Issue 47 - March 2006
Deployment of Network Security Devices
By Alex Lam

Overview

Every day, new viruses, worms and software security vulnerabilities of all types are discovered on the Internet, and network security has become an ongoing monitoring and management activity rather than a one-off setup. In response to these hazards, the Computing Services Centre (CSC) continuously makes use of advanced technologies and security management devices to protect the campus network.

This article describes the technologies and security devices currently deployed by the CSC. The objective of this effort is to provide Internet access to all campus users with the following benefits:

  • Safe and Stable Internet Environment
  • Fast Access and Quick Application Response Time
  • Fairness in sharing Internet bandwidth

In addition, the deployment does not only protect against attacks originating from the Internet; it also detects and blocks attacks generated by internal users, since a compromised campus host must be treated with the same suspicion as an external attacker.

Types of Security Devices

To achieve the above objectives, a number of security devices are deployed between the campus backbone and the Internet. They fall into three categories:

  • Internet Router and Firewall

    The Internet router and firewall enforce the network policy: only the permitted protocols, from the correct IP address ranges and in the correct connection state (for example, a reply to a connection that a campus host actually opened), are allowed to pass. The policy is largely static and packet examination is performed in dedicated hardware, which makes this a fast first filter that rejects every packet violating the policy.

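The three checks described above (source address range, static service policy, connection state) can be shown in a few dozen lines. The following is an added example written for this article, not the CSC's own router or firewall configuration; the campus range, mail server address and the single permitted inbound service are assumptions chosen so that it runs offline.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption, not CityU's real allocation): the campus
# range and its mail server use documentation addresses so this runs offline.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
MAIL_SERVER = ipaddress.ip_address("192.0.2.25")

# Static inbound policy (assumption): (protocol, destination, port) tuples that
# hosts on the Internet are allowed to open.
INBOUND_SERVICES = {("tcp", MAIL_SERVER, 25)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""         # TCP flags, e.g. "S" (SYN), "SA", "A"
    direction: str = "in"   # "in": arriving from the Internet; "out": leaving campus


class StatefulFirewall:
    """Anti-spoofing + static service policy + connection tracking."""

    def __init__(self):
        # Tracked connections keyed from the initiator's side:
        # (initiator_ip, initiator_port, responder_ip, responder_port, proto)
        self.conns = set()
        self.log = []

    def _verdict(self, verdict, pkt, reason):
        self.log.append((verdict, pkt.src, pkt.dst, pkt.dport, reason))
        return verdict

    def process(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)

        # 1. Anti-spoofing: a packet from the Internet can never legitimately carry
        #    a campus source address, and a campus host must not emit packets with
        #    a foreign source address.
        if pkt.direction == "in" and src in CAMPUS_NET:
            return self._verdict("DROP", pkt, "campus source address arriving from Internet")
        if pkt.direction == "out" and src not in CAMPUS_NET:
            return self._verdict("DROP", pkt, "foreign source address leaving campus")

        # 2. State: packets belonging to a connection we already track pass,
        #    whichever direction they travel in.
        as_initiator = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        as_responder = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if as_initiator in self.conns or as_responder in self.conns:
            return self._verdict("ACCEPT", pkt, "established")

        # 3. New TCP connections must start with a bare SYN. A stray ACK/FIN with no
        #    state (typical of ACK scans) is dropped here.
        if pkt.proto == "tcp" and pkt.flags != "S":
            return self._verdict("DROP", pkt, "non-SYN packet without connection state")

        # 4. Outbound connections are allowed and tracked; inbound ones only if the
        #    static policy lists the service.
        if pkt.direction == "out" or (pkt.proto, dst, pkt.dport) in INBOUND_SERVICES:
            self.conns.add(as_initiator)
            return self._verdict("ACCEPT", pkt, "new connection permitted by policy")
        return self._verdict("DROP", pkt, "not permitted by policy")


if __name__ == "__main__":
    fw = StatefulFirewall()
    # A campus host browses the web; the reply is matched by state, not by policy.
    fw.process(Packet("192.0.2.10", "198.51.100.7", "tcp", 40000, 80, "S", "out"))
    fw.process(Packet("198.51.100.7", "192.0.2.10", "tcp", 80, 40000, "SA", "in"))
    # An outsider probes the same campus host on port 80: dropped by policy.
    fw.process(Packet("198.51.100.7", "192.0.2.10", "tcp", 4444, 80, "S", "in"))
    for entry in fw.log:
        print(entry)
```

The order of the checks matters: the spoofing test comes first because a spoofed packet must never be allowed to create state, and the SYN test comes before the policy lookup so that scans which skip the handshake never reach the (comparatively expensive) policy evaluation.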
  • Intrusion Protection System (IPS)

    Even packets that the firewall allows through may carry malicious content. For example, our firewall policy must allow all email traffic to reach the mail servers, so a virus attached to a message passes the firewall untouched. The IPS therefore provides a second level of packet examination based on its knowledge of attack signatures, normal (baseline) traffic patterns and behaviour. Put simply, the IPS is like anti-virus software running in a network appliance that examines packets at multi-gigabit rates. For details of the IPS deployment in CityU, please visit: http://www.cityu.edu.hk/csc/netcomp/sep2004-5.htm

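The two kinds of IPS knowledge mentioned above, attack signatures and behaviour thresholds, look like this in code. This is an added example written for this article and not the CSC's IPS or any vendor's rule set: the three signatures, the scan and brute-force thresholds and the sample payloads are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed signature set (assumption: illustrative patterns written for this
# example, not any vendor's rule set). Each entry: (id, description, regex).
SIGNATURES = [
    ("SQLI-001", "SQL tautology in HTTP request parameters",
     re.compile(rb"(?i)(?:'|%27)\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("OVERSIZE-001", "HTTP request line longer than 2048 bytes (protocol anomaly)",
     re.compile(rb"^(?:GET|POST|HEAD) \S{2048,}", re.M)),
    ("IRCBOT-001", "IRC command sequence on a non-IRC port (bot command channel)",
     re.compile(rb"^NICK \S+\r?\n(?:USER .*\r?\n)?JOIN #\S+", re.M)),
]
IRC_PORTS = {6667}


class SlidingWindow:
    """Per-source event history limited to the last `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)   # src -> deque of (ts, item)

    def add(self, src, ts, item):
        q = self.events[src]
        q.append((ts, item))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        return len(q)

    def distinct(self, src):
        return len({item for _, item in self.events[src]})


class SimpleIPS:
    """Signature matching plus two behavioural thresholds (scan, brute force)."""

    def __init__(self, scan_ports=15, scan_window=10, bf_attempts=5, bf_window=60):
        self.scan_ports, self.scan = scan_ports, SlidingWindow(scan_window)
        self.bf_attempts, self.bf = bf_attempts, SlidingWindow(bf_window)
        self.alerts = []

    def _alert(self, sid, src, detail):
        self.alerts.append((sid, src, detail))
        return sid

    def inspect_payload(self, src, dport, payload):
        """Signature pass over a (reassembled) application payload; returns ids hit."""
        hits = []
        for sid, desc, rx in SIGNATURES:
            if sid == "IRCBOT-001" and dport in IRC_PORTS:
                continue   # ordinary IRC on its own port is a policy matter, not an attack
            if rx.search(payload):
                hits.append(self._alert(sid, src, desc))
        return hits

    def observe_syn(self, src, dport, ts):
        """Port scan: too many distinct destination ports from one source."""
        self.scan.add(src, ts, dport)
        seen = self.scan.distinct(src)
        if seen >= self.scan_ports:
            return self._alert("SCAN-001", src, f"{seen} ports in {self.scan.window}s")
        return None

    def observe_login(self, src, user, ts, success):
        """Brute force: repeated failed logins from one source inside the window."""
        if success:
            return None
        if self.bf.add(src, ts, user) >= self.bf_attempts:
            return self._alert("BRUTE-001", src, f"{self.bf_attempts}+ failed logins in {self.bf.window}s")
        return None


if __name__ == "__main__":
    ips = SimpleIPS()
    # Constructed sample traffic: one injection attempt and one 20-port sweep.
    print(ips.inspect_payload("198.51.100.7", 80, b"GET /item?id=1' OR '1'='1 HTTP/1.1\r\n"))
    for i in range(20):
        ips.observe_syn("198.51.100.9", 1000 + i, 100.0 + i * 0.1)
    print(ips.alerts)
```

Note the difference between the two detection styles: a signature fires on one packet and is only as good as the pattern (which is where false positives, listed among the evaluation criteria later in this article, come from), while the threshold rules need a history per source and only fire once the window fills, so a slow scan spread over minutes stays below them.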
  • Traffic Shaping Device

    With numerous network applications running across the campus network at the same time, all of them compete for the Internet bandwidth. How can we allocate that bandwidth to satisfy academic needs in a fair and appropriate way?

    A traffic shaping device helps us make a fair allocation. The packet shaper sits inline, automatically learns and classifies the network traffic flowing through it and, in addition to blocking and permitting packets, can raise, cap or guarantee bandwidth for pre-defined applications. The following traffic parameters are used to shape network traffic:

      • Packet priority
      • Incoming and outgoing bandwidth
      • Number of concurrent network connections allocated

With the advance of traffic shaping technology, the above shaping policy can be applied per application and per source IP address. This prevents one host from dominating a given application and using up all the bandwidth provided for it. In addition, the real-time alerts and reports generated by the packet shaper show clearly how Internet bandwidth and connections are being allocated and consumed. The figure below shows the kind of live network information the report gives the administrator.
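To make the three shaping parameters (priority, bandwidth, connection count) and the per-host, per-application policy concrete, here is an added example written for this article; it is not the CSC's shaper configuration. The port-based classification table and the four policies are assumptions, and a real shaper classifies flows by inspecting them rather than by port number alone. Bandwidth is enforced with a token bucket, the usual mechanism for a rate ceiling with a burst allowance.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed classification and policy tables (assumptions for this example; a
# real shaper classifies by inspecting the flow, not by port number alone).
APP_BY_PORT = {80: "http", 25: "smtp", 6881: "bittorrent"}


@dataclass(frozen=True)
class Policy:
    priority: int     # higher is served first when the link is congested
    rate_kbps: int    # per-host ceiling for this application
    burst_kb: int     # token-bucket depth, i.e. how much may be sent at once
    max_conns: int    # concurrent connections per host for this application


POLICIES = {
    "smtp":       Policy(priority=7, rate_kbps=1000, burst_kb=200, max_conns=20),
    "http":       Policy(priority=5, rate_kbps=2000, burst_kb=500, max_conns=50),
    "other":      Policy(priority=3, rate_kbps=512,  burst_kb=128, max_conns=30),
    "bittorrent": Policy(priority=1, rate_kbps=128,  burst_kb=32,  max_conns=5),
}


class TokenBucket:
    """Rate limiter: tokens refill at `rate`, up to `cap`; a packet spends its size."""

    def __init__(self, rate_kbps, burst_kb):
        self.rate = rate_kbps * 1000 / 8    # bytes per second
        self.cap = burst_kb * 1000          # bytes
        self.tokens = self.cap
        self.last = 0.0

    def consume(self, nbytes, now):
        self.tokens = min(self.cap, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class PacketShaper:
    def __init__(self):
        self.buckets = {}                     # (host, app) -> TokenBucket
        self.conns = defaultdict(set)         # (host, app) -> open flow ids
        self.stats = defaultdict(lambda: {"sent": 0, "shaped": 0, "refused": 0})

    @staticmethod
    def classify(dport):
        return APP_BY_PORT.get(dport, "other")

    def open_connection(self, host, dport, flow_id):
        """Connection-count shaping: refuse the flow once the per-host cap is hit."""
        app = self.classify(dport)
        key = (host, app)
        if len(self.conns[key]) >= POLICIES[app].max_conns:
            self.stats[key]["refused"] += 1
            return False
        self.conns[key].add(flow_id)
        return True

    def close_connection(self, host, dport, flow_id):
        self.conns[(host, self.classify(dport))].discard(flow_id)

    def forward(self, host, dport, nbytes, now):
        """Bandwidth shaping: True if the packet may go now, False if it is held back."""
        app = self.classify(dport)
        key = (host, app)
        pol = POLICIES[app]
        bucket = self.buckets.setdefault(key, TokenBucket(pol.rate_kbps, pol.burst_kb))
        if bucket.consume(nbytes, now):
            self.stats[key]["sent"] += nbytes
            return True
        self.stats[key]["shaped"] += nbytes
        return False

    def prioritize(self, pending):
        """Priority shaping: order (host, dport, nbytes) packets for a congested link."""
        return sorted(pending, key=lambda p: -POLICIES[self.classify(p[1])].priority)

    def report(self):
        """The per-host, per-application view a real-time statistics screen shows."""
        return {f"{host}/{app}": dict(v, conns=len(self.conns[(host, app)]))
                for (host, app), v in self.stats.items()}


if __name__ == "__main__":
    sh = PacketShaper()
    for i in range(6):                         # sixth BitTorrent connection is refused
        sh.open_connection("192.0.2.10", 6881, f"bt{i}")
    sh.forward("192.0.2.10", 6881, 30000, 0.0)  # within the 32 kB burst
    sh.forward("192.0.2.10", 6881, 10000, 0.0)  # bucket empty: shaped
    sh.forward("192.0.2.10", 6881, 10000, 1.0)  # 16 kB refilled after 1 s
    print(sh.report())
```

Because the bucket is keyed by (host, application), one host saturating its BitTorrent allowance has no effect on the same host's HTTP traffic or on another host's BitTorrent traffic, which is exactly the "no single host dominates an application" property described above.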

Figure 1: Real-time traffic statistics generated by the traffic shaper device

Rather than just blocking or permitting certain IP addresses and applications, network administrators can now understand the characteristics of each application (its bandwidth, connection and latency requirements) from the live statistics. This lets us derive a shaping policy that allocates appropriate bandwidth and connection counts to users and applications according to the actual, real-time needs of the University.

At the same time, non-critical applications can still use whatever bandwidth remains, which would otherwise be wasted. This achieves the objective of fast access and quick response time in a prioritised, fair and measurable manner.

Roles of Internet Security Devices

With the above security management devices in place, many network attacks are blocked. The table below summarises the functions and roles of the devices deployed on campus.

Attack category                              Protected by
-------------------------------------------  -----------------------------
IP address spoofing                          Router, Firewall
Port scanning                                Firewall, IPS
Protocol anomaly                             Firewall, IPS, Packet Shaper
Message spamming                             IPS
Brute-force login attempts                   IPS
Backdoor / IRC bot attacks                   IPS, Packet Shaper
P2P software                                 IPS, Packet Shaper
Vulnerability attacks                        IPS
Application server attacks / injection       IPS
Email viruses / worms                        IPS
DoS / DDoS attacks                           IPS, Packet Shaper
Priority, bandwidth and connection shaping   Packet Shaper

Table 1: Roles of network devices in security protection

All of the above devices were evaluated and tested carefully before deployment. The major criteria for evaluation and deployment were:

  • Stability and reliability
  • Processing power
  • Accuracy of traffic classification
  • Latency
  • Number of false alarms (false positives)
  • Granularity of the policy and configuration settings
  • Provision of real-time and historical statistics
  • Frequency and responsiveness of attack-signature updates
  • Product maturity and development status

Conclusion

After a series of tests and fine-tuning of the network security devices, we have strengthened the protection against various types of network attacks originating from both the Internet and internal users. In addition, the real-time and historical reports show clearly how the Internet bandwidth is being used, providing solid information for forensic analysis of attacks and for refining the network policy.

Currently we block thousands of attacks against the University every day. Besides blocking attacks, we can also differentiate between many network applications, which allows us to give better network resources to some pre-defined applications.

Furthermore, with network security devices deployed at the Internet gateway of CityU, we achieve our objectives of providing stable, safe, fast, responsive and fair Internet access to all campus users.

Copyright© Computing Services Centre, City University of Hong Kong. Last modified on Thursday, 20-Aug-09 16:51:03.