Firewall strategy
Expanding the use of multiclient-capable (multi-tenant) firewalls, combined with a centrally administered VPN dial-in, is a primary goal for network security. This places high performance requirements on the components used and, because of the high total throughput in the Universität Hamburg backbone, can only be implemented with specialized components.
The approach allows individual areas and institutions to define their own access-control rules on multiclient-capable firewalls. As the network provider, the RRZ can thus meet the needs of the institutes (individual rules, local administration) while still providing assistance when problems arise. At the same time, this yields a range of synergy effects:
- The RRZ can provide the institutes with preconfigured clients that already implement a minimum level of security, ready for individual customization.
- The RRZ retains control over all clients (supervisor function): it can advise on and support individual configuration work and correct client configuration errors.
- The RRZ can bundle multiple clients as virtual firewalls on highly specialized hardware. The total throughput (filter performance) is distributed dynamically between the clients according to need and can be adapted to actual traffic at any time.
- Separating the access-control rules into independent clients limits the impact of configuration errors compared with monolithic solutions, which matters especially when configuration tasks are delegated to local administrators: a configuration error in one client affects only the relevant subnetwork (institute), not the University as a whole. Because configuration errors have occurred in the past and cannot be ruled out in the future, this containment directly increases availability.