47 - March 2006
of Network Security Devices
New viruses, worms and software security vulnerabilities of all types are discovered on the Internet. Network security is becoming an ongoing network monitoring and management activity. In response to these security hazards, the Computing Services Centre (CSC) continuously makes use of the most advanced technologies and security management devices to protect the campus network. This article depicts the current technologies and security devices that are deployed by the CSC. The objective of such effort is to provide Internet access to all campus users with the following:

- Safe and Stable Internet Environment
- Fast Access and Quick Application Response Time
- Fairness in sharing Internet bandwidth

We are not only protecting against attacks originating from the Internet; our deployment also caters for the detection of, and protection against, attacks generated by internal users.
Deployment of Security Devices

To achieve the above objectives, a number of security devices are deployed between the campus backbone and the Internet. These devices can be divided into three categories:

Internet Router and Firewall

The router and firewall enforce the network policy and permit only allowed traffic/protocols from the correct IP address range, in the correct connection state, to pass through. The policies are rather static and packet examination is performed by specific hardware. This provides a fast filtering mechanism to reject all packets that violate the network policy.
Intrusion Protection System (IPS)

Even network packets that are allowed to pass through the firewall may contain viruses. For example, all email traffic must be allowed to pass through the firewall, as indicated in our firewall policy. In this regard, the IPS provides a second level of network packet examination based on its knowledge of attack signatures, normalized traffic patterns and behavior. To put it simply, the IPS is like "Anti-Virus" software running in a network appliance that examines network packets at multi-gigabit rates. For details about the IPS deployment in CityU, please visit: http://www.cityu.edu.hk/csc/netcomp/sep2004-5.htm
With numerous network applications running across our campus network at the same time, these applications all compete for Internet bandwidth. How can we allocate the Internet bandwidth to satisfy academic needs in a fair and scientific manner? A packet shaping device helps us to make a fair allocation. The packet shaping device can automatically learn and classify network traffic flowing inline across it. In addition to blocking and permitting network packets, a traffic shaping device can also increase, shape and guarantee bandwidth for some pre-defined applications. The following traffic parameters are used to shape network traffic:

- Incoming and Outgoing Bandwidth
- Number of concurrent network connections allocated
With the advance of traffic shaping technologies, the above shaping policy can be applied to each application generated from a specific IP address. This prevents one host from dominating a certain application and using up all the provided bandwidth. In addition, the real-time alerts and reports generated by the packet shaping device clearly show how the Internet bandwidth and connections are being allocated and consumed. The figure below demonstrates how the report provides such network information to the administrator.
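As an added illustration of the per-host, per-application shaping policy described above (example code, not the CSC's device configuration, which this page does not show), the following Python simulation enforces bandwidth and concurrent-connection limits keyed on (source IP, application) and produces a per-key report like the live statistics a shaper displays. The policy values and the port-based classification are assumptions.

```python
from collections import defaultdict

# Constructed example policy (assumed values, not the CSC's real settings):
# application -> (max kbit/s per source IP, max concurrent connections per source IP)
POLICY = {"http": (2000, 20), "p2p": (200, 5)}
DEFAULT_LIMIT = (500, 10)
# Crude port-based classifier (assumption); a real shaper learns applications inline.
PORT_APP = {80: "http", 443: "http", 6881: "p2p"}


class PerHostShaper:
    """Enforce bandwidth and connection limits per (source IP, application) pair."""

    def __init__(self, policy=POLICY, default=DEFAULT_LIMIT):
        self.policy, self.default = policy, default
        self.conns = defaultdict(set)           # (ip, app) -> active connection ids
        self.sent_kbit = defaultdict(float)     # (ip, app) -> kbit allowed this second
        self.dropped_kbit = defaultdict(float)  # (ip, app) -> kbit refused so far

    def classify(self, dport):
        return PORT_APP.get(dport, "other")

    def limits(self, app):
        return self.policy.get(app, self.default)

    def open_connection(self, ip, dport, conn_id):
        """Admit a new connection only while this host is under its cap for the app."""
        key = (ip, self.classify(dport))
        if len(self.conns[key]) >= self.limits(key[1])[1]:
            return False                        # host already holds its share
        self.conns[key].add(conn_id)
        return True

    def close_connection(self, ip, dport, conn_id):
        self.conns[(ip, self.classify(dport))].discard(conn_id)

    def send(self, ip, dport, kbit):
        """Return how much of this burst fits in the host's per-second allowance."""
        key = (ip, self.classify(dport))
        allowance = self.limits(key[1])[0] - self.sent_kbit[key]
        allowed = max(0.0, min(float(kbit), allowance))
        self.sent_kbit[key] += allowed
        self.dropped_kbit[key] += kbit - allowed
        return allowed

    def tick(self):
        """Start a new one-second interval: bandwidth counters reset, connections persist."""
        self.sent_kbit.clear()

    def report(self):
        """Per host/application view, like the live statistics the shaper displays."""
        keys = set(self.conns) | set(self.sent_kbit) | set(self.dropped_kbit)
        return {k: {"conns": len(self.conns[k]), "kbit": self.sent_kbit[k],
                    "dropped": self.dropped_kbit[k]} for k in sorted(keys)}
```

Because every counter is keyed on the host as well as the application, one host exhausting its p2p allowance leaves other hosts' allowances untouched.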
Figure 1 Real Time Traffic Statistics generated by Traffic
Besides just blocking or permitting certain IP addresses and applications, network administrators can now gain a better understanding of application characteristics (bandwidth, connection and time/latency requirements) from the above live statistics. This enables us to derive a shaping policy that allocates appropriate bandwidth and connections to users and applications and satisfies the actual, real-time needs of the University. At the same time, some non-critical applications can still enjoy the remaining network bandwidth that would otherwise be wasted. This achieves the objective of providing fast access and quick response time in a prioritized, fair and scientific manner.
Roles of Internet Security Devices

With the deployment of the above security management devices, many network attacks are blocked. The table below summarises the functions and roles of the network security devices deployed in the campus.
Table 1 Roles of Network Devices in Security Protection (only fragments of the table survive: "IPS, Packet Shaper", "Force Login Attempt", "Bandwidth, Connection Shaping")
All of the above devices have been evaluated and tested carefully before deployment. The following are the major criteria for evaluation and deployment:

- in traffic classification
- of False Alarm/Positive
- of the policy/configuration setting
- of Real Time and Historical Statistics
- and Response in the update of Attack Signature
- Maturity and Development Status
After a series of tests and fine-tuning of the network security devices, we have now strengthened the protection against various types of network attacks originating from both the Internet and internal users. In addition, the real-time and historical reports clearly show how the Internet bandwidth is being used, thus providing solid information as a source for attack forensic analysis and network policy refinement.

We have successfully blocked thousands of attacks on the University every day. Besides blocking attacks, we can also differentiate among many network applications, thus allowing us to provide better network resources to some pre-defined applications.

With the adoption of network security devices in the Internet Gateway of CityU, we can achieve our objectives of providing stable, safe, fast, responsive and fair Internet access to all campus users.