BACKGROUND
The University of Adelaide is one of Australia’s Group of Eight research-intensive universities and is consistently ranked among the top one percent of universities in the world. Established in 1874, the University of Adelaide is Australia’s third oldest university and an iconic Adelaide institution.
The University of Adelaide offers a broad range of undergraduate and postgraduate programs underpinned by world-class research. It has more than 25,000 students; 30 percent are international students from more than 90 countries.
Business & context
The University of Adelaide comprises four campuses (North Terrace, Waite, Thebarton and Roseworthy), with the main campus on North Terrace in the city of Adelaide. The University is also closely linked to a range of facilities across South Australia, including the main teaching hospitals and satellite health centres in urban, regional and rural locations.
Apart from providing a leading learning and teaching environment, the University prides itself on quality research across a number of disciplines, including medical and health sciences, nursing, performing arts and creative writing, and other fields. To facilitate this research, the University boasts two ‘super computers’ at its North Terrace Campus, supported by an MPLS (multiprotocol label switching) network core and VPN (virtual private network). The VPN also provides staff and students access to University resources when they are offsite. There is also a large wireless network on the main campus, supported by 1,000 wireless access points and a radius server system.
The five academic Faculties, multiple Schools, Institutes and research centres rely heavily on IT staff to provide them and their students with high speed, always on, and highly secure access to network facilities. Students also use social media, peer-to-peer and other systems to access a wide range of information over the network.
With some exceptions, blocking applications is not considered in the interests of students or staff as the University recognises that people may attempt to still access applications regardless, and that can produce greater security challenges.
The problem
In mid-2012, the University’s IT department realised it needed to evolve its network security approach to manage massive and increasing amounts of data flowing across more than 8,000 devices and locations in the University, while ensuring its policy of ‘open access’ to applications did not compromise security. At the same time, it was considered vital that any change or upgrade to the security policy did not slow down the performance of the network, particularly around research.
The University’s existing network security system was cumbersome and could not scale to let IT staff know which users were accessing which applications.
It made it almost impossible to securely grant students and staff access to
applications they needed.
There was a need for a more sophisticated, end-user based approach to information network security to ensure network performance and improve security based on innovative User-ID management and applications awareness.
Peter Hughes, Team Leader of Networks Services at the University of Adelaide, says, “Managing security across the network is a critically important part of the success of the University. The IT team has to proactively manage threats and potential threats associated with applications in research as well as threats which could emerge on the wireless network. With thousands of people accessing the network, daily network performance is paramount.”
THE DECISION
In December 2012, The University deployed two Palo Alto Networks® PA-5000 series next-generation firewalls (NGFWs) in the data centre of the main campus at North Terrace. This enabled management across all campuses and all points where users touched the network, including offsite. The proof of concept trial lasted one month.
The PA-5000 Series provides granular visibility of threats and better control of Internet applications, with capabilities to isolate and protect data through security policies that are based on the user or group identity from within Active Directory. The user and group identity is then tied directly to a specific application, and the application can be inspected for threats and unauthorised data transfer.
This level of granular control is unmatched by any firewall solution on the market. Palo Alto Networks next-generation firewalls are unique in their ability to identify and filter network traffic by user, instead of just by computer IP address. The PA-5000 Series enables businesses to accurately identify and control applications by user, scan content to stop threats, and prevent data leakage—all with a single network device.
During the cut-over period, the IT team worked closely with the key stakeholders in the University to ensure a smooth transition from the superseded technology.
Hughes says, “Since the cut-over we have had no issues reported from the various departments. We tested all applications with the faculties and commercial affiliates post implementation, and they understood what we were trying to achieve. It has been one of the easiest migrations we have ever completed.”
The PA-5000 Series integrated seamlessly into the existing networks, including the Radius server access model which the University uses to allow wireless access to staff and students.
Because many users access the network dynamically over the wireless network or via a VPN, often off-campus, the security team needs to be able to tell who is accessing it. The old way of static security meant that was impossible. With the Palo Alto Networks NGFWs the network knows who is accessing applications, regardless of where that person or user is. That improves the experience for the user, improves security and reduces administration time.
Hughes says, “Security with the Palo Alto Networks NGFWs works because it allows the security team to map user-id based behaviour against policy. The network remains highly secure despite thousands of devices accessing the network across many VLANs across several campuses. The wireless network covers 8,000 simultaneous device interactions across the network at any given time.”
BENEFITS
The University has experienced clear benefits for improved performance, application awareness and User-ID based policy creation following the deployment of the Palo Alto Networks NGFWs.
Hughes says, “The biggest benefit is that the user name can be identified by the network, which means we can control access if necessary. That makes it easier for our administrators but also better for the users because we can have more applications.”
“The Palo Alto Networks NGFW knows which users are doing what. In the pre-Palo Alto Networks days the University could only identify activity by IP address. Now we can identify and control traffic based on user-id and groups and potentially rate limit specific application traffic. The Palo Alto Networks management interface is very easy to use. It also allows the firewall support team to react more quickly to threats.”
From the users’ perspective, the situation has improved too because the security team no longer has to turn off key security features to ensure the network remains fast, which is a key factor in balancing security enablement with network performance.
Hughes says, “We are seeing an almost exponential growth in the wireless network. But the Palo Alto Networks NGFW lets us maintain performance across the network. It really raises the bar. The security element of the network used to be a choke point.”
The University’s research focus means it is a highly customised application environment, which often involves researchers writing their own code and protocols. The security team now works proactively with the research teams and builds a policy which the NGFW enforces.
There are hundreds of applications like this and it is vital that the NGFW is able to dynamically manage them and alert the team if there is an issue or a zero-day threat.
The applications awareness of the Palo Alto Networks solution also supports the growth of applications and bring-your-own-device (BYOD) by the students and non-research staff.
The University facilitates and manages more than 900 applications on the network and that is growing as more and more people use BYOD. For instance, the Science Faculty provides its first year students with iPads and has been doing that for three years.
Hughes says “We have an enabling policy around these applications—some apps we do block, such as bit torrent, but most we allow as they increase productivity and students and staff demand them. The really good thing about the dynamic way the NGFW operates is that it automatically knows when the applications change their signatures.”
Conclusion
The University of Adelaide’s investment in the Palo Alto Networks NGFW will enable it to adapt to an ever changing and evolving information security landscape. Working with Palo Alto Networks and its partner SecureWare ensures that the University of Adelaide is able to take advantage of next generation thinking and security policy.
