Educause Security Discussion mailing list archives

Re: Distributed Firewalls


From: "Howell, Paul" <grue () UMICH EDU>
Date: Fri, 10 Jan 2003 11:39:17 -0500

We've also been looking into this.

Here's where we are:

After several discussions around the network engineering aspects and
meetings with several firewall vendors to explore product capabilities, it
appears that it would be feasible to provide a firewall in the core of our
network that would significantly improve security for campus.

Utilizing virtual firewalls (vwalls) with distributed management, it would
be possible to:

1) run multiple vwalls (up to 100) on the same hardware device/appliance,
permitting sharing of the hardware

2) have each vwall be distinct and separate from the others

3) permit a unit to administer its vwall and gather logs from it without
interfering with or viewing the policy/logs of the other vwalls administered
by other units

4) use highly available, load balanced vwalls for reliability and
performance

5) route vlan traffic through the vwall so that a geographically dispersed
unit would have one vwall to deal with, not one firewall per site

We're thinking that ITCom (our backbone provider) would house/support the
hardware and vwall software, but would not manage the individual vwalls
for units (schools/colleges).  Setting the policy of the vwall would be
left to the unit utilizing this service.

The advantages to this approach are:

1) the total cost of ownership of vwalls to the University would be lower
compared to each unit purchasing, installing, and supporting its own
firewall, which is what we're doing now

2) lower training costs by purchasing in bulk for a single product

3) breadth and depth of expertise with a single product on campus could be
leveraged by less knowledgeable units

4) flexibility in binding vwalls to vlans in support of a fluid operational
infrastructure

5) avoiding interoperability of network protocol and service problems
between units by using vwalls from one vendor vs. different firewall
capabilities supplied by different vendors

We don't have the costs worked out yet, but we're looking for an economical
way to accomplish this.  The goal for cost is to have the cost of putting up
a vwall be less than if a unit decided to buy a turnkey firewall product
that came with hardware/software.  But as we get further into this the costs
will become clearer.

Best.

< paul
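As an added example, not from Paul's post or from any vendor's product, here is a small Python model of the arrangement the post describes: one core appliance hosting many virtual firewalls, each bound to a set of VLANs, each with its own policy and its own logs, and each administered only by the unit that owns it. The unit names, VLAN numbers, addresses and the 100-vwall ceiling are constructed for illustration; the hypothetical `CoreFirewall` class routes an arriving packet to the vwall bound to its VLAN and refuses policy or log access from any other unit.

```python
# Added example (not from the original post or any firewall vendor): a minimal
# model of shared-hardware virtual firewalls with per-unit administration.
# Unit names, VLAN numbers and addresses below are made up for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set


class NotAuthorized(Exception):
    """Raised when a unit tries to administer or read a vwall it does not own."""


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source CIDR, e.g. "0.0.0.0/0"
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.dport in (None, pkt.get("dport")))


@dataclass
class VirtualFirewall:
    name: str
    owner: str                   # the unit that administers this vwall
    vlans: Set[int]
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)   # private to this vwall

    def decide(self, pkt: dict) -> bool:
        """First matching rule wins; no match means drop (default deny)."""
        verdict = False
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = rule.action == "permit"
                break
        self.log.append(f"{'PERMIT' if verdict else 'DENY'} {pkt['proto']} "
                        f"{pkt['src']} -> {pkt['dst']}:{pkt.get('dport', '-')}")
        return verdict


class CoreFirewall:
    """One appliance hosting up to MAX_VWALLS mutually isolated vwalls."""
    MAX_VWALLS = 100  # assumed ceiling, matching the figure quoted in the post

    def __init__(self) -> None:
        self.vwalls: Dict[str, VirtualFirewall] = {}
        self.vlan_map: Dict[int, str] = {}   # VLAN id -> vwall name

    def create_vwall(self, name: str, owner: str, vlans: Iterable[int]) -> VirtualFirewall:
        vlans = set(vlans)
        if len(self.vwalls) >= self.MAX_VWALLS:
            raise RuntimeError("appliance vwall limit reached")
        for v in vlans:
            if v in self.vlan_map:   # a VLAN can feed only one vwall
                raise ValueError(f"VLAN {v} already bound to {self.vlan_map[v]}")
        vw = VirtualFirewall(name, owner, vlans)
        self.vwalls[name] = vw
        for v in vlans:
            self.vlan_map[v] = name
        return vw

    def _owned(self, unit: str, name: str) -> VirtualFirewall:
        """Every administrative call goes through this ownership check."""
        vw = self.vwalls[name]
        if vw.owner != unit:
            raise NotAuthorized(f"{unit} may not administer vwall {name}")
        return vw

    def set_policy(self, unit: str, name: str, rules: Iterable[Rule]) -> None:
        self._owned(unit, name).rules = list(rules)

    def get_logs(self, unit: str, name: str) -> List[str]:
        return list(self._owned(unit, name).log)

    def forward(self, vlan: int, pkt: dict) -> bool:
        """Hand a packet arriving on a VLAN to its bound vwall; unbound VLANs are dropped."""
        name = self.vlan_map.get(vlan)
        if name is None:
            return False
        return self.vwalls[name].decide(pkt)
```

The two properties a practitioner would want to verify on a real product are the ones this model makes explicit: a packet on one unit's VLAN is never evaluated against another unit's policy (the VLAN-to-vwall binding is one-to-one), and a unit's administrative credentials cannot read or change another vwall's policy or logs (every administrative call passes an ownership check). On a real appliance those guarantees come from the vendor's separation of virtual contexts and from role-based administrative accounts, and should be tested rather than assumed.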

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
