Four years ago, the Information Security Office kicked off a major firewall migration project. The migration, which moved about 200 unprotected VLANs (virtual local area networks) to campus enterprise firewalls, will help prevent attacks and limit the scope of attacks across the University. This summer, the work is wrapping up.
Network firewalls block unwanted network traffic before it reaches the computers and services behind them. Behind a firewall, connections from outside the network are blocked by default, and only explicitly trusted traffic is allowed in. Our campus firewalls apply very specific and complex logic to the traffic they inspect so that, for example, a department's web server is reachable on the ports it serves while a user's desktop on the same network is not.
UNC’s network firewalls block hundreds of millions of unwanted network connections each day. In any given month, our firewalls block 45% to 50% of the traffic sent to hosts they protect.
Before this project, there were computers and devices in networks at UNC-Chapel Hill that were not behind firewalls and were therefore open to the internet. Anyone in the world could knock and see what answered — migrating unprotected VLANs to campus enterprise firewalls prevents that.
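The default-deny behaviour described above, and the difference between a protected and an unprotected VLAN, can be seen in a small simulation. The following is an added example written for this page; it is not UNC's firewall configuration or code, and every address, rule and connection attempt in it is constructed for illustration. It models a stateful firewall in front of one hypothetical VLAN: outbound connections are allowed and remembered so their replies get back in, new inbound connections are checked against an explicit allow list, and everything else falls through to the default deny.

```python
"""Default-deny firewall policy for a protected VLAN, as a small simulator.

Added example, not UNC's configuration. All addresses, the rule set and the
sample connection attempts are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical addressing: one protected VLAN containing a departmental web
# server and user desktops, plus an IT management subnet elsewhere on campus.
PROTECTED_VLAN = ip_network("10.20.30.0/24")
WEB_SERVER = ip_network("10.20.30.10/32")
MGMT_SUBNET = ip_network("10.9.9.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: object  # ipaddress network
    dst: object  # ipaddress network
    proto: str   # "tcp" or "udp"
    dport: int
    action: str  # "allow" or "deny"


# Explicit rules for new connections entering the VLAN, first match wins.
# Nothing here permits new inbound connections to user desktops, so those
# attempts fall through to the implicit default deny.
INBOUND_POLICY = [
    Rule(ANY, WEB_SERVER, "tcp", 443, "allow"),         # public HTTPS
    Rule(MGMT_SUBNET, WEB_SERVER, "tcp", 22, "allow"),  # SSH from management only
]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class StatefulFirewall:
    """Allow outbound, remember it, allow the matching reply, default-deny the rest."""

    def __init__(self, policy):
        self.policy = policy
        # (inside_ip, inside_port, outside_ip, outside_port, proto) for each
        # connection a protected host has opened.
        self.conntrack = set()

    def decide(self, flow):
        """Return (action, reason) for one connection attempt."""
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        if src in PROTECTED_VLAN:
            self.conntrack.add((src, flow.sport, dst, flow.dport, flow.proto))
            return "allow", "outbound"
        if (dst, flow.dport, src, flow.sport, flow.proto) in self.conntrack:
            return "allow", "established"  # reply to a connection we opened
        for rule in self.policy:
            if (src in rule.src and dst in rule.dst
                    and rule.proto == flow.proto and rule.dport == flow.dport):
                return rule.action, "rule"
        return "deny", "default"  # no rule matched: default deny


# Constructed sample of connection attempts, in the order the firewall sees them.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 51000, "10.20.30.10", 443, "tcp"),    # internet -> web server HTTPS
    Flow("203.0.113.5", 51001, "10.20.30.10", 22, "tcp"),     # internet -> web server SSH
    Flow("10.9.9.7", 40000, "10.20.30.10", 22, "tcp"),        # management -> web server SSH
    Flow("203.0.113.5", 51002, "10.20.30.55", 445, "tcp"),    # internet -> user desktop SMB
    Flow("203.0.113.5", 51003, "10.20.30.55", 3389, "tcp"),   # internet -> user desktop RDP
    Flow("10.20.30.55", 49152, "198.51.100.20", 443, "tcp"),  # desktop browses out
    Flow("198.51.100.20", 443, "10.20.30.55", 49152, "tcp"),  # reply to that browse
    Flow("198.51.100.20", 443, "10.20.30.55", 49153, "tcp"),  # unsolicited, same server
]


def run(flows, policy=INBOUND_POLICY):
    """Decisions for each flow and the fraction the firewall blocked."""
    fw = StatefulFirewall(policy)
    decisions = [fw.decide(f)[0] for f in flows]
    return decisions, decisions.count("deny") / len(decisions)


def reachable_with_firewall(flows, policy=INBOUND_POLICY):
    """Protected hosts that an unsolicited outside connection attempt actually reaches."""
    fw = StatefulFirewall(policy)
    reached = set()
    for f in flows:
        action, reason = fw.decide(f)
        if action == "allow" and reason == "rule":
            reached.add(f.dst)
    return reached


def reachable_without_firewall(flows):
    """Same question for an unprotected VLAN: every outside attempt lands on its target."""
    return {f.dst for f in flows if ip_address(f.src) not in PROTECTED_VLAN
            and ip_address(f.dst) in PROTECTED_VLAN}


if __name__ == "__main__":
    decisions, blocked = run(SAMPLE_FLOWS)
    for f, d in zip(SAMPLE_FLOWS, decisions):
        print(f"{d:5} {f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto}")
    print(f"blocked {blocked:.0%}; reachable with firewall "
          f"{sorted(reachable_with_firewall(SAMPLE_FLOWS))}; "
          f"without {sorted(reachable_without_firewall(SAMPLE_FLOWS))}")
```

With the constructed sample, the web server is the only host an outsider can reach, and only on the ports the rules name; the desktop still browses out and gets its replies, but the SMB and RDP probes against it, and an unsolicited connection from a server it had talked to earlier on a different port, all hit the default deny. Without the firewall every one of those probes lands on its target, which is the "anyone can knock and see what answers" situation the article describes.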
Long process to centrally fund and manage firewalls
“When I started at UNC in 2009, there were very few firewalls on campus,” Michael Williams said. Williams, Network Security Team Lead in the Information Security Office, managed the project.
In 2009 at UNC, those firewalls “had to be funded by the clients they protected, and most schools, departments and administrative units simply did not have the budget to pay for their own firewalls,” Williams said. “I would guess — and this is no exaggeration — that 99% of campus VLANs were not behind firewalls in 2009.”
In 2010, ITS received administrative funding to begin centralizing support for firewalls. “That service proved itself to be reliable and effective,” Williams said. “We had an easier and easier time working with partner organizations on campus to migrate their networks to firewalls. People were very enthusiastic about being able to be more secure once they knew the University was treating it as a service available to all rather than something individual units would have to pay for out of their own already-stretched budgets.”
Over time, “the Information Security Office and ITS Networking agreed that the standard should be for all new VLANs to be created behind firewalls by default,” Williams said. “We’ve always been close collaborators with ITS Networking, so this was an easy agreement between us,” he said. ITS Networking has “been exceptionally supportive of our work, and we’ve been extremely enthusiastic about trying to support any new initiatives they have.”
Firewall migration took years
Because of this partnership, Williams estimated that by 2020, about 75% of campus VLANs were behind firewalls — a huge leap from the 1% that was protected in 2009.
But, Williams said, “the remaining 25% included some of our most populated networks, especially those dedicated solely to users rather than to servers. If someone had an office on campus, and their desktop computer was plugged into a network port in the wall, there were decent odds they were not yet behind firewalls.”
The four-year project “involved inventorying, analyzing and developing detailed security requirements and rules for about 200 different VLANs on the campus network,” he said.
Just one VLAN can take days, even months, to analyze and migrate. “Think of all the folks on campus who have ever plugged in a printer or a network storage device they picked up from Student Stores,” Williams explained. “When I say ever, I mean ever. We had to find every single device like that in each of these networks and then write firewall rules to account for them, and the contacts for each network had to be part of that process.”
While Williams managed the project, he said his teammates in Network Security, Dave Eiselman and John Allison, “deserve at least two-thirds of the credit.”
“Cut the cake” stage of the project
Williams said that technically, there’s still a little left to do on the firewall migration project. “I describe our current status as being at the ‘go ahead and cut the cake’ stage of the wedding.”
“For the last year or year and a half we’ve been down to the last handful of networks that still need to be inventoried and analyzed,” he said.
These remaining networks require some detective work and a lot of person-hours to resolve. “Most of those are ones the ownership of which is up in the air — no one has ever been the contact, or an organizational change such as a department splitting or merging has meant the positions originally overseeing them no longer exist — that sort of thing. Some of the remaining networks are simply too complex, with too many different kinds of things jumbled together over time. There are very few of that latter category left, though.”
Cross-campus collaboration
“The campus network is more secure than ever, all due to the extremely hard work and long hours put in by many teams across many organizations within the University,” Williams said.
This project required close collaboration within ITS and across campus. “I honestly cannot think of an IT organization that did not work with us at some point,” Williams said. “We started this project in 2020 and we’ve been working across organizational lines ever since.”
When asked how he felt about completing the project, Williams had just a few words — “relieved, satisfied and very proud to be a part of such an amazing team.”