Security Enhancement Proxy Replacement Firewall Replacement IDS Replacement January, 2012

Upload: austin-logan

Post on 06-Jan-2018




Contents

Business Problem

Project Scope

Proposed Solution

Project Costs

Project Activities and Timeline

Risks


Business Problem

• Current Proxy Servers (BlueCoat) are not capable of handling traffic patterns from Culver City.

• As a result, Culver City traffic is not routing through a proxy server, and inbound traffic is not investigated for malware.

• We are not GISS Network Management 3.5.2 compliant.

• Proxy servers can’t monitor all traffic, only http and https traffic.

• Current Firewalls are having performance issues and need to be replaced.

• Corporate Pointe – F/W dropping packets, poor performance for DMC environment. Upgraded Internet circuit to 10 Gig. Current firewall being replaced with OneNET Post-Production funds.

• Chandler – F/W reaching its peak before dropping packets. Plans to upgrade Chandler Internet to 10 Gig to support failover for DMC in Corporate Pointe. Current firewall will be replaced with OneNET Post-Production funds.

• London firewall has had performance problems causing slowdown to customers. Needs restarting to temporarily resolve this problem.

• IDS in Chandler and Corporate Pointe need to be upgraded to support 10 Gig.

• Corporate Pointe IDSs are dropping packets due to increased bandwidth and cannot keep up with the demand.


Project Scope

In-Scope

o Replace existing CheckPoint Firewalls with next generation firewalls that provide f/w, proxy, and IDS / IPS services, in the following locations
    o Corporate Pointe (Culver City Datacenter)
    o Chandler, AZ
    o London, UK
    o Hong Kong, HK
o Add additional firewall pairs to the following locations
    o Studio Productions Internet
    o Singapore new Internet
o Enable IDS / IPS Services on new firewalls.
o Enable Proxy Services on new firewalls and retire them.
o Shut down all Blue Coat Proxy Servers
o Repurpose existing IDS servers in Corporate Pointe and Chandler to alternate locations.
o Shut down existing CheckPoint firewalls.


Proposed Solution

Replace current CheckPoint Firewalls with Palo Alto Network “Next Generation Firewall” appliances.

Regains GISS Network Management 3.5.2 compliance.

Enables much better performance to meet current, and estimated future demand over the next 3 years.

Enabling Threat Prevention means we can consolidate this service onto the same platform, and shut down aging and poorly performing BlueCoat Proxy Servers.

Closes the gap we have with the GISP Policy requirement that all clients route through a Proxy server to gain Internet access.

Enabling IDS / IPS services means we won’t have to purchase 10 Gig IDSs from Symantec, saving the $180,000 per year lease over 5 years ($900,000).


Project Costs


Vendor Selection

Selected Vendor

Palo Alto Networks

o Palo Alto Networks “Next Generation Firewalls” have proven to be very well received in the industry, and have placed Palo Alto in the top right quadrant of Gartner’s Firewall Survey.
o PoC run by SPE GNS group proved this solution works very well as an integrated firewall, IDS/IPS, Proxy solution.
o Solution provides for consolidated reporting for virus, applications, and web browsing for Investigative Services group.
o Solution provides integration of Active Directory so Investigative Services can search by AD username as well as by IP address, port.

Reviewed Vendors

o Palo Alto Networks
o CheckPoint Systems
o Cisco
o Zscaler
o Blue Coat


Project Activities and Timeline

Activity                                Timeline        Groups Involved
Solution Selection / Proof of Concept   Weeks 1 - 12    GNS, (completed)
Operational Planning                    Weeks 6 - 16    GNS, GSD, ADM
Procurement                             Weeks 12-14     GNS, Procurement
Configuration / Testing                 Weeks 14-18     GNS
Deployment                              Weeks 16-24     GNS
GNS / TCS Training                      Weeks 12-14     GNS, Vendor
Production Turnover                     Week 14-18      GNS
Retire CheckPoint, BlueCoat             Week 24         GNS


Risks

• Firewall replacement requires much up-front planning to ensure all the rules are properly migrated and working.

• Migrating to the new solution will require outages, which need to be supported by the business.

• Getting the Master Sales Agreement in place has proven to be very challenging, and is not completed yet. This could delay the execution of this project.