NUS Takes Comprehensive Approach to Network Security
November 20, 2003
A university campus network is likely to be one of the most fertile and vibrant network environments you will find. But a free-spirited network environment with easy accessibility for all also means that a no-nonsense security framework is needed: one that is robust enough to tackle a variety of contingencies on a daily basis.
That is the security challenge faced by the Computer Centre of the National University of Singapore (NUS). Spanning 11 student faculties, 35,000 network points, 2,000 servers and 30,000 users, about one-third of whom also have concurrent wireless access, managing the NUS campus network is not for the faint of heart. Adding to the challenge is the highly complex and vibrant nature of student applications, as well as the need to segment the campus into numerous discrete zones, called virtual LANs (VLANs), for functional requirements.
Here, enforcing security requires even more dexterity than in most commercial organisations, because network accessibility for many people at different times is a top requirement. "The campus network is different from a bank because it needs to facilitate research and connectivity above all else," explains Roland Yeo, network manager for the campus network. "The most important issue here is to balance security with openness."
As overall planner and manager of campus access, WLAN, Internet peering and the international research network in NUS, Yeo found that the nature of connectivity on the campus is also very different from that of an enterprise. In NUS, new applications and protocols, arising from the multitude of student projects, are a routine occurrence. As a result, he says, a security system needs to be both flexible and adaptable.
The solution
NUS' network security approach is a model of elegance. Its mainstay security devices are a fleet of 14 Cisco Firewall Services Modules (FWSM), which are installed as plug-in modules within the Cisco Catalyst 6500 Series switches the university currently deploys. And the campus uses multiple tools, like CiscoWorks and other self-developed tools, to manage the network.
The obvious advantage of using FWSM is cost effectiveness. "The solution is very scalable as multiple FWSMs can be installed into the same chassis," says Yeo. And for NUS, the decision to go for FWSM was easy, since it already uses the Cisco Catalyst 6500 switches.
Performance was the other key consideration. In terms of technical specifications, the FWSM provides one of the fastest firewall data rates in the market today, at up to 5 Gbps throughput, 100,000 connections per second (CPS) and one million concurrent connections. Up to four modules can be installed in a single chassis.
But more important is actual field performance. In evaluation trials, Yeo found that the FWSM was the only firewall among several well-regarded brands that not only stopped a very large volume of network attacks but also let friendly traffic pass through transparently. "Others simply could not scale up to the performance and reliability we were looking for when handling high bandwidth and DoS traffic," he says. This is important for the campus, because while it does not see the transactional traffic volumes of, say, a stock exchange network, the sheer complexity and extent of coverage of NUS' network means that quality of service is just as critical, he explains.
The need to protect across multiple network segments in a fuss-free manner was another consideration. "People used to think of firewalls as devices between internal and external networks, but today, internal networks must also be shielded from each other," he says. And sitting in the switch that controls the actual VLAN routing helps make VLAN protection an easier prospect with the FWSM, in terms of firewall management, scaling out and re-configuration.
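To make the inter-VLAN point concrete, the following is an added configuration sketch, not NUS' configuration and not taken from this article, showing how VLANs are handed from the Catalyst 6500 supervisor to an FWSM and then filtered against each other. It assumes the PIX-style FWSM syntax of the period; the slot number, VLAN IDs, interface names, addresses and ports are constructed placeholders.

```text
! --- Catalyst 6500 supervisor (IOS side): hand three VLANs to the FWSM ---
! Slot 5 and VLAN IDs 10/20/30 are assumed values.
firewall vlan-group 1 10,20,30
firewall module 5 vlan-group 1

! --- FWSM (PIX-style syntax; names and addresses are constructed) ---
! Each VLAN becomes a named firewall interface with its own security level,
! so "internal" zones are shielded from each other, not just from outside.
nameif vlan10 servers security100
nameif vlan20 research security50
nameif vlan30 students security10

ip address servers  10.10.0.1 255.255.255.0
ip address research 10.20.0.1 255.255.255.0
ip address students 10.30.0.1 255.255.255.0

! The FWSM permits nothing between interfaces until an ACL allows it,
! so every zone-to-zone path is an explicit decision. Masks are subnet masks,
! not IOS wildcards.
access-list research_in permit tcp 10.20.0.0 255.255.255.0 host 10.10.0.5 eq 443
access-list research_in permit tcp 10.20.0.0 255.255.255.0 host 10.10.0.5 eq 22
access-list research_in deny ip any any

! Student VLAN reaches the web front end only; research hosts stay unreachable.
access-list students_in permit tcp 10.30.0.0 255.255.255.0 host 10.10.0.5 eq 443
access-list students_in deny ip any any

access-group research_in in interface research
access-group students_in in interface students

! Send denies to a syslog collector so blocked inter-VLAN attempts are visible
! to the operations team rather than silently dropped.
logging on
logging host servers 10.10.0.9
logging trap informational
```

Adding a new student-project zone is then a matter of one more `nameif` and one more ACL on the same module, which is the "scaling out and re-configuration" benefit the article describes; the explicit trailing `deny ip any any` on each inbound list keeps the default posture closed while the allow lines document exactly which cross-VLAN flows were approved.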
For the university, ease of use is paramount in a security system, given its highly complex network. For Yeo, an easy-to-administer system means that the university will not be bogged down when the going gets rough. After all, security is not just about stopping malicious packets, but about letting in the friendly ones.