Educause Security Discussion mailing list archives
Re: Distributed Firewalls
From: "Howell, Paul" <grue () UMICH EDU>
Date: Fri, 10 Jan 2003 11:39:17 -0500
We've also been looking into this. Here's where we are:

After several discussions around the network engineering aspects and meetings with several firewall vendors to explore product capabilities, it appears that it would be feasible to provide a firewall in the core of our network that would significantly improve security for campus. Utilizing virtual firewalls (vwalls) with distributed management, it would be possible to:

1) run multiple vwalls (up to 100) on the same hardware device/appliance, permitting sharing of the hardware
2) have each vwall be distinct and separate from the others
3) permit a unit to administer its vwall and gather logs from it without interfering with or viewing the policy/logs of the other vwalls administered by other units
4) use highly available, load balanced vwalls for reliability and performance
5) route vlan traffic through the vwall so that a geographically dispersed unit would have one vwall to deal with, not one firewall per site

We're thinking that ITCom (our backbone provider) would house/support the hardware and vwall software, but would not manage the individual vwalls for units (schools/colleges). Setting the policy of the vwall would be left to the unit utilizing this service.

The advantages to this approach are:

1) the total cost of ownership of vwalls to the University would be lower compared to each unit purchasing, installing, and supporting its own firewall, which is what we're doing now
2) lower training costs by purchasing in bulk for a single product
3) breadth and depth of expertise with a single product on campus could be leveraged by less knowledgeable units
4) flexibility in binding vwalls to vlans in support of a fluid operational infrastructure
6) avoiding interoperability of network protocol and service problems between units by using vwalls from one vendor vs. different firewall capabilities supplied by different vendors

We don't have the costs worked out yet, but we're looking for an economical way to accomplish this. The goal for cost is to have the cost of putting up a vwall be less than if a unit decided to buy a turnkey firewall product that came with hardware/software. But as we get further into this the costs will become clearer.

Best.
< paul

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.