When cyber criminals up their game
Glasgow must protect itself against the rise in IT security threats, but with 30,000 users it was faced with a huge problem of scale
Founded in 1451, the University of Glasgow is the fourth oldest university in the English-speaking world. Today it is a broad-based, research-led institution with campuses in Glasgow and its suburbs, as well as in several Glasgow teaching hospitals. The university has more than 20,000 students and 6,000 members of staff.
As one of the UK’s leading research centres and a member of the prestigious Russell Group of UK research universities, it contributes to research programmes with a global impact, in fields that range from the rapid detection of malaria to the biggest particle physics experiment in the world – the Large Hadron Collider.
The increasing cyber threat
Like all large institutions, the University of Glasgow must protect itself against the ever-increasing volume of IT security threats. The university uses an Intrusion Detection System (IDS) to alert it to potential threats, but with 30,000 users it was faced with a huge problem of scale.
Chris Edwards, information security coordinator at the university, said: “The cyber criminals will keep upping their game and it’s up to us to keep pace with them. Using IDS to monitor our network traffic is similar in many ways to using an antivirus programme on a PC, but we have to be able to do this concurrently for 30,000 users. This means we have to monitor huge volumes of internet traffic.”
The university had been feeding its IDS from a mirrored port on one of its internet gateway routers, but that port was limited to 1Gbit/s. As internet traffic grew to tens of gigabits per second, the mirror port could carry only a fraction of the total; an oversubscribed mirror port silently drops the packets it cannot forward, so the IDS was blind to an ever-larger share of the traffic and it became less and less probable that it would identify malware or cyber attacks.
The problem couldn’t be resolved by simply adding multiple mirrored router ports, because the routers only allow traffic to be mirrored to a single port rather than spread across several ports. That meant the only way to scale the existing IDS would have been to mirror all the traffic to a single port running faster than 10Gbit/s. Even if this had been viable, by putting in expensive new gateway routers, for example, the IDS servers could only support 1Gbit/s interfaces, so they couldn’t have received traffic at this higher rate.
Edwards continued, “We needed a technically viable and cost-effective way of upgrading our IDS so it could alert us to hacking attempts and identify PCs infected with malware – and do all of this at speeds of multiple tens of gigabits per second.”
Finding the answer
The University of Glasgow looked at a wide range of possible solutions before being introduced to Gigamon’s technology by systems integrator Synetix Solutions. The university was impressed by the Gigamon solution’s 10Gbit/s capability, which also allowed plenty of headroom for future growth. It was also drawn to the granularity of Gigamon’s hardware-based filtering, as it would allow the university to select only the traffic it needed to send to the IDS – as well as the fact that it was cost-effective and included platforms at the right scale.
Gigamon’s G-TAP optical traffic splitters passively duplicate all external internet traffic passing over the 10Gbit/s links, so the monitoring path no longer depends on a router mirror port. The Gigamon node then uses its hardware-based, patented Flow Mapping technology to isolate the traffic that needs to be sent to the IDS.
“We could send all our traffic to the IDS servers, but the Gigamon system allows us to be much more efficient and isolate only the traffic that we’re really interested in,” said Edwards.
“For example, we might be sending some massive data files from the Large Hadron Collider project – which we know we can trust and might be too large for our IDS servers to analyse. We can use the Gigamon systems to filter this traffic out based on source and destination addresses, and significantly reduce the load on the IDS servers. When new sources come online, it’s an easy process to exclude the ones we aren’t interested in.”
The Gigamon platform also load-balances the selected traffic across multiple 1Gbit/s ports on the IDS servers, distributing packets by IP address so that the load is shared evenly and the traffic of a given host consistently reaches the same sensor. This means the university can spread the IDS function across multiple cost-effective Linux servers, rather than having to invest in new, high-end, higher-bandwidth hardware.
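The two mechanisms described above – an address-based exclusion rule for trusted bulk transfers, and an IP-based spread of the remaining traffic across several 1Gbit/s IDS ports – can be modelled in a few lines. The following is an added illustration written for this page, not Gigamon’s implementation or the university’s configuration; the prefix 198.51.100.0/24 standing in for the LHC transfer hosts and the sample packets are constructed for the example. It also shows one detail a practitioner has to get right when splitting traffic across IDS sensors: the hash must be symmetric, so that both directions of a conversation land on the same sensor, otherwise the IDS sees only half of each TCP session.

```python
"""Toy model of a packet-broker flow map: exclude trusted bulk flows by
address, then spread the rest across N IDS ports with a symmetric IP hash.
Constructed example for illustration; not the vendor's implementation."""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    length: int  # bytes


# Trusted, high-volume endpoints that should never reach the IDS.
# Hypothetical prefix: stands in for the LHC data-transfer hosts.
EXCLUDE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def excluded(pkt: Packet) -> bool:
    """Exclusion rule: true if either end of the packet is in an excluded prefix."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    return any(src in net or dst in net for net in EXCLUDE_PREFIXES)


def symmetric_hash(a: str, b: str) -> int:
    """Order-independent hash of an address pair, so A->B and B->A collide."""
    pair = sorted((ipaddress.ip_address(a).packed, ipaddress.ip_address(b).packed))
    digest = hashlib.sha256(pair[0] + pair[1]).digest()
    return int.from_bytes(digest[:4], "big")


def ids_port(pkt: Packet, n_ports: int) -> int:
    """Pick the IDS port for a packet; both directions of a flow agree."""
    return symmetric_hash(pkt.src, pkt.dst) % n_ports


def distribute(packets, n_ports: int):
    """Return (bytes delivered per IDS port, bytes excluded by the flow map)."""
    per_port = [0] * n_ports
    dropped = 0
    for p in packets:
        if excluded(p):
            dropped += p.length
        else:
            per_port[ids_port(p, n_ports)] += p.length
    return per_port, dropped


# Constructed sample traffic: a bulk transfer we trust, plus ordinary flows.
SAMPLE_PACKETS = [
    Packet("198.51.100.10", "203.0.113.5", 9000),   # bulk science data (excluded)
    Packet("203.0.113.5", "198.51.100.10", 64),     # its ACKs (excluded too)
    Packet("192.0.2.20", "203.0.113.80", 1500),     # client -> web server
    Packet("203.0.113.80", "192.0.2.20", 1500),     # server -> client
    Packet("192.0.2.21", "203.0.113.25", 600),      # another flow
]

if __name__ == "__main__":
    ports, dropped = distribute(SAMPLE_PACKETS, n_ports=4)
    print("bytes per IDS port:", ports, "excluded bytes:", dropped)
```

Distribution by address pair is even only in aggregate; a handful of hosts that dominate the traffic will pile onto one sensor, which is why the trusted bulk sources are removed before balancing rather than after.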
Increased visibility, for increased protection
The university can now monitor all of the traffic coming across its 10Gbit/s internet links. Edwards said: “The Gigamon technology has solved our scale issues. Now we can detect compromised PCs before damage is done in a way we couldn’t do earlier – helping identify users with a virus and taking remedial action. It enables us to split the traffic load across multiple monitor ports, minimising packet loss, so we can operate a cluster of multiple IDS boxes, comprised of cheap commodity hardware, each of which ‘watches over’ a portion of our campus.”
As the system is fed from an optical splitter, the original mirror port on the router has been freed up for other purposes. And because the Gigamon systems can pre-filter the traffic that the existing tools are exposed to, it has been possible to reuse existing network monitoring and measuring equipment.
Chris Edwards was positive about his experience of working with Gigamon. He said: “We had direct contact with Gigamon from the outset. They lent us a trial system and provided engineering support. Once they’d explained how the system worked, we had a good understanding and could configure it ourselves – saving us a lot of time. We tend to use the CLI rather than the web GUI, which is nice and simple and we can’t fault it.”
Where to next?
The university initially deployed a GigaVUE-212 Visibility Fabric node, but is now in the process of upgrading to a GigaVUE-HB1, which offers even more ports and allows it to expand the solution further.
The university’s network continues to grow, and now runs at 40Gbit/s in its core. Like many educational establishments it is also seeing a surge in demand for Bring Your Own Device (BYOD), increasing the potential exposure to malware even further.
Despite this, the university believes the Gigamon solution will perform well into the foreseeable future.
Chris Edwards concluded: “The network traffic continues to grow, but now we can detect malware and attacks even better than we did before. I’d advise anyone in a similar position to talk to other similar organisations to see how they’ve resolved this problem. We’ll certainly be sharing our experiences around other UK universities.”