National University Corporation Tokyo University

BIG-IP as a high-performance firewall to protect applications from the network

Virtual appliances enable rapid response to diverse requirements

The University of Tokyo, the highest academic institution in Japan, has a bandwidth of 40 Gbps for off-campus connections and is exposed to online threats on a daily basis. The security requirements are as diverse as the applications, and it is impossible to operate the system under a uniform policy. The Information Infrastructure Center, which is responsible for network operations, has adopted security products such as BIG-IP AFM and BIG-IP ASM as virtual appliances. By providing security functions through virtual appliances that can be quickly deployed wherever they are needed, the center aims to provide network operations tailored to each application and requirement.

Business Challenge

The University of Tokyo's Information Infrastructure Center provides a variety of IT services to the university. The backbone network is an important part of that foundation. Mr. Yuji Sekiya of the University of Tokyo's Information Infrastructure Center explained the scope of his work as follows.

"We provide inexpensive, easy-to-use, and flexible services for the network connections and accompanying functions required to link the systems necessary for classes and research. Recently, security functions such as firewalls and WAFs have emerged as a new requirement for mission-critical networks."

University networks are exposed to injection attacks and brute-force password attacks on a daily basis. There is a growing demand for network security functions to be provided as part of the basic infrastructure, rather than as individual measures to be taken by users. At the same time, however, to ensure a degree of network freedom appropriate for a research institute, the university operates under a policy of not imposing uniform policies or security functions unilaterally. The need for a system in which security can be used easily and inexpensively as a basic infrastructure function is increasing every day, according to Sekiya.

"As a backbone network, we need to be able to create a system that can be protected when needed. We decided that a virtual appliance would be the best solution because it could easily provide security functions to the necessary networks by simply adding licenses," says Sekiya.

Solutions

The University of Tokyo network required basic security functions such as firewalls and WAFs, which are necessary for many systems. However, the use of Web applications is increasing, so more advanced security functions were deemed necessary. Cross-site scripting and SQL injection attacks are actually occurring on a daily basis, and conventional firewall products are no longer able to meet the demands of users. "In addition to network firewalls, we looked for a virtual appliance that could provide enhanced application security, but there were few products that satisfied our needs in terms of functionality," said Sekiya.

"There were a lot of things that were available on the physical appliance that were not available on the virtual appliance," he says. Although each vendor had a lineup of both physical and virtual appliances, there were few products that actually offered the same functionality.

The most promising candidates were F5 Networks' virtual appliance products: BIG-IP ASM (Application Security Manager), which provides WAF functionality, and BIG-IP AFM (Advanced Firewall Manager), which enhances network firewall functionality. Mr. Sekiya gave the following reasons for his selection:

"The product we felt most strongly about was the one that provided the necessary functionality and performance, while also being cost-effective as a virtual appliance."

Results

BIG-IP was first introduced to the group of virtual servers managing the core systems overseen by the Information Base Center. This was done to evaluate its usage and future applications while using it in real situations. For example, access control settings that were previously managed on the web server can now be easily configured with BIG-IP, demonstrating its ease of use right from the start.

■ Functionality Supporting Flexible Configuration

Regarding the initial impressions of operating the system, Mr. Sekiya remarked, “For research purposes, we need a network that we can operate freely.” He elaborated:
“What I first noticed was the extensive functionality. BIG-IP allows for extremely detailed traffic control settings, which I feel offers a level of control far beyond traditional firewalls. I am optimistic about the additional granularity we can achieve.”

The basic functionality of a firewall is well established. Beyond this, there is a need for comprehensive traffic control features to address various demands related to networking and security. Given that BIG-IP has evolved with a strong focus on advanced traffic control, Mr. Sekiya is confident that it will meet those expectations.

"It is equipped with the rich functionality to both secure traffic where necessary and prioritize freedom in environments where security can take a backseat. This flexibility to address precise and complex requirements makes BIG-IP particularly appealing."

■ Easily Deployable Virtual Appliances

Universities conduct diverse research, and each area has different requirements for the network. Since some departments and laboratories even use networks or IT systems themselves as research subjects, it's difficult to impose uniform policies that restrict network functionality.

“One reason we focus on virtual appliances is their ability to respond to these individual requirements,” Mr. Sekiya explained. “Additionally, virtual appliances allow for flexible configurations and decentralized management, which is another appealing aspect.”

From a management perspective, it is more efficient to provide individual virtual appliances that users can manage independently, rather than housing specialized networks as part of a multi-tenant structure. Although this approach increases the number of devices to manage, Mr. Sekiya believes that using an integrated management tool like BIG-IQ can reduce the management burden. By centrally managing multiple firewalls, they can also avoid the risk of decreased security levels due to operational errors.

■ Rapidly Delivering Security Where Needed

“There are fields where a freely operable network is essential for research,” Mr. Sekiya said. “At the same time, there are fields where users want networks to be secure from the start, without the need for added management effort. University networks must meet both of these needs.”

Mr. Sekiya noted that, unlike with corporate networks, it isn’t appropriate to impose uniform network policies. To provide the resources necessary for education and research, his vision is to create a network where 'security = convenience' rather than 'security = inconvenience'. He believes BIG-IP virtual appliances align with this vision, supporting both the mission to provide the right level of security where needed and the goal of promoting usability.

By deploying BIG-IP as security management touchpoints where necessary, the Information Base Center aims to strengthen network security further. In the future, they may also expand its application to areas like DNS protection and beyond.

“Few products are capable of addressing the diverse networking needs of a university, which are very different from those of businesses,” Mr. Sekiya remarked. “Given its advanced functionality and ease of deployment, BIG-IP virtual appliances are the most promising solution to meet the expectations of the Information Base Center.”

Benefits
  • Achieve security with virtual appliances deployable on a per-network basis.
  • Full flexibility for users to utilize all BIG-IP functions through virtual appliances.
  • License scalability based on usage size allows for delivering the necessary performance at a low cost, precisely where needed.

Challenges
  • Ensuring security across networks with varying requirements depending on their specific use cases.
  • Providing networks that users can configure freely as needed.
  • Achieving the optimal balance between flexibility, performance, and cost.

Products