent threat or other sophisticated malware attack on the organization

SOURCE: “A Prudent Approach to Next-Generation Firewalls” (Enterprise Strategy Group, January 2013)

San Jose State University’s local departments can manage their applications and set rules, but the central IT staff handles the back-end security management. If a department needs an extra firewall, the IT group can use the 5585x appliance to provision a virtual one. “Many of the IT people in the departments are looking forward to the new functionality, and they are excited to learn new job skills,” Vahey says.

John Grady, a research manager for IDC’s security products group, says IT managers such as Vahey opt for multifunction devices because they support the kind of infrastructures universities need to meet their educational goals today.

“I see this as the gradual evolution of the UTM,” Grady says. “The latest devices offer better integration between technologies, as well as application control and the ability for systems administrators to set very granular policies for the organization’s users.”

Longtime Users

The College of Arts and Sciences at the Ohio State University has been using next-generation firewalls for several years.

Tim Smith, director of infrastructure, operations and application development, says the Sophos UTM serves as a firewall, web URL filter, intrusion protection system and antivirus engine. The last UTM the college deployed includes dual-scanning engines for added protection against viruses.

“On a typical day, the firewall stops 60 viruses from ever getting through the network,” Smith says, adding that it also stops at least 3,500 attempted malware infections. On a daily basis, the firewall handles about 1.1 terabytes of traffic, 22 million connections and 3.9 million web requests.

3 Elements of a Next-Gen Security Architecture

Jon Oltsik, a senior principal analyst for the Enterprise Strategy Group, advises organizations to adopt a broad, next-generation security architecture of tightly integrated network services that can be applied throughout the network.

Next-generation network security includes these elements:

  • Central management. A major aspect of next-generation security is the ability to centrally manage security policies, service orchestration/provisioning, monitoring and reporting.
  • Distributed policy enforcement. This capability expedites network security service provisioning throughout the network. For example, a systems administrator can deploy a firewall service at the network perimeter, in the data center, at remote offices or within a physical server hosting multiple virtual servers.
  • Any network security service in any form factor. Next-generation network security can be applied in any type of device or set of services, including fixed-function, multifunction or virtual appliances, or cloud-based managed services.