Company

Peter Kiewit Institute Pushes Security Beyond the Speed of Education

The Peter Kiewit Institute (PKI) is home to the University of Nebraska-Lincoln’s College of Engineering and the University of Nebraska at Omaha’s College of Information Science. The Institute is shaped by a dynamic alliance of education and industry with a mission to fuel collaborations in an academic research environment by forging best-in-class technology with tomorrow’s research and engineering talent.

One key aspect of this collaboration is to work with advanced technologies in a production network setting to provide students with real world experience. With the introduction of the Force10 Networks P-Series family of security appliances, the Peter Kiewit Institute is able to provide its students and faculty with a new experience – securing the network at line-rate 10 Gigabits per second (Gbps).

While networking speeds have increased to 10 Gbps, security has not kept pace. As a result, organizations have traditionally been forced to slow the speed of their networks to accommodate security or leave their networks unprotected. The Force10 P-Series is the industry’s only security appliance that can monitor, inspect and block traffic at line-rate 10 Gbps, ensuring that even the fastest high performance networks are secure.

"With growing demands for 10 Gigabit Ethernet capacity across our research groups, we were faced with the dilemma of how to secure the network without impacting performance," said Chris Cox, network administrator for the Peter Kiewit Institute. "The Force10 P-Series is the only solution that allows us to secure our network at line-rate 10 Gigabit speeds with an open system that delivers the flexibility suitable to an environment like ours."

The P-Series leverages open source security tools like Snort to provide up to date security rules that have been tested and refined by the industry. As an open source-based system, the P-Series delivers a high level of flexibility that allows PKI’s technical team to configure it to meet their specific security needs. In addition to running Snort signatures, PKI can customize rules for address resolution protocol (ARP) traffic, dynamic host configuration protocol (DHCP) as well as other dynamic protocols.

"We particularly liked the flexibility and open nature of the P-Series," said Cox. "It’s the first security appliance we’ve seen with operating system choices and Free BSD, which gives our students the opportunity to work with a variety of applications that can be tweaked for different security needs."

The Force10 P-Series leverages a programmable architecture that delivers the processing capabilities of hardware and the flexibility rules of software. The field programmable gate array (FPGA) architecture of the P-Series enables PKI to add, remove or edit rules in real time without creating security gaps. In addition to the programmable processing architecture, the P-Series employs the unique Dynamic Parallel Inspection technology, which processes thousands of rules simultaneously to ensure accurate inspection and monitoring at line-rate 10 Gbps.

"The parallel processing of the Force10 P-Series eliminates the need to order rules and enables us to perform logic on results from several rules, something no other security system can deliver," said Cox. "The Force10 P-Series is really the first we have seen to use FPGAs as they were intended, specifically as a programmable chip that lets you dynamically change code, and the result is an incredibly fast security appliance that allows us to rapidly respond to emerging security threats."

For PKI, one of those security issues was ARP storms. As their network bandwidth grew, PKI saw an increase in the storms but lacked a way to determine the root cause. Leveraging the inspection and monitoring applications of the Force10 P-Series, PKI can determine if the floods are coming from internal configuration problems or someone attempting to run port sweeps of the network. The high speed processing capabilities of the P-Series enables PKI to tap the network at the core without creating a bandwidth bottleneck. In addition to simplifying the security of the network, the P-Series allows PKI to eliminate multiple slower security appliances at the edge of the network.

"With the Force10 P-Series, we can deploy a single tap, rather than three or four, that is the inspection point for all traffic on the network and send inspected traffic to our Snort and Bro-based IPS applications and packet capture tools like Ethereal," Cox continues. "We don’t necessarily get a lot of attacks from the outside right now, but it’s nice to know we have the tools to analyze internal diagnostics applications and inspect traffic against our security controls."

A Secure Network for Future Expansion

With the ability to inspect and monitor traffic at line-rate 10 Gbps the Force10 P-Series provides PKI with visibility into its high performance 10 Gigabit Ethernet network to determine traffic characteristics, patterns and signature detections across their complex campus wide VLANs and subnets. Armed with this information, PKI’s students can develop more efficient network architectures and troubleshoot problems more effectively, providing an invaluable learning experience that translates into real world situations.

back to top >