The National Institute of Informatics (NII) is part of Japan’s Research Organization of Information and Systems (ROIS). NII performs research and development in informatics and provides information services to Japan’s entire academic community. Its engineers chose F5 technology to establish a critical application gateway with robust, centralized security independent of cloud security services.
These information services are critical to Japan’s research and higher education infrastructure. But, as NII Special Technical Expert Tatsuya Miura says, “Our systems for providing them used to have a number of shortcomings.” Services were provided using a private cloud located within NII that was costly to run, had weak disaster recovery capabilities, and had to be shut down for a day or two a year for electrical-system maintenance and inspection work.
In 2014, NII began exploring the possibility of migrating its services to the cloud to address these problems. After shifting some systems as a prelude to the total transition, several new issues came to light. “Having our services in the cloud means that sometimes we’ll have to change cloud vendors to satisfy procurement needs, which could entail changes in the quality or uniformity of security,” says Miura. “And even though using the cloud will help us recover quickly from disasters, there would always be the worry that inconsistencies could arise in DNS propagation immediately after any switchover to new equipment. This brings problems associated with permanent DNS caching in Java, too—something that could take hundreds of person-hours to address if we had to provide support to users whose client software wasn’t updating properly.”
Miura also points out that combating distributed denial-of-service (DDoS) attacks was a further sticking point. Although the purpose of the migration project was to provide several cloud-based services and deploy them from multiple data centers, acquiring DDoS mitigation resources separately for each service and data center would have entailed prohibitive costs.
NII decided to deploy an application security gateway to resolve all these issues at once. It envisioned one that would serve as a single entry point for accepting user requests—analyzing them and passing them on to the appropriate service or services. NII’s engineers knew from experience that this approach was the right one because they had already built a gateway of this kind to provide some of the organization’s services. To extend the concept to all services, they decided to pursue a hybrid configuration that would ensure security with a gateway capable of accommodating services sourced from multiple clouds.
NII specified four major conditions: the gateway had to be able to perform L7 protocol analysis and forwarding; it needed a web application firewall (WAF) and security features such as DDoS protection; it had to span several data centers; and it had to perform well enough to fully exploit SINET5’s 100 Gbps full-mesh architecture.
NII opened the project for bidding in October 2015 and built a gateway with redundancy across four data centers that went live in April 2016. The F5 BIG-IP platform played a critical role.
By deploying F5 BIG-IP solutions, NII is able to ensure system availability, protect against a wide variety of threats and attacks, and achieve total security independence.
BIG-IP solutions were deployed at four data centers around the country—with a combination of BIG-IP DNS and the BIG-IP Advanced Routing Module to provide IP Anycast addressing. This means that all four centers are now active and using the same global IP address, and end users are connected to the one in closest network proximity. If that site goes down, the BIG-IP products at the remaining centers automatically take over, guaranteeing system availability as long as at least one data center is online. (All four centers have to go down for functionality to be lost.) Deployment of F5 BIG-IQ Centralized Management makes integrated operation and central management of BIG-IP products at the data centers possible. NII is now looking into ways to leverage the system even further by building it into a platform for delivering a diversity of content services.
BIG-IP Local Traffic Manager (LTM) isolates rogue traffic associated with cyberattacks, and the gateway’s security functions deal with it before it can make its way any further inside. BIG-IP LTM fights off DDoS attacks, and NII judged it to have enough processing power to deal with even massive attacks, while BIG-IP Application Security Manager (ASM), a WAF, fends off attacks targeting applications.
“Building one ourselves taught us that adopting a product with equal or better functionality—and a track record—was the way to get an application security gateway we could rely on,” says Miura. “That brings one-of-a-kind peace of mind.” He says NII was able to build a gateway reliable enough to keep its services safe and secure even when they are sourced from multiple cloud vendors. “Right now, the gateway is premised on the use of mainly web-based services, but since the BIG-IP platform can accommodate all kinds of applications, we’re looking into using it with non-HTTP protocols as well. Given its full set of logging features, we want to use it for analyzing and dealing with traffic.” Miura says that his team will be connecting all the services NII offers to the gateway during fiscal 2017.