Background
Founded in 1871 as a land-grant institution, the University of Arkansas is consistently ranked among the nation's top public research universities and recognized for exceptional values. The Carnegie Foundation classifies the university as having "the highest possible level of research," placing it among the top 2 percent of colleges and universities nationwide. Widely known by its school mascot, the Razorback, U of A comprises 10 colleges and schools offering more than 210 academic programs for more than 27,000 students.
Story Summary
The University of Arkansas, a leading public research university and the pride of Arkansas, saw massive growth in its student population that choked its previous monolithic firewall solution, creating network instability. To improve reliability and flexibility in its network security infrastructure, U of A replaced its legacy firewall with Palo Alto Networks® Next-Generation Security Platform. This enabled the university to deploy multiple next-generation firewalls to separate its data center and campus traffic, strengthening security without adding complexity due to the platform's integrated, orchestrated security features.
Since adopting the platform, the U of A has gained more fine-tuned control over network traffic, with application-based policies that simplify deployment and strengthen enforcement. This has allowed the university to be more strategic in how it implements network security to ensure open, unrestricted access for students and faculty without putting critical assets or private information at risk. With a consolidated view of the entire network security landscape, U of A can now proactively identify and more quickly respond to potential threats, whether from inside or outside the university network.
Enabling Secure, Unrestricted Learning
Picture an iconic college campus with stately brick buildings, tree-lined walkways, a broad green quad dotted with students on break reading or talking – this is the University of Arkansas. But U of A has something else that's unique among U.S. universities: its Senior Walk consists of more than three miles of sidewalks crisscrossing the campus, engraved with the names of more than 175,000 graduates dating back nearly 140 years. The Walk is emblematic of the university's "students first" philosophy, which has made it one of the top-ranked institutions of higher learning in the nation.
Preserving its traditions in and out of the classroom means enabling students to connect with the educational resources they need while also enjoying vibrant social lives, whether they're hanging out at the student union or cheering on their beloved Razorbacks. This requires an extensive wired and wireless network students can jump on anywhere across campus, using practically any device at their fingertips.
Open network access is the cornerstone of an unrestricted learning environment, but it's also an entry point for bad actors intent on luring people to phishing sites, injecting malware or stealing private information. Preventing these kinds of cyberthreats from disrupting student and faculty life is of paramount importance. To address the problem, the U of A replaced its legacy firewall with Palo Alto Networks Next-Generation Security Platform.
Elon Turner, U of A's director of infrastructure, explains, "Our previous solution was a traditional firewall, kind of a black box with very limited visibility. With the explosive student growth we've experienced in recent years, the firewall was a choke point for all campus traffic and became unstable."
Application-Based Policies in a Virtual Network
Turner and his team also revamped their network security architecture. Instead of a single firewall for both campus and data center traffic, they deployed high availability pairs of next-generation firewalls in each of the university's two data centers, along with another high availability pair dedicated to campus traffic. All are configured with Threat Prevention, URL Filtering and cloud-based threat analysis services. This approach brought a new level of performance and reliability for students and faculty accessing the internet while keeping core data center operations – critical to the business of running the university – separate and secure.
To gain more agility in this new architecture, the infrastructure team also takes advantage of VMware® NSX® software-defined networking integrated with the Palo Alto Networks platform. Additionally, in a dynamic software-defined network where workloads can move fluidly from one virtual device to another, App-ID™ technology plays a crucial role in applying security policies.
"This has been a big leap for us," says Turner. "We now know the firewall policy will be the same no matter where the workload is in the virtual network. It allows us to categorize security more specifically to the function of an application rather than just opening up ports to allow access."
Improved Visibility With Fine-Tuned Control
With a generally open network, U of A is very selective in blocking traffic or filtering content. It needed a system to prevent previously unknown threats from getting through and to spare students from unwittingly downloading damaging files.
"Basically we are saving someone from themselves whether they realize it or not," Turner notes. "We now see the threats and bad traffic, and the types of files people try to download, inadvertently or otherwise, are shocking and oftentimes dangerous."
He points out that the visibility into network traffic is also greatly improved, transforming how security measures are applied.
"Now we can be more strategic about how we apply rules," Turner says. "Based on the visibility, we know what we need to control, and then we have a lot more tools and knobs we can turn to fine-tune the security."
The system's precision and reliability are key to stopping bad traffic as well as enabling the smooth flow of legitimate network activity. For example, U of A had numerous false positives with its previous solution, which caused hassles when people didn't know why they were being blocked from an application or website. Now, false positives are minimal, and both faculty and students can securely access, unimpeded, the applications and other network resources they need.
Democratizing Network Security
Organizations outside IT can also see the security policies applied to their servers and applications. The security team now has direct access to logs and a clearer view of threats, and other teams can create and apply their own security policies.
Turner remarks, "Previously, you had to be trained in the specific command line interface to get any visibility or reporting out of the box. It made IT a kind of walled garden where everyone else had to come to get security information. Now we're able to democratize how security is applied and managed on our network. It provides that extra visibility for other stakeholders, so they're more invested in the security of their applications. And it lets them secure their systems and applications the best way for their users without working through a long, complicated request process with IT. That helps us strengthen the overall security of our network."
Proactive Threat Response
With multiple next-generation firewalls to manage, U of A is now able to consolidate administration and simplify both reporting and incident response. The infrastructure team can ensure consistent policy deployment while dramatically reducing the number of rules from about 1,000 to just 100.
"We don't need nearly as many rules, because we can cover multiple features and threat vectors in a single policy and apply it to an application independent of the physical infrastructure," Turner explains. "Because the policies are application-aware, we don't have to spend time manually constructing port and IP configurations, which improves consistency and reduces the chance of leaving gaps or making mistakes."
Another advantage is simplified and accelerated incident response because the infrastructure team has a single pane of glass to identify malicious or suspicious activity anywhere across the network and act upon it on the spot.
"We don't have to triangulate information from multiple systems to figure out where the problem is," says Turner. "We have one place to catch whatever bad behavior is going on, whether it's emanating from inside or outside the network, and regardless of what threat vector the bad actor is using. We can even determine if the same bad actor is using more than one method. This helps us be more proactive in identifying potential threats and to respond much faster if there is an incident."
Long-Range, Strategic Security Approach
As U of A continues to evolve its security posture, Turner says his team is considering adding Palo Alto Networks Traps™ advanced endpoint protection and GlobalProtect™ network security for endpoints to extend the next-generation security capabilities to the university's mobile users.
"We want to add more network security capabilities without the complexity you get with individual point solutions," Turner concludes. "That allows us to take a long-range, strategic approach to strengthen our security posture as new technologies emerge and the needs of students, faculty, and staff change."