Note: This column is part of a new semi-regular feature that highlights current events in UIT's network operations group.
By Rosalia Villegas, Business Data Analyst
Current University of Utah WAN firewalls reached the end of their lifecycle after running Juniper since 2010. With an ever-growing student population, a huge increase in mobile devices, and an increase in medical devices on the network, it's critical that the University is equipped to meet current and future growth. The primary purpose of this WAN firewall is to offer a stable and secure campus network, which helps maintain confidentiality and prevent potentially disruptive security threats.
Last year, key members of UIT’s network team collaborated with a broader UIT-ITS working group to gather requirements and document concerns of selected University stakeholders to select a firewall vendor that would best fulfill the needs of the University and Hospital. The internal working group included UIT and ITS staff members from network, architecture, project management, and information security.
Those requirements included:
- 10-40 Gpbs of throughput with security features enabled
- Performance scalability to 100Gbps in the future
- High availability
- Central management
- Increased efficiency and flexibility of firewall management tools
- Threat prevention and web-filtering features
- Logging flexibility
The final three vendors were Cisco Systems (Firepower), Checkpoint Systems (61000), and Palo Alto Networks (7050). To make a final selection, the following criteria were used to test the equipment: a 10G span port of production internet traffic redirected to each firewall, a deep dive into the central management and threat prevention capability of the firewall, and the throughput testing of up to 40Gbps. Once testing was completed, results were compared.
The contract was awarded to Palo Alto – a market leader in enterprise firewalls – which was lauded for ease of use, local support, and longer lifecycle. The main goal of the implementation was to build a powerful prevention-focused architecture that allows full visibility into all traffic. Greater visibility leads to better security.
Senior Engineer Ken Kizer led the implementation team to complete the project. Emails were sent to the campus community to alert users about the firewall maintenance. Thanks to the Palo Alto service and network engineers involved, both campus and clinical environments were accessible through the majority of the upgrade. With more than two hours to spare, the team successfully implemented the new firewall on December 18, 2016.
Internet Firewall Replacement Timeline
- Design phase, RFP and Governance approval: 2015
- Build and test new firewall equipment at DDC staging area: January-May 2016
- Verify firewalls against production traffic with threat prevention: May 2016
- Recommend firewall vendor: June 2016
- Start purchasing process: July 2016
- Receive equipment, set up in lab: August-November 2016
- Install equipment in final locations (EBC and Park): November 2016
- Migrate to new firewalls: December 2016
- Migrate UGuest wireless to secured DMZ off firewall: December 2016
- Enable threat prevention and URL filtering for UGuest wireless: December 2016