Admin Firewall Deployment

by Cyril Ha


Information System Security has been a key concern over the past many years as more and more business processes rely on Information Technology to operate.  Alike many other organizations, the usual first line of defense would be Internet protection with security devices such as a perimeter firewall.  However, this type of protection cannot address the challenges posed to network security for universities.  Security enhancement at universities is even more challenging as security control and academic freedom, at certain extent, conflict with each other, and there are just too many devices connecting to the network with different purposes and usages.

To address these challenges, the Computing Services Centre (CSC) has been implementing internal admin firewalls to better segregate departmental networks and to guard undesirable internal traffic within the campus network.

These internal firewalls are Next Gen​eration Firewalls (NGFWs).  NGFW provides additional protection comparing to the traditional ones which monitors traffic from Open Systems Interconnection (OSI) layer 2 (Data Link Layer) through layer 7 (Application Layer).  Policies can be defined based on user and application, rather than low-level network ports and addressing.  For example, NGFW includes integrated intrusion detection systems (IDS) and intrusion protection systems (IPS) that detect attacks based on traffic patterns, user behaviour, threat signatures, etc.  These functionalities perform deeper inspection and improve packet-content filtering of network traffic up to the application layer. 


Current Situation

As shown in figure 1 below, the existing departmental networks are interconnected via the CityU campus Core network.  Traffic can flow freely between the departmental networks; hence, if a workstation has been infected by virus / ransomware, workstations in another department may also get infected.

 Figure 1:  High Level Network Diagram of Current Departmental Network Setup


Admin Firewall Deployment Approach

A pair of admin firewalls are deployed to mitigate similar threats and they will act as barriers between each departmental network and the CityU Core network.

Upon completion, firewall policies would be deployed to control the traffic flow amongst departmental networks.  In principle, traffic will be allowed on a need basis, and the firewalls will block all unknown and unregistered inter-departmental traffic.

Diagram below shows the high-level design and the traffic flow after implementing the admin firewalls.

 Figure 2:  High Level Network Diagram with Admin Firewall added


Migration Steps

The migration of each departmental network under the Admin Firewall protection will be done in several phases as listed in the table below:







Traffic re-route

30 minutes

Re-route departmental traffic to pass through the Admin Firewall

Departmental traffic need to go through the Admin Firewall for inspection, classification, control and protection



Two weeks after migration

Firewall will monitor but not block the traffic

Learn the traffic pattern as the input to define firewall rulesets


Firewall ruleset testing and fine-tuning

At least four weeks after monitoring phase


Firewall rulesets will be implemented and allow all traffic by default unless controlled by rulesets

Test and fine-tune the firewall rulesets



After ruleset testing phase

Firewall will protect the department and deny all traffic by default if the traffic is not allowed by the rulesets

Protect the department with firewall rulesets


Implementation Plan

The migration process will be conducted in sequence initially for administrative departments.  The Central IT will be amongst the first to migrate to the firewall protected networks.  After the Central IT migration, Internet of Things (IoT) networks such as the Car Park System and the EV Charger Systems will subsequently be migrated.  Other administrative departments will follow.