Distributed firewall system at the University of Debrecen

Gál, Zoltán, zgal@cis.unideb.hu
Karsai, Andrea, kandrea@cis.unideb.hu
Service Center for Informatics, University of Debrecen
The bandwidth of the university's HBONE/Internet connection has grown to 2.5 Gbps in the last year. Since the traffic between the university's campuses has grown greatly as well, it became necessary to upgrade the university network from 100/155 Mbps to the Gbps range.
The increased bandwidth, together with the viruses and attacks observed recently, made it necessary to set up a firewall that protects the whole university network. The firewall between the HBONE router and the university MAN is IBM Firewall software running on an IBM RS/6000 server. Although the server has gigabit interfaces, the CPU load caused by the complex rule set meant that, in our experience, the institution's Internet connection was becoming steadily slower.
</gml_replace>
<gr_replace lines="21-31" cat="clarify" orig="The">
The traffic of the inner backbone is carried by the Cisco Catalyst 6506 router placed in the centre, the Cisco Catalyst 3550 routers placed at the campuses and the L3 switches with gigabit interfaces. The connections between the campuses are handled by more than a dozen relays capable of L4 filtering. In our experience the load on these devices is low in spite of the increased traffic. This made it possible to move the protection previously provided by the firewall closer to the destination networks, that is, the filtering is done by the switches that connect the campuses. This way the firewall protects the UDNet network against attacks from the Internet not only at one point, but also in a distributed way at each campus.
The
traffic of the inner backbone is ensured by the Cisco Catalyst 6506 router placed
in the centre, the Cisco Catalyst 3550 routers placed in the campuses and the
gigabit interfaced L3 switches. The connections between the campuses are
handled by more than a dozen relay having capability of L4 filtering. The load
of these tools is low — according to our experiences — in spite of the grown
traffic. It made it possible to place the defence system needed by the firewall
closer to the destination networks that is the filtering is done by the
switches ensuring the connection of the campuses. This way the firewall
protects the UDNet network against the attacks from the Internet not only at
one point, but also in a distributed way at each campus.
This
mechanism significantly reduced the load of the former singular firewall since
it protects only the equipment of the backbone of the institution. So the
throughput of the server improves a lot and lets the regional router HBONE
accessed with almost 1 Gbps. Furthermore the distributed firewall system
ensures a greater security for the campuses, since it filters not only attacks
from the Internet, but the attacks may coming from other campuses.
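To make the campus-level filtering described above concrete, the following Cisco IOS extended ACL is an added illustration written for this page; it is not the university's actual configuration. All addresses, host names and the interface name are constructed placeholders, and the ACL is applied inbound on a campus switch's uplink towards the backbone so that it screens traffic arriving both from the Internet and from other campuses.

```cisco
! Added example, not the UDNet configuration. Constructed addressing:
!   203.0.113.0/24 = this campus (placeholder)
!   203.0.113.10   = hypothetical campus web server
!   203.0.113.25   = hypothetical campus mail relay
ip access-list extended CAMPUS-IN
 remark Packets arriving from the backbone must not claim a source inside this campus
 deny   ip 203.0.113.0 0.0.0.255 any
 remark Return traffic for TCP sessions initiated from inside the campus
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark Services this campus publishes to the Internet and to other campuses
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.25 eq 25
 remark DNS answers and the ICMP types needed for path MTU discovery and ping replies
 permit udp any eq 53 203.0.113.0 0.0.0.255
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 remark Everything else from the Internet or from other campuses is dropped
 deny   ip any any
!
interface GigabitEthernet0/1
 description Uplink to backbone (placeholder interface name)
 ip access-group CAMPUS-IN in
```

The same ACL, with the campus prefix changed, is installed on every campus switch, so each campus is protected independently of the central firewall. Whether keywords such as `established` are evaluated in hardware depends on the switch model and software, so verify on the platform in use that the ACL does not fall back to CPU processing, which would reintroduce the bottleneck the central firewall suffered from.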
The lecture will cover the practical experience gained from the firewall system, which consists of more than a dozen Cisco L3 switches with Gbps capacity. We will also discuss the expansion philosophy and the technical details of the institution's gigabit backbone protected by this firewall system. The experience presented should enable other institutions to handle, in an efficient way, the critical defence problems that accompany the unavoidable expansion of backbone equipment.