York University Boosts Network Security and Performance with Next-Generation Firewall Upgrade
By Luke Gagliardi, October 3, 2024
UIT is excited to share that we’ve successfully implemented a next-generation firewall system. This project, which has been in development for over a year, marks a major milestone for our network infrastructure and revolutionizes our security, performance and reliability.
What is a firewall?
A firewall is like a security guard for a network. It monitors and controls the flow of data entering and leaving the network, deciding what’s safe and what might be harmful. Like a bouncer checks IDs and okays people at the door, a firewall examines data traffic—like emails, websites, and files—and blocks anything suspicious to keep the network secure.
Just like any bouncer left too long at their post, our old firewall was aging and getting tired—becoming slow and easier to trick. It was becoming not only a risk, but a performance bottleneck.
We needed something cutting-edge that could handle emerging technologies and evolving threats. Something robust enough to remain future-proof and agile enough to adapt to the rapid changes in the global IT ecosystem. It turned out we didn’t just need a firewall; we needed two. The dual-firewall approach, one firewall for the data-centre core and one for the perimeter, meant a complete reimagining of our infrastructure security.
Our Approach
Protect the Core
The first new firewall was deployed at our data centre. It oversees our internal server-to-server communications, preventing unauthorized access between systems and restricting lateral movement by malicious actors who gain a foothold inside our core.
The core firewall not only enhances our security but also simplifies policy management. Our previous firewall rules were tied to specific devices, meaning we needed to manage a separate rule for each device authorized on our network. If someone who was already permitted through the firewall switched devices, their access was blocked until the rules were updated for the new device. This was an inflexible system held together by layers of individual rules, and the complexity compounded over time. The new core firewall employs user-based rules, allowing access based on the identity the firewall has associated with the traffic rather than the device it came from. With role-based access, our environment is easier to manage, more consistent, and involves significantly less operational waste.
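The difference between the two rule models can be shown with a small policy evaluator. The following is an added illustration, not UIT's configuration and not any vendor's rule syntax: the addresses, user names, groups and rules are all constructed, and the identity map stands in for the user-to-IP mapping a real firewall builds from login events. It evaluates the same flows against a device-based rulebase (one rule per authorized device) and a user-based rulebase (one rule per role), and also shows the caveat that comes with user-based rules: their accuracy depends on the identity mapping being current.

```python
"""Added example: device-based versus user-based rule evaluation.

Not UIT's configuration or any vendor's rule syntax. All addresses, names,
groups and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Sequence, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    dst_net: str
    dports: FrozenSet[int]
    src_ips: FrozenSet[str] = frozenset()     # device-based: match on source address
    src_groups: FrozenSet[str] = frozenset()  # user-based: match on mapped identity

    def matches(self, flow: Flow, groups: FrozenSet[str]) -> bool:
        if ip_address(flow.dst_ip) not in ip_network(self.dst_net):
            return False
        if flow.dport not in self.dports:
            return False
        if self.src_ips and flow.src_ip not in self.src_ips:
            return False
        if self.src_groups and not (self.src_groups & groups):
            return False
        return True


# Identity mapping: source IP -> (user, groups). A real firewall fills this
# from authentication events (VPN, 802.1X, directory logs) and expires entries.
IdentityMap = Dict[str, Tuple[str, FrozenSet[str]]]

IDENTITY: IdentityMap = {  # constructed
    "10.20.1.15": ("lslater", frozenset({"net-admins"})),
    "10.20.1.77": ("lslater", frozenset({"net-admins"})),  # same person, replacement laptop
    "10.20.1.90": ("guest01", frozenset({"guests"})),
}

# Old model: one rule per authorized device.
DEVICE_RULES: Sequence[Rule] = (
    Rule("lslater-laptop-ssh", "10.50.0.0/24", frozenset({22}),
         src_ips=frozenset({"10.20.1.15"})),
)

# New model: one rule per role, independent of device.
USER_RULES: Sequence[Rule] = (
    Rule("net-admins-ssh", "10.50.0.0/24", frozenset({22}),
         src_groups=frozenset({"net-admins"})),
)


def evaluate(flow: Flow, rules: Sequence[Rule], identity: IdentityMap) -> str:
    """First-match evaluation with an implicit deny when nothing matches."""
    _user, groups = identity.get(flow.src_ip, ("unknown", frozenset()))
    for rule in rules:
        if rule.matches(flow, groups):
            return rule.name
    return "deny-default"


def compare(flow: Flow, identity: IdentityMap = IDENTITY) -> Tuple[str, str]:
    """(result under device-based rules, result under user-based rules)."""
    return (evaluate(flow, DEVICE_RULES, identity),
            evaluate(flow, USER_RULES, identity))


if __name__ == "__main__":
    for f in (Flow("10.20.1.15", "10.50.0.10", 22),     # original laptop
              Flow("10.20.1.77", "10.50.0.10", 22),     # replacement laptop
              Flow("10.20.1.90", "10.50.0.10", 22),     # guest account
              Flow("10.20.1.15", "10.50.0.10", 3389)):  # port no rule permits
        print(f, compare(f))
```

The replacement laptop is the case the text describes: the device-based rulebase denies it until someone writes another rule, while the user-based rulebase allows it because the identity mapping already says who is behind the new address. The reverse case is the one to keep in mind operationally: if 10.20.1.15 is later handed to a guest, the device rule keeps allowing SSH, and the user-based rule only denies it if the identity mapping has been refreshed, so the quality of that mapping is now part of the security boundary.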
Safeguard the Perimeter
Our perimeter firewall monitors and controls all incoming and outgoing traffic to filter out unauthorized access attempts and block malicious redirections. The firewall’s automated threat detection and Intrusion Prevention System (IPS) continuously inspect traffic crossing the perimeter, matching it against signatures of known exploits and flagging suspicious activity so that threats can be blocked before they cause harm.
Remarkable Performance
One of the project's most impressive outcomes is the dramatic improvement in network performance. The new firewall system has increased average throughput from 12 megabytes per second to 528 megabytes per second, a roughly 44-fold increase, and cut latency from 81 milliseconds to just 1.8 milliseconds. The team puts the overall gain at a 4205% improvement in performance, a figure that speaks for itself.
“These performance gains are a game-changer for our infrastructure,” ICT Infrastructure Director Steve Ojwang noted. “Tasks that used to take hours can now be completed in minutes, but most importantly, we achieved these gains while improving our security posture."
Advanced Security Capabilities
The new firewall technology enables us to be on the cutting edge of network security by giving us more granular control over how we provide and protect our services. Some of the new tools in our belt include:
- DNS Protection: A new feature introduced to protect against domain-based attacks. DNS protection is a security measure that safeguards the process of translating domain names (like "example.ca") into the IP addresses used to locate and connect to websites. If a phishing message tries to send you to a look-alike site to steal your information, DNS protection can block the lookup of a domain known to be malicious before any connection is made. It is one layer of defence rather than a guarantee, so the usual care with links and credentials still applies.
- WildFire: This cloud-based service shares threat intelligence among all participating networks. WildFire analyses suspicious activity and files; when it finds something malicious, it compares it to what other networks around the world have seen to help stop it. If a threat is found in one place, WildFire alerts all connected systems to block it, protecting everyone from new dangers. This helps us learn about and guard against threats before they have a chance to harm us.
- URL Filtering: This allows the university to block access to specific websites, including malicious, adult, gambling, social media, streaming, and piracy sites.
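To make the DNS Protection item concrete, here is an added example of the kind of decision a DNS-protection layer makes for each query. It is an illustration, not UIT's configuration and not any vendor's product logic: the blocklist, the sinkhole address, the thresholds and the query log lines are all constructed. It covers two things the list item does not spell out: a blocklisted domain is matched together with all of its subdomains and answered with a sinkhole address, and a long, random-looking label (the pattern of DNS tunnelling or algorithmically generated domains) is only alerted on, because a heuristic like that produces false positives and should not block on its own.

```python
"""Added example: policy applied to DNS queries by a DNS-protection layer.

Not UIT's configuration or any vendor's product logic. The blocklist,
sinkhole address, thresholds and log lines are constructed for illustration.
"""
import math
from collections import Counter
from typing import List, Tuple

# Constructed blocklist of known-malicious domains. A real feed is far larger
# and updated continuously; an entry covers the domain and all its subdomains.
BLOCKLIST = {
    "login-verify.example.org",   # constructed credential-phishing domain
    "updates.bad-cdn.example",    # constructed malware-distribution domain
}

# Returned instead of the real answer so the client connects nowhere useful
# and the attempt is logged. Documentation address, RFC 5737.
SINKHOLE_IP = "198.51.100.1"

MIN_TUNNEL_LABEL = 24      # assumed: legitimate labels this long and random are rare
MIN_TUNNEL_ENTROPY = 3.5   # assumed threshold, bits per character


def normalise(qname: str) -> str:
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return qname.strip().rstrip(".").lower()


def is_blocklisted(qname: str) -> bool:
    """True if qname or any parent domain of it is on the blocklist."""
    labels = normalise(qname).split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_like_tunnel(qname: str) -> bool:
    """Heuristic for DNS tunnelling or DGA names: a long, high-entropy label."""
    return any(
        len(label) >= MIN_TUNNEL_LABEL and label_entropy(label) >= MIN_TUNNEL_ENTROPY
        for label in normalise(qname).split(".")
    )


def decide(qname: str) -> Tuple[str, str]:
    """Return (action, answer). Known-bad names are sinkholed; heuristic hits
    are alerted on but still resolved, because heuristics misfire."""
    if is_blocklisted(qname):
        return "sinkhole", SINKHOLE_IP
    if looks_like_tunnel(qname):
        return "alert", "resolve-normally"
    return "allow", "resolve-normally"


def process_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Apply decide() to constructed 'timestamp client qtype qname' log lines."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than guess at its fields
        _ts, client, _qtype, qname = parts
        action, _answer = decide(qname)
        out.append((client, normalise(qname), action))
    return out


# Constructed query log (the long hex label stands in for an encoded payload).
SAMPLE_LOG = [
    "2024-10-03T09:14:02Z 10.20.1.15 A www.example.ca",
    "2024-10-03T09:14:05Z 10.20.1.15 A cdn.login-verify.example.org.",
    "2024-10-03T09:14:09Z 10.20.1.90 A updates.bad-cdn.example",
    "2024-10-03T09:14:12Z 10.20.1.77 TXT c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2.t.example.net",
    "2024-10-03T09:14:15Z 10.20.1.77 A mail.example.ca",
]

if __name__ == "__main__":
    for client, qname, action in process_log(SAMPLE_LOG):
        print(f"{client:12} {action:9} {qname}")
```

The suffix walk in is_blocklisted is what makes a single list entry cover every host under a malicious domain, which is how a look-alike site served from a fresh subdomain still gets caught; the entropy check is deliberately a separate, softer action so that a legitimate but odd-looking name (a content-delivery or telemetry hostname, for instance) is reviewed rather than broken.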
Kudos
This project was a major milestone for UIT and York University. Beyond strengthening our security, we've boosted our capacity to deliver high-performance service. This achievement was the result of immense effort, collaboration, and expertise from our dedicated team, who deserve all our praise.
Kudos first goes to Linda Slater, our Senior Network Designer, whose creativity revolutionized the original design and whose vast knowledge of the existing network infrastructure led to a successful implementation. Her leadership over the past several years has been crucial to the network’s transformation and we couldn't have done it without her.
A project as complex as this involves so many people, but there are a few more we want to shine the spotlight on. Our CIO, Brad Strom, had the following to say about the team:
"I wish to extend special recognition to the following exceptional staff: Steve Ojwang, Mansoor Khan, Revital Gorsht, Linda Slater, Andy Ho, Luis Carlo, Tim Gao, Mohammed Adam, Jonas Baguioro, Jean Chan Kong, Karandeep Singh, Viquar Syed, Peter Marques, and Rob Jefferson, along with all the devoted team members who contributed to this remarkable achievement. Your meticulous planning, effective execution, and collaborative spirit exceeded our highest expectations. Your unwavering dedication to excellence and commitment to our shared objectives are truly praiseworthy."
This project addressed significant challenges, and only through the collaboration of these incredible people did we achieve success. The upgraded technology allows us to scale operations and handle tasks previously out of reach and enables new opportunities for us to grow as an institution.
Looking Ahead
With our new firewalls watching our backs, we're ready to look forward. Our network team will continue to expand our firewall features to further enhance our security. We'll be rolling out more advanced filtering capabilities and continuing to optimize the network for even greater performance.
“This is just the beginning,” Steve Ojwang remarks. “As we continue to unlock the full potential of this new system, we’re confident that it will provide even greater benefits to the university.”