Distributed firewall system at the University of Debrecen


Gál, Zoltán, zgal@cis.unideb.hu

Karsai, Andrea, kandrea@cis.unideb.hu


Service Center for Informatics, University of Debrecen


The bandwidth of the university's HBONE/Internet connection has grown to 2.5 Gbps in the last year. Since traffic between the university's campuses has also grown considerably, it became necessary to upgrade the university network from 100/155 Mbps to the Gbps range.

The increased bandwidth, together with the viruses and attacks observed recently, made it necessary to set up a firewall that protects the whole university network. The firewall between the HBONE router and the university MAN is IBM Firewall software running on an IBM RS/6000 server. Although it has gigabit interfaces, the CPU load and the complex rule set mean that, in our experience, the speed of the institution's Internet connection has been degrading steadily.

The traffic of the inner backbone is carried by a Cisco Catalyst 6506 router placed in the centre, Cisco Catalyst 3550 routers placed at the campuses, and L3 switches with gigabit interfaces. The connections between the campuses are handled by more than a dozen relay devices capable of L4 filtering. In our experience the load on these devices is low despite the increased traffic. This made it possible to move the filtering required by the firewall closer to the destination networks, that is, to perform the filtering on the switches that connect the campuses. In this way the firewall protects the UDNet network against attacks from the Internet not at a single point, but in a distributed way at each campus.

This mechanism significantly reduced the load on the former single firewall, since it now protects only the backbone equipment of the institution. The throughput of the server has therefore improved considerably, and the regional HBONE router can be reached at almost 1 Gbps. Furthermore, the distributed firewall system provides greater security for the campuses, since it filters not only attacks from the Internet but also attacks that may come from other campuses.
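As an added illustration (not the authors' configuration) of how the per-campus L4 filtering described above can be expressed on a Cisco Catalyst L3 switch: an extended access list applied inbound on the uplink facing the backbone, so that each campus filters both Internet and inter-campus traffic locally instead of relying on the central firewall. The interface name and all addresses are assumed placeholders taken from the RFC 5737 documentation ranges.

```cisco
! Added illustration only; addresses are constructed placeholders (RFC 5737):
!   192.0.2.0/24   = this campus's network (assumed)
!   192.0.2.10     = a campus web server (assumed)
!   203.0.113.0/24 = another campus's network (assumed)
!
! Extended ACL evaluated on the campus L3 switch. Order matters:
! the first matching entry wins, so anti-spoofing comes first and
! the catch-all deny comes last.
ip access-list extended CAMPUS-IN
 ! Anti-spoofing: packets claiming a campus source must never arrive
 ! from the backbone side, whether they come from the Internet or
 ! from another campus.
 deny ip 192.0.2.0 0.0.0.255 any log
 ! Return traffic for TCP sessions initiated from inside the campus.
 permit tcp any 192.0.2.0 0.0.0.255 established
 ! L4 filtering: only the published services of the campus server
 ! are reachable from outside the campus.
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 ! Allow ping replies so connectivity checks from inside still work.
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 ! Everything else, including unsolicited traffic from other
 ! campuses (e.g. 203.0.113.0/24), is dropped and logged.
 deny ip any any log
!
! Apply the list inbound on the uplink toward the central Catalyst 6506
! (interface name is assumed).
interface GigabitEthernet0/1
 description Uplink to backbone (Catalyst 6506)
 ip access-group CAMPUS-IN in
!
! Check: per-entry hit counters show which rules are actually matching.
! show access-lists CAMPUS-IN
```

Entries marked `log` are typically handled by the switch CPU rather than in hardware, so keep them on the few denies you want visibility into rather than on high-volume permits.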

The lecture will cover the practical experience gained with the firewall system, which consists of more than a dozen Cisco L3 switches with Gbps capacity. We will also discuss the expansion philosophy and the technical details of the institution's gigabit backbone protected by the firewall system. The experience presented will enable other institutions to handle, in an efficient way, the critical security problems that accompany the unavoidable expansion of backbone equipment.