ISC phases in University-wide firewall protection

Every year, computer attacks are increasing in both number and sophistication. These attacks target vulnerabilities in applications like Adobe Acrobat and Microsoft Office, or entice users in the form of phishing schemes. They also focus on networks like Penn’s.

To combat these threats, Penn’s Office of Information Systems & Computing (ISC) is phasing in a powerful “next generation” firewall, currently the most effective deterrent to network attacks. Firewalls are already in place at some schools and centers at the University, but this is the first centralized campus-wide firewall that offers protection to every device on a Penn network, including PennNet, AirPennNet, and AirPennNet Guest.

The University Firewall has the ability to block traffic that is “known bad,” which is traffic that is only used for attacking or compromising Penn systems and has no legitimate purpose on the University’s network, says University Information Security Officer Joshua Beeman, executive director of information security.

“This can include blocking connection attempts from external computers that we know are bad and used only for harmful activity, or preventing malicious software, so-called ‘malware’—things like spyware, Trojan horses, viruses, worms, etc.—from being transmitted and delivered to a computer,” Beeman explains. “The firewall can also identify and stop attempts to exploit a vulnerable computer or application by matching patterns in traffic against a database of known-bad activity.”

This ability is particularly important for what are called “zero-day vulnerabilities,” which are newly discovered and may not yet have a fix available. In these instances, systems remain at-risk until the manufacturer patches the software, which Beeman notes could take days, weeks, or even months.

While the number of attacks on Penn’s network varies from day to day, Beeman says recent estimates based on observed attempts by ISC’s Intrusion Detection System is tens of thousands per week, and hundreds of thousands per month.

Most attempts are unsuccessful, but the consequences of a successful attack could mean compromised systems and accounts, which could result in the loss or exposure of Penn data. This, in turn, could lead to anything from fines to the institution, identity theft for individuals, damage to Penn’s reputation, and the loss of constituents’ trust, Beeman says. 

He emphasizes that the average user won’t see any changes in his or her day-to-day usage because the firewall is focused on blocking only malicious or illegitimate traffic.

“Because we are rolling out the firewall gradually across individual schools and centers, we’ll have the opportunity to learn and adapt quickly if there are unforeseen issues,” Beeman notes. “We’re working closely with schools and centers to understand where there might be any lingering concerns or special use cases. Unsurprisingly, there is a small group of people at Penn that need this ‘bad’ traffic for their research and scholarship, and we want to make sure that they can continue to have access to it.” A governance board comprised of representatives from schools and centers across the University also helps ensure that the University firewall is consistent with Penn’s commitment to open expression and electronic privacy.

ISC has been testing and configuring the new service throughout September and will continue to do so into October. This phased-in approach allows them to ensure they are applying the right rules and won’t be interrupting legitimate traffic, Beeman says.

It’s an apt methodological choice for a complex and vast system: There are 50,000 to 60,000 devices connected to Penn’s network at any one time, says Beeman.

“Penn’s wired and wireless networks are remarkable for their speed and reliability, and play an integral part in supporting Penn’s mission. Equally notable is the complexity of Penn’s network, which in addition to supporting more traditional usage by faculty, staff, and students, also provides connectivity for an array of unique networked devices,” Beeman says. “It’s complex stuff to do at the scope and scale of a place like Penn, and the credit goes to ISC’s network engineers, as well as the members of Penn’s schools and centers, who have carefully identified an approach that will allow us to be successful.”

For more on ISC’s University firewall implementation, visit the FAQ section on their website.

Penn Firewall