IT is a precondition
As for any educational institution, IT is important for the Onderwijsgroep Tilburg (OGT). But it is a precondition, not a core activity. So if there are opportunities to outsource IT to a specialised, trusted party, that is interesting. "That applies to the firewall, for example," says Hans Hermans, head of Operational Services at OGT. "It takes a lot of effort to purchase and properly manage a firewall. So when I heard in the meeting of Coördinerend SURF Contactpersonen that SURF was going to start a pilot with a managed firewall, I was immediately interested. I wanted to know more about the advantages, but was also curious about the extent to which we could retain control ourselves."
The pilot for the managed firewall was executed in 2019 and 2020. OGT chose to send all its eduroam traffic through SURF's central firewall. Once the firewall was set up, OGT had little to worry about. Hans Hermans: "The pilot was flawless. The service was very stable and it was great to see how much knowledge and skill the SURF staff working on the pilot had. As participants, we were also able to provide input for the pilot, so we really did do it together with SURF. Because of those positive experiences, we now dare to take the step of having all our traffic handled by SURFfirewall."
Hans has experienced a number of benefits of a managed firewall in practice. "I hinted at it earlier: IT operations takes effort. You have to keep the hardware technically up to date, run updates for the latest features and good security, and set up a fallback scenario. You have to train your own people for this, or hire external people. By outsourcing it to a party like SURF, we know that the operations are in good hands. You also get a better operational process because an external party has operations as its core task. They can, for example, automate the process and make it smarter. We don't have the room for that ourselves."
Another major advantage is scalability. A hardware firewall lasts about six years. If you buy a new one, you have to estimate what the expected throughput will be in six years' time. "You have to look into a crystal ball, which is almost impossible," says Hans. "You have to take a margin, and you pay for that margin. By purchasing the firewall as a managed service, we will buy exactly what we need. And if we want to increase or decrease the capacity, we can simply do that."
This flexibility therefore saves costs. According to Hans Hermans, the costs of SURFfirewall are 25% lower than those of an in-house firewall for the same throughput. But because you buy exactly what you need from SURFfirewall, the cost savings are even greater.
"By outsourcing management to a party like SURF, we know it's in good hands."
With all those benefits of outsourcing operations, as a customer you still remain in control. Hans: "That's the beauty of SURFfirewall: SURF takes care of the operational aspects, but you remain responsible for drawing up the firewall rules. We think that's a good balance."
Integral approach to IT services
Hans Hermans sees more than just technical and economic advantages to SURFfirewall: "This is a product of SURF, an organisation that takes an integrated approach to IT services. There is a connection with services such as SURFinternet and SURFcert. So we don't just get an internet connection from SURF, but also services in the field of security, for example. This integral approach is appealing to us. And of course we are a member of SURF for a reason: we choose to be part of the cooperation and want to make a contribution to it. That's why we have a 'SURF, first' policy when it comes to IT services."
Involve network managers
Hans has a few more tips for institutions considering using SURFfirewall. "My most important tip: involve your network administrators in the process. Discuss the benefits and show that you're not taking work away from them by outsourcing the firewall. After all, administrators help with the set-up and are responsible for the firewall rules." As a second tip, Hans says that you should decide on the replacement of your firewall in a timely manner, so that you have enough time to choose the firewall's successor, which could eventually be SURFfirewall.
The preparations to use SURFfirewall as a production service at OGT are in full swing. "We hope to be ready and running the managed firewall in a few months. From then on, all our incoming and outgoing internet traffic will run through SURFfirewall and we'll have a lot less to worry about!"