ARN

Airloom redefines UTS’ network with F5 deployment

Automation and templates allow staff to build apps not manage firewalls
Malcolm Salameh (Airloom) and Chris Hagios (Airloom)


Universities run some of the most complex IT environments, where users need fast, reliable and secure access to information while sensitive data must remain protected.

The University of Technology Sydney (UTS) is no exception.

The head of IT at UTS knew it was time to modernise the university network and, by working with a partner, the team saw the replacement of network firewalls as an opportunity to make improvements on the existing infrastructure.

As part of the process, the university engaged Airloom, a partner which specialises in mobility, cloud and cyber security. Airloom is an F5 Networks partner, and leverages the vendor's application delivery controller (ADC) portfolio to help meet end clients' application delivery needs.

Airloom chief revenue officer, Malcolm Salameh, told ARN that rather than offer the uni a simple upgrade from its existing F5 firewalls, the company was able to work with the team at UTS to determine what other services the uni could use.

For example, the university serves a large number of international students, which means the network receives a large amount of internet traffic from their home countries.

To minimise the possibility of cyber attack, Airloom and the UTS team set up a system, including a web application firewall (WAF), so that the network would only accept traffic from countries where students originate. All other traffic was blocked.

This rules-based approach allowed the UTS team to eliminate blocks of traffic which had no place being on the network, considerably reducing the university's attack surface.

More than just a cyber security play

UTS IT technical services manager, Steve McEwan, explained that the university previously had two data centres, a production facility (run by Macquarie Telecom in North Ryde) and a disaster recovery site (on campus).


“We didn’t have any contingency so if we lost the DR site we would lose our F5 connectivity,” he explained.

As a result, the uni took the opportunity to re-architect its network to bring in more capability.

“At that time, we didn’t have a lot of the features around cyber security and those were the things we wanted to implement,” McEwan said.

“We were running different boxes for different services as well. For example, we had a Juniper box for remote VPN access, so we have now brought that into the F5, which is great because it is one less box to manage, one less contract to manage, one less account manager to deal with.

“The beauty of the F5 for us is that we have been able to do some consolidation of infrastructure. One of the things we really wanted to drive was the cyber security capability. For us, the data is paramount and we needed to secure that, we were just not doing that very well,” he said.

McEwan added that the project was about trying to be proactive and employ all the capabilities that could provide the best level of protection.

“It is all about reputation. We don’t produce a product, the product is basically the teaching,” he said.

Keeping it simple in a complex environment

Due to the nature of the organisation, the university holds large amounts of sensitive data on students and staff including student transcripts, student accommodation information and other proprietary information.

The UTS IT team is made up of 35 people, but the organisation doesn’t have a dedicated F5 engineer. There are people who maintain and manage the F5 infrastructure but their roles require them to perform other functions as well. This meant the new system needed to be deployed in a way that would require minimal input from UTS once it went live.


In addition, the UTS network has to handle between 30,000 and 40,000 full- or part-time students accessing the network. On an average day the campus wireless will handle 30,000 connections.

This means the network must be robust and handle scale such as at exam time or during enrolments. Similarly, the IT team could not afford the downtime required to manually configure the firewalls each time an application was patched or rolled out.

Salameh explained that before addressing the problem at a macro level, the two parties worked on a single web-facing application on which the university had sensitive information.

“It was an application which we thought would potentially be the first target of an exploit,” he said.

Airloom and UTS then spent time working through the application itself and developed a design for how security would be built around it. This design then became a repeatable set of templates that could be used for other applications.

In addition, UTS chose to add a threat intelligence subscription service to the F5 capability, which gives the university IT team access to additional information on potential threats.

“Steve identified an area where they had a product capability that wasn’t leveraged. It is about leveraging what they have bought to get a much better return on investment from the assets they have purchased,” Salameh said.

“In the new world of breach notification, the first question the government is going to ask is what steps have you taken to make sure your data is as secure as possible,” he said.

For McEwan and his team, the most important part of the project was finding a balance between securing the environment and maintaining usability, so that when an update or patch is required, it does not shut down the application.

“You need to find a balance between protection of data and allowing developers to make changes as they need to,” he said.

“It is almost like it is set, and the policy will now do its thing but we don’t have to make changes every day. That is why we brought in Airloom because they have that expertise, whereas my guys might have been trying to work it out and would have deployed something that requires every day to make a little change here or there.”

For Salameh, the F5 technology is often misunderstood by customers and partners alike.

“It is complex technology and because it is complex, it can be configured in a way that is extremely complex,” he explained. “If you are a large tier 1 financial services provider and you have a team of people dedicated to this, it’s fantastic.

“For the rest of us, that level of change intensity is not sustainable, you can’t keep reconfiguring this thing every five minutes. It becomes costly, things break, the user experience is poor and it is just not a great position to be in. Unless you have dedicated 24/7 people, it is not workable.”

“Where we came at it from an Airloom perspective was, we could do that, but we don’t recommend it,” he said.

From a risk perspective, McEwan said the department feels safer because it added as much capability as the team felt was reasonable without impacting the ability of the organisation to roll out new projects.

“From a reputation point of view, that’s a big thing, if we have a breach students may decide to go to another university,” he said. “We feel more confident having done this project and one of the other benefits is that we have been able to upskill our internal pool of people.

“The great thing was that Airloom has come in and said let’s work together and share the knowledge rather than coming in and taking over,” he added.