BIG-IP ASM enables protection against DDoS attacks at the application level
Improved manageability of firewall by unifying the system that included two each of firewall and load balancing units into a single BIG-IP unit
Ability to use DNS proxy function to separate the resolver for accesses from outside
Improve firewall manageability
Acquire advanced protective measures against DoS and DDoS assaults
Shield DNS servers from direct attacks
The University of Tsukuba needed productive measures to counter DDoS attacks. Using F5, the institution gained an integrated, proactive approach that stopped its DNS infrastructure from becoming prey to targeted assaults.
The University of Tsukuba has roots dating back to 1872 when it was Japan’s first teachers’ school. Today the university is known as Japan’s premier higher-education institute, offering a wide range of degree programs, many taught entirely in English. In addition to graduating students with solid workforce readiness, Tsukuba uses its influence to promote applied researches with scientific and social values through collaboration among industry, academia, and government.
Current trends inform us that cybercrimes are on the rise and that they’re becoming more malicious and widespread. As a response, organizations are revving up security technologies so that their network and sensitive data are appropriately safeguarded. Seeing weaknesses within its existing system, Tsukuba sought to deploy more robust security solutions that would lower risks.
The first issue the university wanted to eliminate linked to its reliance on a legacy system. The present system contained multiple units of firewall equipment spanning two campuses. For each separate domain there was also a separate DNS server, and since Tsukuba’s DNS servers were outdated, they were easy prey.
As it stood, Tsukuba’s existing structure required that all academic divisions administer and manage its own network. In turn, this created the need for numerous network administrators, many who had assumed their new role due to their predecessors’ retirement. “Those with the responsibility may not have had sufficient knowledge in network administration. This could cause unexpected network failures or worse, create unsecure networks,” stated Professor Akira Sato, Associate Professor, Academic Computing and Communications Center for Information Infrastructure.
Another issue Tsukuba wanted to fix was their lack of a reliable security measure that would be especially effective protecting applications. And there was no question that Tsukuba needed the capacity for DNS servers to scale for heavy loads and gain the capacity to monitor and interpret any intrusive network activity.
We are seeing more DoS and DDoS attacks lately. To guard us against them, we’ll need a measure at the application level, such as the one F5 offers.
Since 2004 the University of Tsukuba has leased its network equipment and replaced it about every six years. “Centralization of management and security improvement were the big targets for the recent replacement and F5 had been on our radar for a while,” explained Dr. Sato. Therefore when the next network renewal was due, Tsukuba found it easy to finalize their decision and leverage F5 BIG-IP.
The first deployment consisted of installing BIG-IP 7200 into the access pathway that handled all accesses from outside Tsukuba campuses. This condensed multiple pieces of equipment used in the boundary firewalls for load sharing into a single unit. With all functions going through a unified system, manageability was instantly gained.
“We are seeing more DDoS attacks lately,” Dr. Sato stated. “To guard us against them, we need a measure at the application level.” While BIG-IP AFM provided a static measure at the IP address level, it was the Web Application Firewall (WAF) services within BIG-IP ASM that offered the security level and flexibility Tsukuba needed close to apps—DDoS attacks and other unknown vulnerabilities didn’t stand a chance.
By updating Tsukuba DNS servers the entire DNS infrastructure would be enhanced. “The DNS proxy feature makes guarding against DNS attacks easy,” commented Dr. Sato. The DNS proxy was a highly hoped for feature because it enables separating DNS resolvers for internal and external accesses, making it easy to guard against DNS assaults.
With these issues fixed, Tsukuba felt assured it had gained an integrated, proactive approach that would enable it to thwart DDoS attacks and other system assaults.
Centralization of management and security improvement were the big targets for the recent replacement.
“By taking advantage of the various BIG-IP security features, we have better protection for our network and we have fewer administrators involved,” commented Dr. Sato.
As a single unit, the installed BIG-IP 7200v handled the maximum throughput of 40 Gbps, providing a safe margin from the influx of external packets all while simultaneously load balancing server traffic.
Without worry of brand damage, revenue loss and the threat of defecting partners, students and strategic alliances, Tsukuba can focus on its organizational cause.
The combination of resilient architecture and functionality in a single appliance gives Tsukuba the flexibility to customize and scale the solution so that DNS servers support heavy loads and block massive attacks.