Keio University’s Information Technology Center (ITC), located in Mita, operates and manages both its local network and the backbone for the entire university’s core network. Keio’s network VPN solution provided the flexibility needed but created serious security concerns. Keio recently introduced F5 application delivery services to complement its existing load balancing system. This VPN overhaul closed security gaps and made it easy to introduce SSL in the educational/research system, reducing network operational burden. Keio also has plans to utilize F5’s web application firewall solution to enhance the protection from cyber-attacks.
Maintaining security is an important issue in university systems. Because these networks generally contain not just office systems for the staff but also student websites and research team servers, implementing the right security level can be a complicated task.
Keio University’s network places a core switch in each of its campuses, all of which are connected by the primary network. Though each campus has its own ITC to manage the intra-campus network, the ITC headquarters is responsible for both the Mita campus network and the system as a whole. Within Mita, two networks with different characteristics, namely the educational/research network for students and the office network for staff and outside vendors, coexist using BIG-IP appliances.
“We did use BIG-IP as a load balancer, but the VPN appliance for accessing the office system was provided from another vendor, and the VPN connection was realized with L2TP and IPSec,” recalls Mizuki Otsuka, who manages the operation of the office system. However, the VPN appliance was configured to allow authenticated users access to all of the networks under the VPN appliance. “Because the office system is accessed not just by the university staff but also by outside service providers, the system was by no means sufficiently secure, which had been pointed out for some time. In addition, the hash function used was SHA-1 and it had to be replaced with SHA-2.”
The university also had to address increasing demands on the web server and the certificate management process. “Because of the large number of appliances we had, not all of them could be installed in the server room equipped with uninterruptible power supply. BIG-IP had to be placed in a different server room that had to experience planned outages, which further increased our operational burden. Since we already had BIG-IP, we wanted to take better advantage of its features to combine different appliances,” said Otsuka.
Keio University replaced its existing BIG-IP instance with the latest model and BIG-IP Local Traffic Manager (LTM) in August of 2015. Due to the approaching expiration of leasing contracts for their network appliances, Keio also introduced BIG-IP Access Policy Manager (APM) in September of that year. BIG-IP APM eliminated the need for the university’s VPN appliance from the other vendor, so it became possible to install the new BIG-IP system in the server room equipped with uninterruptible power supply.
All routes from the main system to the BIG-IP instance lead to one of two global IP addresses (GIPs): one for the educational/research system and another for the office system. Requests to the educational/research system are load-balanced by the LTM before continuing to the web servers. Requests to the office system pass through BIG-IP APM for VPN credential verification before reaching the office server. The Secure NAT function of the BIG-IP appliance automatically assigns return routes to the appropriate GIP.
“The VPN access with BIG-IP uses SSL VPN that authenticates users with their user ID-password pairs along with the access control mechanism based on the IP and MAC addresses from which the accesses are made,” Otsuka explained. Each user’s access privileges define which areas that user is allowed to reach. Upgrading the hash function used for the VPN to SHA-2 also contributes to the enhanced security.
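The access-control change described in the two paragraphs above, as an added illustration that is not Keio’s configuration or F5’s code: a small Python model contrasting the old appliance, which granted every authenticated user every network behind it, with a policy that also checks the source IP and MAC address and limits each user to assigned areas. The users, addresses and area names are constructed sample data.

```python
# Added example (not Keio's or F5's configuration): a minimal model of the
# VPN access-control change described above. Users, addresses and area
# names below are constructed sample data, not the university's.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OFFICE_AREAS = {"hr", "finance", "vendor-portal"}  # constructed area names


@dataclass
class Session:
    user: str
    password_ok: bool  # result of the user ID / password check
    src_ip: str
    src_mac: str


@dataclass
class Policy:
    areas: dict      # user -> set of areas that user may reach
    src_nets: dict   # user -> list of permitted source networks
    src_macs: dict   # user -> list of permitted source MAC addresses


def old_policy(session: Session) -> set:
    """Old appliance: one credential check, then every network behind it."""
    return set(OFFICE_AREAS) if session.password_ok else set()


def new_policy(policy: Policy, session: Session) -> set:
    """Credentials AND source IP AND MAC must all pass; then only assigned areas."""
    if not session.password_ok:
        return set()
    ip = ip_address(session.src_ip)
    if not any(ip in ip_network(n) for n in policy.src_nets.get(session.user, [])):
        return set()
    allowed_macs = {m.lower() for m in policy.src_macs.get(session.user, [])}
    if session.src_mac.lower() not in allowed_macs:
        return set()
    return set(policy.areas.get(session.user, set())) & OFFICE_AREAS


# Constructed sample policy: a staff member and an outside vendor.
SAMPLE_POLICY = Policy(
    areas={"staff1": {"hr", "finance"}, "vendor1": {"vendor-portal"}},
    src_nets={"staff1": ["10.10.0.0/16"], "vendor1": ["203.0.113.0/24"]},
    src_macs={"staff1": ["AA:BB:CC:00:00:01"], "vendor1": ["AA:BB:CC:00:00:02"]},
)
```

Run both policies against a vendor session to see the difference: the old policy returns all three areas, the new one only the vendor portal, and nothing at all when the source address is not on the vendor’s list.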
Using SSL for the educational/research system is also easier, particularly because the SSL accelerator function of BIG-IP LTM mitigates the burden on the web servers while the certificates are centrally managed.
Consolidating network appliances eases the operational burden on Keio’s ITC headquarters. With the previous system, all servers under the load balancer had to be shut down before each planned outage in the server room. Reduction of the maintenance cost is another benefit of the new system, according to Otsuka.
Otsuka says Keio is planning to migrate three staff mail servers to BIG-IP appliances shortly. This will make it easier to use SSL for e-mails, further enhancing the communication security.
Keio is also evaluating the introduction of BIG-IP Application Security Manager (ASM), F5’s web application firewall (WAF). “Lately, we have encountered fraudulent accesses from overseas to our educational/research system. Since universities often become targets of cyber-attacks, we expect BIG-IP to be helpful in protecting ourselves,” says Otsuka.