IT managers at Stanford University were concerned. As security threats to colleges and universities increased, Stanford needed to keep private matters private—but at the same time, the university’s IT staff wanted to ensure that its wealth of information resources remained widely available to students, faculty, and researchers.
Yet, each academic department and school was responsible for its own network security measures, leaving this vital layer of protection an “incomplete patchwork,” school officials explained. The university needed an organization-wide firewall service that could accommodate a highly decentralized environment.
Stanford divides its campus network into eight operational zones, with each zone partitioned into multiple virtual firewall or security zones. Each security zone needed a unique set of security policies, virtual private network (VPN) access controls, and administrators.
To solve this challenge, Stanford deployed more than 20 Juniper Networks NetScreen-5000 Security Systems at the network perimeter and data center to protect the academic, administrative, and residential networks against malicious attacks and intrusions. Stanford now offers a baseline firewall service at no cost to all departments, and additional firewall services are available by request.
The Juniper Networks firewalls are deployed in redundant pairs to maximize resiliency and uptime. Full-mesh configurations allow for redundant physical paths, which also maximizes resiliency and helps the university protect its IT resources in the event of a campus emergency.
The firewalls reduced Stanford’s risk exposure and improved security compliance by offering a consistent level of firewall protection that meets the individual needs of its departments—and Stanford IT executives say the virtualized security service was deployed quickly and without disruption to IT operations.
Stanford integrated the NetScreen-5000 line of firewalls with its NetDB database, which offers a way of registering a unique name and IP address for each networked computer, to create a decentralized, self-service model in which firewall policies can be implemented hourly. The university also gained operational efficiencies by standardizing on Juniper Networks firewalls, as its IT staff no longer must manage and maintain firewalls from multiple vendors.
Northwestern University also constructs its security network in layers. “Juniper supplies our campus network border routers—the ones that connect us to the outside world, other research institutions and networks,” says Julian Y. Koh, Northwestern’s manager of network transport, telecommunications, and network services. “That’s the first place you want to start applying security filters.”
The university also uses Juniper security at the firewall layer. “We have dedicated firewall appliances in front of our data center to protect the data center and enterprise applications from attack, not just from the outside world but also from anyone on campus,” Koh says. His department gives schools within the university the option to contract with IT for their local firewall services. If a given department or school has a small number of machines to protect, IT might deploy a low-end firewall. If a school has greater demands, such as the need to protect a high-speed computing cluster or a larger number of machines, Koh can ramp up the capabilities to meet its needs.
In addition, Northwestern uses Juniper for secure remote access. The university deploys Juniper SSL VPN technology to provide secure access to sensitive data and restricted applications. With this technology in place, says Koh, it has been easy to define various roles and give users different levels of access depending on who they are.