A proposal to the CSU UTFAB
Steve Lovaas, ACNS
January 31, 2012
A Future-Proof Firewall: Juniper SRX 5800

Presentation overview
- Split costs with ACNS for the purchase of a pair of 10-gig capable firewalls for the University datacenter
  - The risks
  - Current protections
  - The speed problem
  - The solution: Juniper SRX 5800
  - Support, sustainability
  - Costs

Current state of risk (1)
- Symantec annual threat report, 2011
  - Over 3 billion malware attacks in 2010
  - Targeted attacks evolving (not just via spam)
  - Increased use of attack toolkits (automation, quicker)
  - Mobile threats increase (harder to lock down than desktops)
  - http://msisac.cisecurity.org/resources/reports/documents/SymantecInternetSecurityThreatReport2010.pdf

Current state of risk (2)
- FBI report, 2011
  - “There are a variety of people and organizations within and outside the United States who may seek to improperly or illegally obtain information from US institutions of higher education: foreign and domestic businesses, individual entrepreneurs, competing academics, terrorist organizations, and foreign intelligence services.”
  - http://www.fbi.gov/about-us/investigate/counterintelligence/higher-education-and-national-security

Student data at risk
- Most central applications that students use are in the datacenter in Engineering E7
  - RamWeb, AriesWeb, Banner student information system, library
  - SSNs, bank account numbers, grades, student information

Our current defenses
- Several Juniper SSG-series firewalls
  - IS servers, ActiveDirectory/DNS
- ACNS web servers not firewalled
  - Server defenses instead (iptables, web server)
- IDS (Snort), log monitoring (QRadar)
- Vulnerability scanning (Nessus, AppScan)
- Client security (Symantec, Safe*Connect)

The problem? Speed!
- 10 gigabits per second
  - Moore’s Law: individual servers getting faster
  - Virtualization: multiple 1-gig servers on one host
  - CSU core network routers, switches support it
  - Firewall market slower to respond (and expensive)
  - Our current firewalls can’t (and won’t) do it
- 100 gigabits per second
  - Already shipping to the ISP router market
  - Won’t be far off for CSU

Solution: a “future-proof” firewall
- Familiar interface, company, support
- 10-gig interfaces now
- Backplane support for 100-gig when it comes
- Intrusion Prevention available
- High-availability cluster for uptime

The Juniper SRX 5800
- Meets all criteria (speed/features/support)
- Uses JunOS code (like our border routers)
- SRX series in use at CU, DU, UW
- Juniper engineering staff will assist with all configs, upgrades

Support & sustainability
- High-availability pair for ensuring uptime
- 3 years of next-day support
- Helpdesk, NOC 24x7 on-call, ACNS security team
- Config backups, uptime monitoring
- “Future-proof” platform
- Juniper engineering support for configs/upgrades

The finances
- Hardware: $177,469.50
  - Chassis, power supplies, service & line cards
- Support: $92,644 ($30,888/yr)
  - 3-yr next-day support for all hardware
- No additional staffing or professional services
- ACNS 50% cost-sharing offer
- UTFAB request: $135,066.75

Questions?
Steve Lovaas, IT Security Manager, ACNS
Steven.Lovaas@ColoState.edu, 970-297-3707