Network Security Framework, UBC IT - NMC

Source: infrastructure.it.ubc.ca/files/2012/07/Network-Security-Frameworks.pdf

Virtualizing UBC

With the decentralization of IT in the late 1990s, firewalls were deployed under a distributed support model that followed IT's organizational boundaries. This decentralized security infrastructure is not in line with the current UBC IT strategy.

Before Virtualization

UBC IT provides virtual firewalls as a campus cloud service. The departments consolidate multiple physical firewalls into a single virtual firewall which they can self-manage.

After Virtualization

Current State

Management of the virtual firewalls has become complex. In fact, it is less secure, because the firewalls are very hard to manage, audit, scan and patch. A sustainable solution is needed as more departments come on board and to better support BYOC.

New network security framework

The new security framework includes a new security policy model, an identity-based firewall solution, security log/event correlation and IDS/IPS. The new security policy model, combined with the identity-based firewall, will consolidate firewall rules and simplify policies.

The Future

New network security framework

Why a new security policy model?

• Ensure compliance with UBC security policy

• Align with the current IT strategy

• Sustainable policy administration, reducing application troubleshooting and rollout time

• Improved security such as facilitating regular security scans

• Better support for and integration with Systems security services and tools, e.g. server patching, vCloud, vOps, SCOM

• More efficient use of resources and economies of scale

• Enable centralized monitoring

New network security framework

Why Identity-based Firewalls?

Why a security log/event correlation system and IDS/IPS?

• Security alerts for any illegitimate traffic

• Detect intrusions from different sources

• Prevent unauthorized network access

• Log security events

• Event correlation from various internal sources

• Better reporting and auditing

• Enable proactive security

Deploy a new security framework

How do we approach this?

(Diagram labels: DMZ, Normal, High)

Build up the security infrastructure to the new model

Security Framework

What we are doing now

• Developing a new security framework based on UBC IT security policy guidelines

• Building new environments based on this model (ENTS & Student Email)

• Consolidating and simplifying security policies (VDI)

• Evaluating identity-based firewall technologies (Palo Alto, Cisco)

• Continuing to investigate and build security log/event correlation systems (ArcSight) and IDS/IPS

Challenges

• Paradigm shift among stakeholders

• Deconstructing firewall rules for consolidation

• Downtime to migrate applications to new security model

• Coordination

• Resources and budget

Timeline

Build ENTS environment: COMPLETED

Consolidate and simplify security policies: ONGOING

Migrate existing environments: ONGOING

Evaluate identity-based firewall technologies: Dec 2012

Further develop security log/event correlation system: ?

Approval for IDS/IPS: ?