Virtualizing UBC
With the decentralization of IT in the late 1990s, firewalls were deployed under a distributed support model that followed IT's organizational boundaries. This decentralized security infrastructure is not in line with the current UBC IT strategy.
UBC IT provides virtual firewalls as a campus cloud service. The departments consolidate multiple physical firewalls into a single virtual firewall which they can self-manage.
After Virtualization
Current State
Management of the virtual firewalls has become complex. In fact, the environment is less secure because it is very hard to manage, audit, scan and patch. A sustainable solution is needed as more departments come on board and to better support BYOC.
New network security framework
The new security framework includes a new security policy model, an identity-based firewall solution, security log/event correlation and IDS/IPS. The new security policy model, combined with the identity-based firewall, will consolidate firewall rules and simplify policies.
The Future
New network security framework
Why a new security policy model?
• Ensure compliance with UBC security policy
• Align with the current IT strategy
• Sustainable policy administration that reduces application troubleshooting and rollout time
• Improved security such as facilitating regular security scans
• Better support and integration with Systems security services and tools; e.g., server patching, vCloud, vOps, SCOM
• More efficient use of resources and economies of scale
• Enable centralized monitoring
Why a security log/event correlation system and IDS/IPS?
• Security alerts for any illegitimate traffic
• Detect intrusion from different sources
• Prevent unauthorized network access
• Log security events
• Event correlation from various internal sources
• Better reporting and auditing
• Enable proactive security
Deploy a new security framework
How do we approach this?
[Diagram: security zones DMZ, Normal and High; build up the security infrastructure to the new model]
What we are doing now
• Developing a new security framework based on UBC IT security policy guidelines
• Building new environments based on this model (ENTS & Student Email)
• Consolidating and simplifying security policies (VDI)
• Evaluating identity-based firewall technologies (Palo Alto, Cisco)
• Continuing to investigate and build security log/event correlation systems (ArcSight) and IDS/IPS
Challenges
• Paradigm shift among stakeholders
• Deconstructing firewall rules for consolidation
• Downtime to migrate applications to new security model
• Co-ordination
• Resources and budget
Timeline
Build ENTS environment: COMPLETED
Consolidate and simplify security policies: ONGOING
Migrate existing environments: ONGOING
Evaluate identity-based firewall technologies: Dec 2012
Further develop security log/event correlation system: ?
Approval for IDS/IPS: ?