Internet2 Community Voices Series: Cost-Effective, Scalable Solution for Network Security at the Border

By Dan Kirkland, Network Architect Lead, University of Michigan

Estimated reading time: 3 minutes

Watch the video from the Network Routing Security at Scale at the University of Michigan event held on Thursday, August 12, at 1 p.m. ET.

The University of Michigan’s network, UMnet, is the core unifying technology that enables many of the university’s mission-critical IT systems and connects all schools, colleges, and institutes to each other and to the internet.

UMnet provides multiple redundant 100 gigabit-per-second connections to the internet, offering immense flexibility and the opportunity to collaborate with anyone, anywhere. However, what remains a challenge is the lack of readily available, cost-effective solutions for protecting the network against security threats.

In response to this challenge, the university’s Information and Technology Services department completed a proof-of-concept for a custom network border security system that scales with the university’s network capacity needs. Following the success of that project, the solution is now in full-scale, production deployment.

How the System Works

The Network Border Infrastructure Security (NBIS) system provides both visibility and security enforcement on network traffic to and from external entities as it traverses the UMnet border. 

First, all external-facing border router interfaces—including the multiple 100-gigabit interfaces—are fed through Gigamon optical taps. The replicated traffic is sent to Arista tap aggregation switches, which also combine the multiple packet streams together to address the asymmetric flow of traffic across multiple border router sites. 

The system then filters for known actors and out-of-scope devices to prepare the traffic for consumption by other services.

The primary consumers of this traffic are Corelight AP 2000 sensors running Zeek open-source software. From their analysis of the network traffic, these appliances generate logs and intel that are exported to an environment running Crowdstrike Humio for storage and further analysis.

Additionally, Corsa NSE7200 appliances installed on all border links serve as bumps-in-the-wire. These appliances provide high-speed, high-scale filtering capabilities. In particular, their GigaFilter feature is heavily leveraged—allowing for arbitrary filtering across any/all addresses in the entire IPv4 address space.

Gluing these components together is an internally-developed software known as the “Blocking Arbiter.” Still under active development, this software is designed to combine the locally-generated threat intelligence from NBIS with additional external threat feeds and then use the data to program and manage the active filtering policy on the NSE7200s. 

The basic premise is that this software has two paths: a “slow path” for filtering long-standing threats and a “fast path” for quickly responding to and filtering newly-discovered threats. This is combined with additional logic to ensure that the appropriate filtering state is maintained throughout.

Join Us for the Talk

I hope you will join me and Daniel Eklund, network planning manager for the University of Michigan, on Thursday, August 12, at 1 p.m. ET to learn more about the NBIS. We will share the details on how the solution uses various methods to classify network traffic as either a threat or not, modifies access control lists on an inline device to stop detected threats, and accommodates large research flows by passing that data through without further inspection.

The Internet2 Community Voices Series provides the opportunity to hear from experts, learn from their research, and connect with the community each month beginning in May 2021. Each talk is a stand-alone event, with a registration to access the live talk and the post-event recording and supporting materials.