By Jesse Drake
Imagine you're a crossing guard where freeways converge, required to make split-second decisions about who to stop (hoping that they do) and who to let go.
Supervising traffic on a busy network is a little like that, if far less physically dangerous.
Guarding the U's information superhighway, the internet border firewall stands between the U's internal network and both the public internet and networks maintained by partners such as ARUP Laboratories. A firewall controls inbound and outbound network traffic, applying predefined security rules to decide what to allow and what to block.
Traffic through the internet firewall keeps growing and puts a major strain on hardware and bandwidth. Compounding the issue is a finding from the U's Network Architecture Community of Practice (NACoP) that up to 75 percent of the U's total internet traffic is unwanted. The NACoP is a subcommittee that reports to the U's IT Architecture and New Technology Committee (ANTC).
Despite robust measures to stop malicious inbound internet traffic, the large number of university services and destination IP addresses reachable through the border firewall presents a broad attack surface.
At the January 2018 ANTC meeting, Dr. Randy Arvay, the U's Chief Information Security Officer, proposed changing the U's firewall model to default-deny, an industry best practice. ANTC members asked Arvay to take the recommendation to the NACoP as a working group effort.
Default-deny means whatever you don't specifically allow, you deny. At the firewall level, that means defining the permissible ports and protocols (and the destinations they apply to) and turning everything else off, instead of allowing everything and blocking only what is known to be bad. The proposal was approved by the Strategic Information Technology Committee (SITC) and presented to ANTC as an information item in March 2018.
Arvay and the NACoP then worked on a strategic plan for a model called "protect by default," which keeps the default-deny posture but adds the requirements needed to meet future demands, such as timely changes and reporting, rather than simply allowing only the agreed-upon services and endpoints.
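To make the default-deny idea concrete, here is an added example of what such a border policy looks like in nftables syntax. It is not the U's ruleset and the article names no firewall product; the interface names, addresses, ports and partner range are assumptions chosen for illustration. The important lines are the `policy drop` on the forward chain, which denies anything no explicit rule allows, and the final logging rule, which records what was dropped so that the "reporting" requirement of protect by default can actually be met.

```nftables
#!/usr/sbin/nft -f
# Added example of a default-deny border ruleset (not the U's configuration).
# Assumed interfaces: eth-internet (public internet), eth-partner (partner
# network), eth-campus (internal). Addresses and ports are assumptions.
flush ruleset

table inet border {
    # Hosts the university intentionally exposes to the internet (assumed values)
    set public_web {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain forward {
        # Default-deny: a packet that matches no accept rule below is dropped.
        # With "policy accept" plus a few drop rules (a blocklist), an unlisted
        # service on any internal address would be reachable from the internet.
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions already permitted in either direction
        ct state established,related accept
        ct state invalid drop

        # Explicit inbound allows from the internet: web and authoritative DNS only
        iifname "eth-internet" oifname "eth-campus" ip daddr @public_web tcp dport { 80, 443 } accept
        iifname "eth-internet" oifname "eth-campus" ip daddr 192.0.2.53 udp dport 53 accept

        # Partner network: only the agreed service from the agreed source range
        # (assumed: an HL7 listener on TCP 2575, partner range 198.51.100.0/24)
        iifname "eth-partner" ip saddr 198.51.100.0/24 ip daddr 10.10.0.0/16 tcp dport 2575 accept

        # Outbound from campus is permitted here; egress filtering is a separate decision
        iifname "eth-campus" oifname { "eth-internet", "eth-partner" } accept

        # Everything else is logged (rate-limited) and then falls through to policy drop
        limit rate 10/second log prefix "border-drop: " level info
    }
}
```

Adding a new service under this model is a matter of adding one accept rule (or one element to a set such as `public_web`), which is exactly the kind of narrow, pre-authorized change that the automation and self-service described later in the article is meant to handle.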
"Right now, we block things we know are malicious, and we have some blocks on wide ranges of protocol or source addresses based upon either known behaviors or known vulnerabilities," said Andrew Reich, IT architect in the U's CTO organization. "This takes it a step further by anticipating what we will need as technologies, and as threats to the network continue to evolve."
Four options were developed: "business as usual," "minimum viable product," "moderate investment," and "full implementation." The main concern with business as usual, NACoP members reasoned, is that it is not sustainable: change practices and policies would stay the same while attackers' tactics continue to mature.
Then-interim NACoP Chair Trevor Long returned to the ANTC in November 2018 and proposed moving forward with the option the NACoP deemed most viable, moderate investment.
"No change is not an option," said current NACoP Chair Rob White. "Minimum viable product would accomplish protection, but had no automation, and that would be a problem given the scale of the U's network. Addressing change would be possible but at the cost of more [work] hours and likely delayed implementations for changes. The moderate investment covers a good balance of implementing protection, providing automation, and expected bang for the buck. Option four would be the pie in the sky, but we perceived that to be too costly for the additional features."
Highlights of the moderate investment option:
- Evolves existing procedures and practices with some new automation and self-service
- Carries minimal risk in processing pre-authorized IT Infrastructure Library (ITIL) standard changes through automation and self-service
- Major, minor, and emergency ITIL changes must still follow the full change management process
- Reduces superfluous traffic, thereby decreasing both the complexity of assessing traffic risk and hardware utilization
- Promotes greater use of existing licensing agreements for security and logging tools
- Aligns with an industry-standard border perimeter endorsed by the Center for Internet Security, and reduces the attack surface at the border
- Improves service delivery time and makes requests easier to submit
- Provides more flexibility in the change management procedure
- Automates most standard firewall changes
The committee approved moving forward with the NACoP's recommended strategy.
Next steps involve UIT creating a project plan and identifying resource requirements, such as development time and the financial implications for software and training. Ultimately, implementing a protect by default standard will involve the network team, the ServiceNow group, and UIT's Project Management Office (PMO), among others.
"Malicious people and entities continually evolve [and] IT at the U needs to further embrace continually evolving to protect our resources," White said. "Protect by default is a big move in that direction. But as evolution goes, this is just one step. ..."
"Being involved in processes that drive improvement like the Network Community of Practice really makes my job at the U exciting and something I look forward to doing!"