In my previous blog, we investigated the various possible service options for Firewall as a Service, and I discussed the do-it-yourself, basic and managed firewall options. A survey recently conducted within the senior secondary vocational education (MBO) sector revealed that the basic firewall is the most promising service option for the sector. But how do things look in the higher professional education (HBO) sector? In this blog, we will look at the results from the survey and from interviews that we have carried out in higher professional education. We will also look at the progress that has been made with service development for Firewall as a Service.
In the survey, we asked questions about the use and management of a firewall. What concerns are there regarding management? Is management outsourced, or is there expertise on-premises? And what about purchasing – what conditions are important?
The key results of the research in the HBO sector
- Twelve respondents completed the questionnaire.
- 84% of respondents do not wish to do all firewall work themselves.
- 40% of respondents have concerns about the tendering process in case of outsourcing.
- 60% of respondents want management to be taken care of in case of outsourcing.
- 30% of respondents want flexible capacity scaling in case of outsourcing.
- 60% of respondents want flexible functionality scaling in case of outsourcing.
- None of the respondents want to carry out updates themselves in case of outsourcing.
- 50% of respondents considered it important to determine the strategy themselves.
- 20% of respondents considered the brand of firewall important.
- 90% of respondents want secure Internet to be foremost in case of outsourcing.
Managed firewall is the most promising
Based on the responses, it would appear that HBO institutions consider secure Internet more important than MBO institutions do (90% compared to 68%) and that they are more open to the idea of relinquishing control over strategy (50% compared to 78%). It can therefore be concluded that HBO institutions have a greater preference for managed firewall than MBO institutions.
Institutions use two or more firewalls
The interviews revealed that HBO institutions often use two or more firewalls on the same campus – one for the external network and one for the internal network. For many HBO institutions, it is logical that the firewall used to secure external connectivity is integrated with the connectivity offered by SURF. The internal firewall, which is often located in the institution network’s data centre, is the responsibility of the institutions themselves. For other institutions, the SURF Firewall as a Service would be of interest only if both firewall functions (external and internal) were integrated.
External and internal
To begin with, the SURF Firewall as a Service will only operate externally. An internal firewall involves many additional technical and organisational aspects, as we would be entering the domain of the institution itself. We are working with the institutions to explore whether and how we can extend Firewall as a Service so that we can also provide internal security for an institution’s network.
In order to quickly satisfy the demands of institutions, our service development programme will start on the basis of a hardware firewall. To ensure that the capacity of the hardware firewall is as optimal and (cost) efficient as possible, several institutions will be using the same hardware firewall, each within their own security domain. As soon as institutions require more capacity and functionality, we will extend the hardware platform. This way, institutions will be able to scale their firewall capacity through SURF. They will also save on expensive hardware investments, which are often scaled on capacity and functionality for five or ten years’ use.
We have begun a pilot to test how Firewall as a Service is provided and to evaluate the technical design. We hope that the pilot will enlighten us as to how the service variants integrate in practice and how the collaboration model with partners and suppliers will look. We will also be looking at the acceptance level of the solution for institutions, the preferred form of reports, and how SURFcert’s expertise can be used to improve the service. The pilot will run from September to December 2019 inclusive. Six institutions from different sectors have already indicated that they wish to take part in the pilot.
Continuing to monitor NFV developments
Our original idea was to use network function virtualisation (NFV) to help shape the service, but after numerous experiments, this technology does not appear mature enough to realise this ambition. Nevertheless, we have observed how quickly the technology is being developed, so we continue to invest energy in developing NFV infrastructure. This will allow us to benefit from the advantages offered by scalability as quickly as possible.
Of interest to your institution? Please get in touch!
Our research was conducted in the senior secondary vocational education and higher professional education sectors, but we are always happy to talk to universities, UMCs and research institutions. Do you think that Firewall as a Service could benefit your institution? Fancy sharing some thoughts? Perhaps you’re interested in the pilot? Please get in touch, we’d love to discuss things with you. Contact us at firstname.lastname@example.org.