Educause Security Discussion mailing list archives

Re: Distributed Firewalls


From: Gary Dobbins <dobbins () ND EDU>
Date: Sat, 11 Jan 2003 20:41:42 -0500

We looked briefly at NetScreen's 5200 series, which seemed like a good
fit for most of the requirements below.  Very nice looking product.
Virtual FW's, VLAN respect, etc.  Didn't test it with video, though.
Nicest configuration interface of any we looked at - same interface
from the desktop device all the way to a unit scaled to be an
alternative to the core-switches.

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- dobbins () nd edu
  Director, Information Security
  University of Notre Dame, Office of Information Technologies
  Voice: 574.631.5554
  ------------------------------------------------------------


----- Original Message -----
From: "Jere Retzer" <retzerj () OHSU EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Friday, January 10, 2003 3:54 PM
Subject: Re: [SECURITY] Distributed Firewalls


I recommend you try out all the video applications you think you may
need across this target architecture. We've had some significant
challenges, particularly with load-balancing operations. The only way
we've been able to get reliable performance so far is to turn load
balancing off. The firewalls can also introduce a lot of problems ―
various blocked ports, latency. I think that each instance of the
firewall on a given hardware device will increase the load, and
potentially the latency introduced by that device, so I recommend you
approach that architecture with caution.

grue () UMICH EDU 01/10/03 08:39AM >>>
We've also been looking into this.

Here's where we are:

After several discussions around the network engineering aspects and
meetings with several firewall vendors to explore product capabilities,
it appears that it would be feasible to provide a firewall in the core
of our network that would significantly improve security for campus.

Utilizing virtual firewalls (vwalls) with distributed management, it
would be possible to:

1) run multiple vwalls (up to 100) on the same hardware device/appliance,
permitting sharing of the hardware

2) have each vwall be distinct and separate from the others

3) permit a unit to administer its vwall and gather logs from it without
interfering with or viewing the policy/logs of the other vwalls
administered by other units

4) use highly available, load balanced vwalls for reliability and
performance

5) route vlan traffic through the vwall so that a geographically
dispersed unit would have one vwall to deal with, not one firewall per
site

We're thinking that ITCom (our backbone provider) would house/support
the hardware and vwall software, but would not manage the individual
vwalls for units (schools/colleges).  Setting the policy of the vwall
would be left to the unit utilizing this service.

The advantages to this approach are:

1) the total cost of ownership of vwalls to the University would be
lower compared to each unit purchasing, installing, and supporting its
own firewall, which is what we're doing now

2) lower training costs by purchasing in bulk for a single product

3) breadth and depth of expertise with a single product on campus could
be leveraged by less knowledgeable units

4) flexibility in binding vwalls to vlans in support of a fluid
operational infrastructure

5) avoiding interoperability of network protocol and service problems
between units by using vwalls from one vendor vs. different firewall
capabilities supplied by different vendors

We don't have the costs worked out yet, but we're looking for an
economical way to accomplish this.  The goal for cost is to have the
cost of putting up a vwall be less than if a unit decided to buy a
turnkey firewall product that came with hardware/software.  But as we
get further into this the costs will become clearer.

Best.

< paul

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/memdir/cg/.
