Implementing Application Layer Security with NGFW
Challenges
The main driver for this project arose from a major security breach experienced at one of this media organization’s partners. As a result of their close relationship with this partner, they wanted to ensure that they were protected against the potential threat of the hackers extending their attack. With the possibility of a targeted attack, they decided it was time to modernize their firewalls as fast as possible. It was clear that Vandis needed to complete the installation quickly in order to minimize their risk of an attack.
After evaluating this company’s environment, Vandis identified the biggest challenge: converting the rule base from the legacy technology to the new solution. Many of these rules had been deployed over the years and, as a result, were either no longer relevant or were in the wrong order.
Selection Criteria
This organization made it very clear to Vandis that a solution needed to be chosen and implemented immediately, as this was one of their top priorities. The chosen solution had to be in full compliance with the new security regulations. Lastly, the new solution needed to be able to easily handle the exchange of rules from the previous firewall. Vandis suggested that Check Point Software Technologies, Palo Alto Networks and Sophos would meet their requirements and fit seamlessly within their environment.
Solution
With no time to complete a proof of concept (POC), this organization relied heavily on the recommendation of Vandis. After additional consultation, Vandis concluded that a Palo Alto Networks firewall would be the best fit for this organization. This company perceived Palo Alto to have one of the best products on the market to protect against AVPs and decided to implement it because Palo Alto Networks’ App-ID engine would be the best suited to detect and protect against hackers trying to take advantage of vulnerabilities and existing protocols.
To deploy the new firewall, Vandis worked diligently with the customer to decide which rules were mandatory for their operations and what order to arrange them in. One of the major benefits of implementing Palo Alto was the ability to simplify this organization’s environment. Their existing solution incorporated two routers, each doing Border Gateway Protocol (BGP) with one ISP and the other performing HA on the inside with two firewalls. With the deployment of their new firewall solution, the company was able to move BGP to the firewall, which allowed for a more simplified environment.
The implementation of the solution throughout their entire environment was performed by Vandis over the course of a week and did not encounter any unforeseen issues. With the solution operating at full capacity, Vandis’ engineering team performed a short transfer of knowledge with this organization’s IT team to advise on and explain best practices and to field any questions they had.
Results
After completing the project, this organization had fully upgraded their aging firewalls and is better equipped to handle any advanced threats they may face. With the protection of App-ID, this company is now more protected in layers 2 through 7. Their overall environment is simpler and easier to maintain because they were able to collapse their functional external routers, switches and firewalls into one HA pair device. The streamlined interface and simplified Palo Alto rule base have also provided for easier user engagement.