Security Becomes Smarter

Over the past decade, the stream of critical data pouring into the Kenmore, Wash., headquarters of the Northshore Utility District from five remote water storage sites has become a flood. Factor in the need to keep information safely flowing between the main office and service trucks roaming the 17-square-mile area served by the water and sewer utility, and IT Director Stephen Schommer faces a complex network security challenge.

But help has arrived by way of the utility's ongoing implementation of WatchGuard XTM 520 and XTM 22 next-generation firewalls, which consolidate the policy-based filtering of standard firewalls with full intrusion prevention system functionality and centralized management to reduce trips to the remote sites.

"The integration of the firewall and IPS system is so convenient it almost makes security plug-and-play," says Schommer, who leads a four-person IT staff. "Not a lot of oversight is required." He says the devices automatically update threat signatures, alert administrators to potential problems, and can be managed remotely from any computer.

Centralized management of security functions is just one of the benefits provided by next-generation firewalls compared with older models, according to Greg Young, a Gartner research vice president. Intelligent firewalls perform deep packet inspection and can detect application-specific attacks, as well as enforce application-specific security policies for incoming and outgoing network traffic. Integration of the firewall and IPS provides better visibility and threat correlation and speeds responses to threats. Organizations achieve better security at a lower cost because they no longer have to maintain separate firewall and IPS platforms, Young says.

"The tricky part of the adoption decision is simply timing," Young advises. "You want to dovetail the replacement of the firewall and the IPS so you don't lose too much value that you've already paid for."

Refresh Requirements

The Northshore Utility District moved to the WatchGuard XTM 520 model when its existing firewalls from the same manufacturer reached end of life. Price was a consideration, but more important were factors such as a history of excellent support from WatchGuard and ease of deployment, Schommer says.

Speed and throughput also factored into the decision. Increased security requirements for water providers after Sept. 11 translated into a dramatic increase in real-time network traffic from the storage sites, including access-­control card swipes, surveillance video and information from Supervisory ­Control and Data ­Acquisition systems, along with standard operations. "Even with all the data we push over the network, the throughput limits of the XTM 520s far exceed our needs," Schommer says.

For the Southern California city of Rancho Palos Verdes, speed, bandwidth and price were also primary concerns in the choice of the SonicWALL NSA 7500 intelligent firewall, says Dennis McLean, director of finance and information technology. Like the Northshore Utility District, Rancho Palos Verdes deployed next-generation firewalls when its existing firewalls, in this case SonicWALL 3000 series appliances, reached a refresh point about two years ago.

"We maintain a pretty robust technology infrastructure for a relatively small community," McLean says. "We wanted security without compromising on the performance of our applications."

The SonicWALL NSA 7500 offered the required backplane speed along with streamlined management, the capacity to support three Internet connections for redundancy and the manufacturer's proven record of reliability with the city, says Ted Vegvari, director of Palos Verdes on the Net (PVNET), the nonprofit entity to which Rancho Palos Verdes outsources its day-to-day IT management. Once the NSA 7500 arrived, PVNET Senior Technical ­Services Manager Sean McKee installed it during a holiday break.

One driver of the transition to intelligent firewalls was the need to have deep packet inspection capabilities of the city's Voice over IP telephone system, Vegvari says.

"After we installed the VoIP system, we realized that we had more to be afraid of from intrusions and attacks," he says. "Not only are your phones at risk, your computers are at risk as well. For all our systems, we wanted to be able to do more analysis of network traffic and block attacks as they happen."

Judicial Decision

Similarly, California state courts two years ago began a migration to Cisco ASA 5500 Series intelligent firewalls when Cisco announced it would no longer upgrade its PIX 500 series of firewalls, which were deployed throughout the 58-court system. With the inevitable transition, the Administrative Office of the Courts sought increased security capabilities, says Raul Ortega, information security officer for the AOC.

"We wanted firewalls that could do more than open and close ports," Ortega says. "We wanted better integration with IPS, but we also use our firewalls as perimeter routers. The ASA 5500s give us the bandwidth and speeds we need without overdesigning and moving up to the next, more expensive box."

When the implementation is complete next year, there will be approximately 140 ASA 5500 Series devices deployed throughout AOC. The court system has in the past separated its firewalls and VPN, but because of the increased capabilities and control provided by next-generation firewalls, the IT security staff is considering consolidating those functions, Ortega says.

"The new firewalls are more than just a tool; they're becoming the foundation of our security architecture," he says.