Building a Better Firewall

District IT managers turn to next-generation devices for more powerful oversight of network activities.

Brown arrived in the midst of the district's five-year plan to replace older, but still usable, SonicWall PRO Series firewalls with the company's Network Security Appliance 3500 and E-Class NSA E6500 next-generation firewalls (NGFWs), starting with the 3500 models. PCSSD has been replacing seven or eight firewalls each year, depending on available funding, for the past three years.

"The IT staff already knew how important it was to replace the firewalls we had, because those devices can't address the types of threats our networks now face," Brown says. "A lot of the newer threats are coming through on ports we have to have open, and the older firewalls weren't catching them."

The next-generation appliances incorporate the technology necessary to combat those threats – intrusion prevention, gateway antivirus, antispyware and application-layer controls – and enable comprehensive bandwidth management. "We can set aside bandwidth for certain applications, such as our student database, so that other network users aren't using up all of the available bandwidth," explains Jimmy Hogg, director of IT operations, who is leading the district's firewall replacement effort. The upgrade also gives IT staff more control over the applications students can reach, allowing them to block proxies as well as social networking, video, music and gaming sites.

The need for better manageability is one factor that has prompted organizations of all types to deploy NGFWs, says Jeff Wilson, a principal analyst at Infonetics Research. Unlike earlier models, NGFWs provide a much more granular level of application inspection and control – all the way to the individual user. In general, these firewalls also bundle traditional firewall functionality with intrusion prevention, antivirus and protocol filtering.

Hogg says these capabilities have increased PCSSD's network performance immeasurably. "Not only is it faster, but the people who really need the bandwidth can have it," he says.

Out with the Old

When the technology department of Northwest Independent School District in Justin, Texas, began upgrading its aging firewalls, the staff didn't know the extent to which the district would begin to rely on the new models over the next few years.

In 2009, Northwest ISD chose to upgrade to new, more feature-rich Fortinet FortiGate-620B firewalls with content inspection, integrated multithreat security features, network security segmentation and high port density. Director of Technology Carl Shawn says the main reason for the upgrade was to consolidate appliances – intrusion protection, Internet filtering and antivirus – into a single device. Another important goal was to create higher capacity and throughput for the school district's network.

Those features were key to what was coming next: a massive rollout of netbooks, first to 3,500 high school students and then to about 4,000 middle school students. It was at that point that Shawn realized the true benefit of upgrading the firewalls. "We needed to be able to handle 7,500 netbooks without any latency, since students would be accessing the Internet a lot while in school," he says.

With the new firewalls in place (one primary and one for redundancy), the district isn't experiencing bandwidth problems, and the IT department is well equipped to monitor the network for inappropriate access.

Lee's Summit R-7 School District in Missouri also chose to upgrade, replacing a nearly 6-year-old firewall with a pair of SonicWall E-Class NSA E7500 NGFWs. The existing firewall was so old that the manufacturer didn't support it anymore, and it couldn't keep up with the district's growing bandwidth usage. (The old firewall maxed out at 100 megabits per second, while the new one scales to 1 gigabit per second.)

By the end of 2014, 35% of all Internet connections will be secured using next-generation firewalls, up from less than 1% in late 2009. Furthermore, 60% of new firewall purchases will be next-generation devices.

SOURCE: "Defining the Next-Generation Firewall" (Gartner, October 2009)

Consolidation was another benefit. The old solution involved a separate firewall, bandwidth management device and content filtering solution – all from different manufacturers with different management and maintenance requirements, says Don Andrews, executive director of technology. By integrating multiple functions that were previously separate, Lee's Summit saves $15,000 to $20,000 per year.

What's more, the older firewall was so out of date that it had little if any intrusion protection capability. The E7500's application monitoring and intrusion detection capabilities have therefore made a big difference to the IT staff, who are charged with monitoring and restricting unacceptable applications.

The NGFWs "have given us a lot more granular control over what goes in and out of our network," says Walter Woodward, network administrator at Lee's Summit. "We can block applications by application signature, and we can allow some applications for particular individuals or groups. Before, it was all or nothing – block everybody or allow everybody – but now we have much more control."
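The shift the article describes twice – threats slipping through on ports that must stay open, and policy that can allow an application for one group while blocking it for everyone else – comes down to two changes in how a firewall decides: it classifies traffic by content rather than by destination port, and it evaluates rules that carry a user or group as a criterion. The following Python is an added illustration written for this page; it is not code from SonicWall, Fortinet or any of the districts quoted. The application signatures are toy versions of the first bytes a client sends, the users and group memberships are constructed, and the example assumes the firewall has already mapped each flow to a user (real appliances do this through a directory agent or captive portal). It also includes a small rule-shadowing check, because with first-match evaluation a group-specific allow placed after a general block can never fire.

```python
"""Port-based vs application- and user-aware firewall policy.

Constructed example for this article; not code from SonicWall, Fortinet or any
of the districts named.  Signatures, users, groups and rules are all made up.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    user: str          # assumed already resolved from the client IP by a directory agent
    dst_port: int
    payload: bytes     # first bytes the client sent


# Toy application signatures keyed on the first client bytes.  A real NGFW
# carries thousands and also watches the server side; these are illustrative.
APP_SIGNATURES: Dict[str, Callable[[bytes], bool]] = {
    "ssh":        lambda p: p.startswith(b"SSH-2.0-"),
    "bittorrent": lambda p: p.startswith(b"\x13BitTorrent protocol"),
    "http-proxy": lambda p: p.startswith(b"CONNECT "),
    "http":       lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"),
    "tls":        lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03,
}


def identify_app(payload: bytes) -> str:
    """Classify by content, ignoring the port the flow arrived on."""
    for name, matches in APP_SIGNATURES.items():
        if matches(payload):
            return name
    return "unknown"


def legacy_port_policy(flow: Flow) -> str:
    """Older rule set: the destination port is the only criterion."""
    return "allow" if flow.dst_port in (80, 443) else "block"


# Constructed directory groups (a real deployment pulls these from AD/LDAP).
GROUPS = {"alice": {"staff"}, "bob": {"students"}, "carol": {"students", "av-club"}}


@dataclass(frozen=True)
class Rule:
    groups: Optional[FrozenSet[str]]  # None = any user
    apps: Optional[FrozenSet[str]]    # None = any application
    action: str


# First match wins, so the group-specific allow must precede the general block.
NGFW_RULES: List[Rule] = [
    Rule(frozenset({"staff"}), frozenset({"ssh", "http-proxy"}), "allow"),
    Rule(None, frozenset({"ssh", "http-proxy", "bittorrent"}), "block"),
    Rule(None, frozenset({"http", "tls"}), "allow"),
    Rule(None, None, "block"),   # default deny
]


def ngfw_policy(flow: Flow, rules: List[Rule] = NGFW_RULES) -> Tuple[str, str, int]:
    """Return (action, identified app, index of the matching rule)."""
    app = identify_app(flow.payload)
    user_groups = GROUPS.get(flow.user, set())
    for i, r in enumerate(rules):
        if r.groups is not None and not (r.groups & user_groups):
            continue
        if r.apps is not None and app not in r.apps:
            continue
        return r.action, app, i
    return "block", app, -1   # only reachable if no default-deny rule exists


def _covers(a: Rule, b: Rule) -> bool:
    """True if every flow matching b would already have matched a."""
    g_ok = a.groups is None or (b.groups is not None and b.groups <= a.groups)
    p_ok = a.apps is None or (b.apps is not None and b.apps <= a.apps)
    return g_ok and p_ok


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(_covers(rules[i], rules[j]) for i in range(j))]


# Constructed flows.  SSH on 443 and BitTorrent on 80 are the classic
# "threats coming through on ports we have to have open".
SAMPLE_FLOWS = [
    Flow("bob",   443,  b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("alice", 443,  b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("bob",   80,   b"\x13BitTorrent protocol" + b"\x00" * 8),
    Flow("carol", 80,   b"GET /index.html HTTP/1.1\r\n"),
    Flow("bob",   443,  b"\x16\x03\x01\x02\x00\x01"),
    Flow("alice", 8080, b"CONNECT mail.example.org:443 HTTP/1.1\r\n"),
]


def compare(flows=SAMPLE_FLOWS) -> List[Tuple[str, int, str, str, str]]:
    """Side-by-side verdicts: (user, port, app, legacy action, ngfw action)."""
    rows = []
    for f in flows:
        action, app, _ = ngfw_policy(f)
        rows.append((f.user, f.dst_port, app, legacy_port_policy(f), action))
    return rows


if __name__ == "__main__":
    for row in compare():
        print("%-6s %5d %-11s legacy=%-5s ngfw=%s" % row)
    print("shadowed rules:", shadowed_rules(NGFW_RULES))
```

Running it shows the two failure modes side by side: the port-only policy passes the student's SSH session on 443 and the BitTorrent handshake on 80 because those ports are open, while the application-aware rules block both and still let the staff member's SSH and proxy CONNECT through, on 443 and on 8080 alike. Swapping the first two rules makes the staff allow unreachable, which `shadowed_rules` reports; the same check is worth running against a real rule base after every change, because vendor consoles do not always flag shadowed entries.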

Smart Selection

Most schools and districts already have at least one firewall in place, but new pressures and requirements often make next-generation models attractive. When considering what to buy, keep these points in mind:

  • Make sure the product has, at a minimum, a high-availability (zero-downtime) configuration, such as the primary/standby pair Northwest ISD runs; support for user-based policy controls; the ability to identify applications and enforce network security policy at the application layer; full intrusion prevention; and good scalability.
  • Determine the type of applications you need to control and how granular you need that control to be.
  • Consider replacing your intrusion prevention system with the functionality integrated into a new firewall. This reduces complexity and makes management easier. Size the appliance on the vendor's throughput figure with intrusion prevention and antivirus enabled, not the headline firewall throughput, since deep inspection consumes a large share of the device's capacity.