
Note: Network News is a semi-regular feature that highlights current events in UIT's Network Services group.

Network News: Protecting the university's cyberinfrastructure

Image courtesy of the University of Utah

By Jesse Drake

Imagine you're a crossing guard where freeways converge, required to make split-second decisions about who to stop (hoping that they do) and who to let go.

Far less fraught with danger, that's a little like supervising traffic on a busy network.

Guarding the U's information superhighway, the internet border firewall stands between our internal network and the public internet, as well as networks maintained by partners like ARUP Laboratories. A firewall controls inbound and outbound network traffic, using predefined security rules to determine what to allow and what to block.

Showing no signs of slowing down, network traffic bombards the internet firewall and puts a major strain on resources like hardware and bandwidth. Compounding the issue is a finding from the U's Network Architecture Community of Practice (NACoP) that up to 75 percent of the U's total internet traffic is unwanted. The NACoP is a subcommittee that reports to the U's IT Architecture and New Technology Committee (ANTC) — see sidebar, at right.

Despite robust security measures to stop nefarious inbound internet traffic, the large footprint of university services and destination IP addresses accessible through the border firewall leaves the university vulnerable.

At the January 2018 ANTC meeting, Dr. Randy Arvay, the U's Chief Information Security Officer, proposed changing the firewall method at the U to an industry best practice default-deny model. ANTC members asked Arvay to take the recommendation to the NACoP as a working group effort.

Default-deny means that whatever you don't specifically allow, you deny: at the firewall level, it involves defining the permissible ports and protocols and turning everything else off. The proposal was approved by the Strategic Information Technology Committee (SITC) and presented to ANTC as an information item in March 2018.
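To make the two postures concrete, the following is an added example (written for this page, not the university's ruleset or anything from the article). It models a border firewall as a first-match rule list with a chain default, evaluates a constructed set of inbound flows under a default-allow blocklist and under a default-deny allowlist, and renders either posture as an nftables forward chain. The campus range, the "published" services, the partner network and every sample flow are assumptions drawn from the documentation and benchmark address ranges.

```python
"""Toy model of the two border postures: default-allow (blocklist) vs default-deny
(allowlist). Added example, not the university's ruleset; all addresses are from
the documentation/benchmark ranges and every service and rule is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY_SRC = ip_network("0.0.0.0/0")
CAMPUS = "198.51.100.0/24"      # constructed campus range (RFC 5737 TEST-NET-2)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    dst_net: IPv4Network
    proto: str                       # "tcp", "udp" or "any"
    dport: Optional[int] = None      # None matches every destination port
    src_net: IPv4Network = ANY_SRC

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in self.src_net
                and ip_address(flow.dst) in self.dst_net
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))

def rule(action: str, dst: str, proto: str, dport: Optional[int] = None,
         src: str = "0.0.0.0/0") -> Rule:
    return Rule(action, ip_network(dst), proto, dport, ip_network(src))

def evaluate(rules: List[Rule], default_action: str, flow: Flow) -> str:
    """First matching rule wins; the chain's default applies when nothing matches."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default_action

# Posture 1, default-allow: block only what is known to be bad.
BLOCKLIST = [
    rule("deny", CAMPUS, "tcp", 445),                    # SMB from the internet
    rule("deny", CAMPUS, "any", src="203.0.113.0/24"),   # a known-hostile source range
]

# Posture 2, default-deny: list the published services, everything else is off.
ALLOWLIST = [
    rule("allow", "198.51.100.10/32", "tcp", 443),           # public web server
    rule("allow", "198.51.100.20/32", "udp", 53),            # authoritative DNS
    rule("allow", CAMPUS, "tcp", 22, src="192.0.2.0/24"),    # partner-network admin access
]

def decide(flow: Flow) -> Tuple[str, str]:
    """(verdict under the blocklist posture, verdict under the allowlist posture)."""
    return evaluate(BLOCKLIST, "allow", flow), evaluate(ALLOWLIST, "deny", flow)

def dropped_only_by_allowlist(flows: List[Flow]) -> List[Flow]:
    """Flows that default-allow lets through but default-deny drops."""
    return [f for f in flows if decide(f) == ("allow", "deny")]

def to_nft(rules: List[Rule], default_action: str) -> str:
    """Render a posture as an nftables forward chain (standard nft syntax)."""
    verb = {"allow": "accept", "deny": "drop"}
    lines = ["table inet border {", "  chain forward {",
             f"    type filter hook forward priority 0; policy {verb[default_action]};",
             "    ct state established,related accept"]
    for r in rules:
        parts = [] if r.src_net == ANY_SRC else [f"ip saddr {r.src_net}"]
        parts.append(f"ip daddr {r.dst_net}")
        if r.dport is not None:
            parts.append(f"{r.proto} dport {r.dport}")
        elif r.proto != "any":
            parts.append(f"ip protocol {r.proto}")
        lines.append("    " + " ".join(parts) + f" {verb[r.action]}")
    return "\n".join(lines + ["  }", "}"])

# Constructed inbound sample; the RDP probe is the one that matters: nobody
# registered 198.51.100.30:3389 as a service, and only default-deny stops it.
SAMPLE_FLOWS = [
    Flow("198.18.0.9", "198.51.100.10", "tcp", 443),    # web, wanted
    Flow("198.18.0.9", "198.51.100.20", "udp", 53),     # DNS, wanted
    Flow("198.18.0.9", "198.51.100.30", "tcp", 445),    # SMB probe, on the blocklist
    Flow("198.18.0.9", "198.51.100.30", "tcp", 3389),   # RDP probe, unwanted, not blocklisted
    Flow("192.0.2.5", "198.51.100.30", "tcp", 22),      # partner SSH, wanted
    Flow("198.18.0.9", "198.51.100.30", "tcp", 22),     # SSH from anywhere else
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        b, a = decide(f)
        print(f"{f.src:>12} -> {f.dst}:{f.dport}/{f.proto}  blocklist={b:<5} allowlist={a}")
    print(to_nft(ALLOWLIST, "deny"))
```

The verdict pair for the RDP probe, allowed by the blocklist and dropped by the allowlist, is the whole argument for default-deny: a host that was never registered as a public service is unreachable without anyone having to predict which port an attacker will try. Two caveats a practitioner should keep in mind: default-deny does not replace the known-hostile source blocks mentioned later in the article (the allowlist above still accepts 443 from 203.0.113.0/24, so a real chain keeps those drop rules ahead of the accepts), and the rendered chain should be syntax-checked with `nft -c -f <file>` before loading, since a typo in a `policy drop` chain cuts off everything that is not explicitly accepted.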

Arvay and the NACoP proceeded to work on a strategic plan for a model called "protect by default," which maintains the U's current default-deny posture but emphasizes requirements needed to meet future demands — like timely changes and reporting rather than simply blocking only agreed upon services or endpoints.

"Right now, we block things we know are malicious, and we have some blocks on wide ranges of protocol or source addresses based upon either known behaviors or known vulnerabilities," said Andrew Reich, IT architect in the U's CTO organization. "This takes it a step further by anticipating what we will need as technologies, and as threats to the network continue to evolve."

Four options were developed: "business as usual," "minimum viable product," "moderate investment," and "full implementation." The main concern with business as usual, NACoP members reasoned, is that it's not sustainable: change practices and policies stay the same while attackers' tactics continue to mature.

Then-interim NACoP Chair Trevor Long returned to the ANTC in November 2018 and proposed moving forward with the option it deemed most viable — moderate investment.

"No change is not an option," said current NACoP Chair Rob White. "Minimum viable product would accomplish protection, but had no automation, and that would be a problem given the scale of the U's network. Addressing change would be possible but at the cost of more [work] hours and likely delayed implementations for changes. The moderate investment covers a good balance of implementing protection, providing automation, and expected bang for the buck. Option four would be the pie in the sky, but we perceived that to be too costly for the additional features."

Highlights of the moderate investment option:

Summary

  • Evolves existing procedures and practices with some new automation and self-service
  • Presents minimal risk, because only pre-authorized IT Infrastructure Library (ITIL) standard changes are processed through automation and self-service
  • Major, minor, and emergency ITIL changes must still follow the full change management process

Expected outcomes

  • Reduces superfluous traffic, thereby decreasing both the complexity of assessing traffic risks and hardware utilization
  • Promotes greater utilization of licensing agreements for security and logging tools
  • Aligns with an industry standard border perimeter endorsed by the Center for Internet Security, and reduces the attack surface at the border
  • Improves service delivery time and ease of submitting requests
  • Provides more flexibility in the change management procedure
  • Automates most standard firewall changes

The committee approved moving forward with the NACoP's recommended strategy.

Next steps involve UIT creating a project plan and identifying resource requirements like development time and the financial implications of software and training. Ultimately, implementation of a protect by default standard will involve the network team, the ServiceNow group, and UIT's Project Management Office (PMO), among others.

"Malicious people and entities continually evolve [and] IT at the U needs to further embrace continually evolving to protect our resources," White said. "Protect by default is a big move in that direction. But as evolution goes, this is just one step. ..."

"Being involved in processes that drive improvement like the Network Community of Practice really makes my job at the U exciting and something I look forward to doing!"


Network Architecture Community of Practice

Mission and scope

Formed in September 2016, the NACoP is charged with assessing the feasibility of whitelist network control efforts at the internet border.

"We meet once a month to address major topics that will improve the overall experience of the network for everyone at the University of Utah," said Network Services Business Data Analyst Rosalia Villegas.

Operating under the authority of the U's Chief Technology Officer organization, the NACoP makes recommendations to the U's IT Architecture & New Technology Committee (ANTC).

Primary sponsors

  • Mark Beekhuizen, IT director, Quinney College of Law, and ANTC Chair
  • Randy Arvay, Chief Information Security Officer

Membership

Chair: Rob White, IT director, Continuing Education & Community Engagement

  • Nelson Beebe, research professor, Department of Mathematics
  • Pieter Bowman, computer operations manager, Department of Mathematics
  • Joe Breen, IT architect, UIT Center for High Performance Computing
  • Jeff Folsom, IT supervisor, Eccles Health Sciences Library
  • Todd Green, associate IT director, School of Computing
  • Demian Hanks, IT director, College of Social & Behavioral Science
  • Michael Lund, IT architect, School of Medicine
  • Kevin Quire, network planning manager, KUEN/UETN
  • Andrew Reich, IT enterprise architect, Chief Technology Officer organization
  • Corey Roach, IT manager, Information Security Office
  • Dave Sageser, systems administrator, Marriott Library
  • Rosalia Villegas, business data analyst, UIT Network Services

Last Updated: 5/10/19