Thursday, 13 November 2014

Meet our new firewall: it's anything but traditional

By Mike Greenwood
Data Network Manager

On Tuesday 18th November, we'll be switching over to a new Next Generation Firewall (NGFW) for the University. The firewall controls the network communications between the University and the Internet. It helps to keep the University safe by preventing unauthorised Internet users from gaining access to our IT systems. Moving to a Next Generation Firewall will give us new and enhanced capabilities compared to what you might call a traditional firewall.

Traditional firewalls primarily base their forwarding and blocking decisions on protocol and port number characteristics, for example TCP port 80 for web browsing and UDP port 53 for DNS. With the explosion of web applications and services, traditional firewalls see the vast majority of network traffic simply as web browsing and are unable to differentiate any further. This lack of visibility into network traffic can be exploited by attackers, who tunnel malware communications over well-known, commonly permitted protocols.

This is where a Next Generation Firewall comes into its own. An NGFW performs Deep Packet Inspection and makes decisions based on criteria such as URLs and web page content. It can spot the differences between large file downloads, video streaming and interactions with mission critical resources such as finance systems.
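As an added illustration (not part of the original post and not the University's actual firewall configuration), the following Python sketch contrasts the two decision models on a handful of constructed flow records: a port-based rule set passes everything on port 80, while an application-aware policy can separate browsing, a finance system, a file download and a bulk upload to a bare IP address. The hostnames, the finance system and the classification criteria are made-up assumptions.

```python
import re
from typing import NamedTuple

class Flow(NamedTuple):
    proto: str         # "tcp" or "udp"
    dport: int         # destination port
    host: str          # HTTP Host / TLS server name seen by deep inspection ("" if none)
    content_type: str  # response Content-Type seen by deep inspection ("" if none)
    bytes_out: int     # bytes sent out of the university network

# Constructed sample flows (not real traffic). The fourth is malware beaconing and
# uploading data over port 80, which looks identical to browsing by port alone.
FLOWS = [
    Flow("tcp", 80, "www.example.ac.uk", "text/html", 2_000),
    Flow("tcp", 443, "finance.example.ac.uk", "text/html", 8_000),
    Flow("tcp", 80, "mirror.example.org", "application/octet-stream", 1_500),
    Flow("tcp", 80, "203.0.113.10", "application/octet-stream", 950_000),
    Flow("udp", 53, "", "", 120),
]
PORT_RULES = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # traditional allow-list
FINANCE_HOSTS = {"finance.example.ac.uk"}              # hypothetical finance system

def traditional_decision(f: Flow) -> str:
    """Traditional firewall: only protocol and port number are visible."""
    return "allow" if (f.proto, f.dport) in PORT_RULES else "deny"

def classify(f: Flow) -> str:
    """Identify the application from inspected content (illustrative criteria)."""
    if (f.proto, f.dport) == ("udp", 53):
        return "dns"
    if (f.proto, f.dport) not in {("tcp", 80), ("tcp", 443)}:
        return "unknown"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", f.host):  # bare IP, no hostname
        return "unknown-web"
    if f.host in FINANCE_HOSTS:
        return "finance"
    if f.content_type == "application/octet-stream":
        return "file-download"
    return "web-browsing"

# NGFW policy, first match wins: (application, max bytes out or None, action).
NGFW_RULES = [("finance", None, "allow"), ("web-browsing", None, "allow"),
              ("dns", None, "allow"), ("file-download", 100_000, "allow")]

def ngfw_decision(f: Flow) -> str:
    """NGFW: decide on the identified application and its behaviour; default deny."""
    app = classify(f)
    for rule_app, max_out, action in NGFW_RULES:
        if rule_app == app and (max_out is None or f.bytes_out <= max_out):
            return action
    return "deny"
```

Running both evaluators over `FLOWS` shows the port-based firewall allowing all five flows and the application-aware policy denying only the fourth.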

The new firewall will also give us greatly increased protection against attacks. Much like anti-virus, the NGFW receives updates for signatures of attack traffic. The updates are maintained 24/7, allowing a quick response to threats. By knowing what normal web traffic looks like, and what malicious web traffic looks like, it can keep us protected.

For the Go-Live date of 18/11/2014, we've worked closely with the suppliers to make the system as similar in operation to our current traditional firewall as possible. Over 2000 separate access rules have been migrated into the new system. The aim is to minimise the impact on the University at the point of switch over. This does mean that some desirable “out of the box” security features are actually turned off for initial use. Once the new NGFW is up and running, we will then begin to enable the new security features over the following days and weeks.