Issue 47 - March 2006
Everyday, new viruses, worms and software security vulnerabilities of all types are discovered on the Internet. Network security is becoming an ongoing network monitoring and management activity. In response to these security hazards, the Computing Services Centre (CSC) is continuously making use of the most advanced technologies and security management devices to protect the campus network.
This article depicts current technologies and security devices that are deployed by the CSC. The objective of such effort is to provide Internet Access to all campus users with the following benefits:
In addition, we are not only protecting the attacks originated from the Internet. Our deployment also caters for the detection and protection of attacks generated from internal users.
Types of Security Devices
In order to achieve the above objectives, a number of security devices are deployed between the campus backbone and the Internet. These devices can be divided into three categories:
With the advance of traffic shaping technologies, the above shaping policy can be applied to each application generated from a specific IP address. This prevents one host from dominating in certain application and using up all the provided bandwidth. In addition, the real time alert and reports generated by packet shaping device clearly show how the Internet bandwidth and connections are being allocated/consumed. The figure below demonstrates how the report provides such variable network information to the administrator.
the same time, some non-critical applications
can still enjoy the remaining network bandwidth
that would otherwise be wasted. This achieves
the objective of providing a fast access
and quick response time in a prioritized,
fair and scientific manner.
the deployment of the above security management
devices, many of the network attacks are
blocked. The table below summarises the
functions and roles of the network security
devices deployed in the campus.
All of the above devices have been evaluated and tested carefully before deployment. The following are the major criteria for evaluation and deployment:
After a series of testing and fine-tuning of the network security devices, we have now strengthened the protection against various types of network attacks originated from both the Internet and internal users. In addition, the real time and historical reports clearly show how the Internet bandwidth is being used, thus providing solid information as a source for attacks forensic analysis and network policy refinement.
Currently, we have successfully blocked thousands of attacks to the University every day. Besides blocking attacks, we can also differentiate among many network applications, thus allowing us to provide better network resource to some pre-defined applications.
Furthermore, with the adoption of network security devices in the Internet Gateway of CityU, we can achieve our objectives of providing a stable, safe, fast, responsive and fair Internet access to all campus users.