When the technology department of Northwest Independent School District in Justin, Texas, began upgrading its aging firewalls, the staff didn't know the extent to which the district would begin to rely on the new models over the next few years.
In 2009, Northwest ISD chose to upgrade to new, more feature-rich Fortinet FortiGate-620B firewalls with content inspection, integrated multithreat security features, network security segmentation and high port density. Director of Technology Carl Shawn says the main reason for the upgrade was to consolidate appliances – intrusion protection, Internet filtering and antivirus – into a single device. Another important goal was to create higher capacity and throughput for the school district's network.
Those features were key to what was coming next: a massive rollout of netbooks, first to 3,500 high school students and then to about 4,000 middle school students. It was at that point that Shawn realized the true benefit of upgrading the firewalls. “We needed to be able to handle 7,500 netbooks without any latency, since students would be accessing the Internet a lot while in school,” he says.
With the new firewalls in place (one primary and one for redundancy), the district isn't experiencing bandwidth problems, and the IT department is well equipped to monitor the network for inappropriate access.
Out with the Old
The need for better manageability is one factor that has prompted organizations of all types to deploy next-generation firewalls, says Jeff Wilson, a principal analyst at Infonetics Research. Unlike earlier models, next-generation firewalls provide a much more granular level of application inspection and control – down to the individual user. In general, these firewalls also bundle traditional firewall functionality with intrusion prevention, antivirus and protocol filtering.
For Lee's Summit R-7 School District in Missouri, the reasons for upgrading from a nearly 6-year-old firewall to a pair of SonicWALL E7500 network security appliances were threefold: to move past a firewall so old that the manufacturer didn't support it anymore, consolidate multiple functions and gain better control of applications.
The IT group decided to upgrade to the new firewalls last year after realizing that these factors, along with the need for a device that could keep up with the district's growing bandwidth usage (the old firewall maxed out at 100 megabits per second, while the new one scales to 1 gigabit per second), made the change inevitable.
“We had a separate firewall, bandwidth management device and content filtering solution, all from different vendors with different management and maintenance requirements,” says Don Andrews, executive director of technology. “So instead of just replacing the firewall, we wanted to make sure everything was integrated.”
The number of security vulnerabilities documented in 2010, a 27 percent increase over 2009
SOURCE: IBM X-Force 2010 Trend and Risk Report (March 2011)
And by integrating multiple functions that were previously separate, Lee's Summit saves $15,000 to $20,000 per year.
What's more, the older firewall was so out of date that it had little if any intrusion protection capabilities. That, combined with the new model's application monitoring and intrusion detection capabilities, has made a big difference to the IT staff, which is charged with monitoring and restricting unacceptable applications.
“It has given us a lot more granular control over what goes in and out of our network,” explains Walter Woodward, network administrator at Lee's Summit. “We can block applications by application signature, and we can allow some applications for particular individuals or groups. Before, it was all or nothing – block everybody or allow everybody – but now we have much more control.”
Most organizations already have at least one firewall in place, but new pressures and requirements often make next-generation models attractive. When considering what to buy, keep these points in mind:
- Make sure the product has, at a minimum, a zero downtime configuration; support for user-based policy controls; the ability to identify applications and enforce network security policy at the application layer; full intrusion prevention; and good scalability.
- Determine the type of applications you need to control and how granular you need that control to be.
- Consider replacing your intrusion prevention system with the functionality integrated into a new firewall. This reduces complexity and makes management easier.