Lower procurement costs and lighter operational burden due to the consolidation of network equipment
Enhanced security by encrypting all SSL communications and implementing defensive measures with WAF
Better positioned for future success for a cloud-based environment
Increase in operational cost and IT management burden
Workload applying BIND security patches
Inadequate security due to incomplete SSL encryption and functional constraints of WAF
Doshisha University, one of Japan’s oldest and leading private institutions, has approximately 30,000 students across multiple campuses in Kyoto Prefecture. As part of its tech refresh cycle, Doshisha University undertook a strategic development program to consolidate its IT infrastructure, including network equipment that provided core load balancing, and its web application firewall (WAF), to a single platform. The point solutions lacked automation, appropriate security and strong visibility, and were labor-intensive for the IT team to manage. With a decision to perform a system overhaul, the university chose F5’s BIG-IP platform to achieve its top priority of operational efficiency.
Doshisha University was in need of a tech refresh to decrease costs, improve operational efficiencies and enhance its security posture. Its existing IT infrastructure was labor-intensive and time-consuming to maintain. In addition, the institution identified security gaps at the web application level that needed to be addressed urgently.
“The previous network configuration was made up of numerous systems from multiple vendors, including a major web application firewall (WAF) solution provider,” explains Eiji Yamakita, Manager of the IT Support Office, Department of Information Planning, General Affairs Division, who manages the Information Network Section at Doshisha University.
The equipment took up considerable rack space, and individual logins to each system were necessary to perform daily operations. “We also used BIND, open source software for the Domain Name System (DNS), so applying security patches to a total of eight units several times a year was a time- and labor-intensive process,” he added.
Under the previous framework, Doshisha University was also unable to provide accurate detection coverage for websites encrypted with SSL, which meant some applications could be at risk. While traffic bound for the Data Management Zone (DMZ) was decrypted and checked by the WAF, the connections were not terminated there because of the L2 configuration. This meant that when an encryption method was updated only on the web server side, the change was not reflected or tracked on the WAF’s end, making it difficult to ensure thorough security checks. On top of that, when multiple character encodings were used in web content, the IT team lacked the capability to analyze the traffic and was consequently unable to defend against certain threats.
Furthermore, the existing solution lacked visibility and effective threat analytics reporting, which made it hard for the IT team to execute changes swiftly and at scale. Advances in automated attacks compounded these challenges and made threat detection even harder to manage.
“The threat landscape is evolving and becoming more sophisticated. Given the vulnerabilities within the existing system, I knew we needed to step up our defense and deploy a more robust security solution that would mitigate these risks. This was also a key driver for choosing F5,” says Yamakita.
To address these challenges, Doshisha University replaced its multi-vendor solution with a suite of F5 products that can be easily stacked and scaled to meet its evolving needs.
“Our most important requirement in selecting network equipment was reliability,” says Yamakita, adding that cost reductions also played a big factor for the university’s choice of vendor.
“When assessing the solutions, we found that the BIG-IP solution was able to consolidate and simplify our network configuration, without compromising performance.”
During the six-month deployment, Doshisha University worked with F5 to transform its IT infrastructure into an integrated and secure platform that was ready to scale. Using a multi-tenant feature, one BIG-IP platform was placed between the external network and the internal core router, as well as between the core router and each internal system, and the system was divided into three network segments on a per-operator basis, with operating privileges divided accordingly.
The single BIG-IP platform encompasses BIG-IP Local Traffic Manager (LTM), BIG-IP Application Security Manager (ASM), BIG-IP Advanced Firewall Manager (AFM) and BIG-IP DNS. This is where functions such as load balancing of servers inside the DMZ, control of traffic destined for internal systems, security checks following SSL decryption and defensive measures against threats are implemented. The BIG-IP Geolocation feature is also utilized to enhance user authentication. For instance, ID and password-based authentication is employed for access from within Japan, while multi-factor authentication is applied to access from overseas.
With F5 BIG-IP LTM, the university can now control network traffic and select the right destination based on server performance – and all with multi-layered defenses and availability.
The IT team also worked closely with F5 to implement a variety of security measures, including BIG-IP ASM—a comprehensive WAF—to protect them against attacks at the application layer and deliver SSL visibility. BIG-IP AFM and BIG-IP DNS were implemented to safeguard data centers against incoming threats that enter the network on the most widely deployed protocols.
“Aside from achieving significant cost reductions by consolidating our network equipment under the BIG-IP solution, our overall security posture has improved,” says Yamakita.
The greatest benefits from the consolidation have been the optimization of IT infrastructure and cost reduction. “By consolidating our network equipment with BIG-IP, we achieved significant cost reductions,” says Yamakita.
At the same time, the system produces adequate performance, and even when all web server SSL encryption is offloaded to BIG-IP, no bottlenecks have formed, he added. “There is not a single instance of users complaining that the system is slow.”
The rack space taken up by the network equipment was also reduced by one rack in total. “We actually carried out work to reinforce the server room against earthquakes at the same time as our tech refresh, but since we no longer needed one rack, we were able to reduce the floor area that required reinforcement work,” says Shigeru Todo, a member of the Information Network Section at Doshisha University. “This also contributed significantly to cost reductions,” he added.
“The deployment reduced the operational burden on the Doshisha University IT team,” says Information Network Section member Ikufumi Takagi. F5 BIG-IP LTM helped simplify system management by consolidating security, acceleration, and availability in one easy-to-manage platform through a single login. With the previous system, all servers under the load balancer had to be shut down before each planned upgrade in the server room. Since F5 BIG-IP can be upgraded without any downtime, this eliminates the need for service shutdowns. “With the previous system, we had to apply BIND security patches 11 times over four years, but with DNS functions integrated into BIG-IP, we no longer have to perform those tasks.”
Following the deployment, Doshisha University was able to gain visibility into application processes as F5 ASM can decrypt and analyze SSL traffic, detect anomalous patterns and respond to attacks. As a result, malicious traffic is automatically blocked.
“When I first looked at the BIG-IP report, I was surprised by the broad scope of what was being analyzed. I didn’t realize it was performing such in-depth checks,” noted Information Network Section member, Yugo Fujie.
Fujie also cites the ability to defend against Layer 4 to Layer 7 Distributed Denial of Service (DDoS) attacks, which were previously difficult to repel, as well as the ability to deal with spoofing attacks, as major benefits of the new system. “There’s the assurance that our systems are being solidly protected automatically, which allows us to perform operational tasks with greater peace of mind than before.”
Fujie adds that the high-degree customizability available through iRules was another big draw of BIG-IP. The team uses the flexible iRules scripting language to customize the flow of traffic between users and the system, eliminating the additional task of performing server-side processing.
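The geolocation-based step-up authentication described earlier (ID and password for domestic access, multi-factor authentication for overseas access) is the kind of traffic-flow decision iRules can express. The iRule below is an added illustration, not Doshisha University's configuration or F5 documentation; the pool names pool_password_login and pool_mfa_login are assumptions, and it assumes the BIG-IP geolocation database is installed so that whereis can resolve a country code.

```tcl
# Added illustration of a geolocation-based step-up authentication policy as an iRule.
# Assumptions (not from the case study): two pools exist, "pool_password_login"
# (ID/password only) and "pool_mfa_login" (multi-factor authentication), and the
# BIG-IP geolocation database is installed so `whereis` can resolve a country code.
when HTTP_REQUEST {
    # Resolve the connecting client's two-letter ISO country code.
    # whereis returns an empty string when the address is unknown or private (RFC 1918).
    set country [whereis [IP::client_addr] country]

    if { $country eq "JP" } {
        # Domestic client: ID and password authentication is sufficient.
        pool pool_password_login
        set tier "password"
    } else {
        # Overseas client, or an address the database cannot resolve: fail closed and
        # require MFA, so a lookup failure never weakens the authentication requirement.
        pool pool_mfa_login
        set tier "mfa"
    }

    # Tell the back end which tier was chosen so it can enforce and log it. The header is
    # removed before it is inserted so a client-supplied value cannot override the decision.
    HTTP::header remove X-Auth-Tier
    HTTP::header insert X-Auth-Tier $tier

    if { $country eq "" } {
        set country "unknown"
    }
    log local0. "auth tier=$tier client=[IP::client_addr] country=$country"
}
```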
With the latest system upgrade, Doshisha University also pursued an initiative to move systems to the cloud, which included migrating email to Microsoft Office 365.
The institution is also considering shifting its server environment to a cloud-based system to improve availability and speed up the deployment of new services.
“When outsourcing system-building work for cloud environments to multiple external contractors, it will be important for us to have a network environment in which we can entrust templated WAF setting operations to enable swift security implementation,” says Yamakita. “This needs to be done while maintaining our delivery of service and user experience, with the appropriate management of operating privileges for both Doshisha University and the contractors,” he adds. For this reason, the institution is also considering using BIG-IP Cloud Edition, which supports multi-cloud systems, and leveraging BIG-IQ for its administrative infrastructure.
With the adoption of BIG-IP, Doshisha University has not only reduced costs and enhanced security, but is also opening up new possibilities in terms of application delivery.