The California State University (CSU) is a leader in high-quality, accessible, student-focused higher education. With 23 campuses, 460,000 students, and 47,000 faculty and staff, the CSU system is the largest, most diverse, and one of the most affordable in the U.S.
To support its campuses and the Chancellor’s Office with reliable, robust and secure local area networks, the CSU has invested in a system-wide network infrastructure program called the Common Network Initiative (CNI), a system-wide network infrastructure program.
Over the last fifteen years, the CSU established a state-of-the art network infrastructure comprised of common hardware and software, switching, routing, wireless and security platforms. Most recently, the CSU deployed Juniper Networks for network security and Aruba Networks® for wireless, along with Alcatel-Lucent as the standard switching and routing vendor.
However, with the cyberthreat landscape changing so rapidly, the CSU decided to re-evaluate its Network security tools and deployment.
Some of our key accomplishments during the last fifteen years are:
- Received the highest discount from various selected vendors due to open competition that was achieved via the vendor agnostic RFP.
- Selected the best technologies for the campus networks based on a collaborative campus led process.
- Built a web of collaboration with all campuses via extensive working groups.
- Developed a common network infrastructure baseline and eliminated the need for campuses to have various network architectures. Built operational efficiencies via common configurations and standards. To establish key objectives for the CNI project, the Chancellor’s Office collaborated with CSU campuses to form working groups involving more than 40 CSU participants. Discussions were facilitated by the Chancellor’s Office and AT&T Consulting.
Through these discussions, the campus working groups developed the following criteria for a Next-Generation Security Platform that would meet the collective needs of the university system:
- Enable advanced threat and attack detection and mitigation, with the ability to detect and protect against current and emerging threats.
- Strengthen application security by detecting and identifying applications via the network enforcement device and then take protective action.
- Ensure consistent policy enforcement, generating and deploying security policies to meet privacy and regulatory compliance requirements.
- Unify management with the ability to correlate, analyze and report on security-related data from multiple sources.
With these objectives as a guide, the working groups engaged in a series of technical sessions facilitated by AT&T Consulting. These sessions leveraged the collective knowledge and experience of campus CIOs, security engineers, networking professionals, and other technical experts to develop a common technical standard, including detailed features and functional requirements in the Next-Generation Security Platform. This would ensure that the needs of all 23 campuses would be met consistently.
Based on the established standard, the CSU then issued a Request for Information (RFI) inviting any interested vendors to respond. Because of the broad range of capabilities needed to meet the objectives, the CSU expected to award business to multiple vendors.
Intensive Vendor Evaluation
In response to the RFI, the CSU received responses from 26 vendors, of which 18 passed the initial purchasing review. The CSU established another two internal working groups to further evaluate the remaining 18 vendors – one group focused solely on technical capabilities, the other on pricing. These working groups also created a scoring mechanism to evaluate the vendors based on a methodology agreed upon by the campuses and facilitated by AT&T Consulting. Each group worked independently without sharing any information with the other.
In the technical assessment, the campuses scored each vendor’s solution based on its ability to meet defined performance requirements and technical protocols. A major consideration was how easily each solution could be managed and maintained. Following the technical assessments, six vendors were invited to submit a total cost of ownership (TCO) report for their respective product offerings. The six vendors were Check Point®, Cisco®, F5 Networks®, Fortinet®, Juniper Networks®, and Palo Alto Networks®. Of these six, F5 and Palo Alto Networks offered the best TCO and were selected for a final evaluation.
Following this initial exam, the CSU consulted with Gartner®, which suggested a follow-up exercise to test the ease of configuring each vendor’s offering. In this phase of the evaluation, Palo Alto Networks and F5 were each requested in advance to demonstrate how to configure a variety of settings on their platforms. The objective was to observe the steps to complete the configuration and the effort involved, as well as to note if either vendor had built-in features to simplify the process.
At the conclusion of this final test, Palo Alto Networks proved to offer the most comprehensive technology, the easiest administration, and the lowest TOC. In fact the Palo Alto Networks Next-Generation Security Platform met all the CSU’s key objectives with a single platform, simplifying the total solution by working with just one vendor.
Alpha Stage Deployment
Following the selection of Palo Alto Networks, the CSU formed three focus groups to guide the CNI project moving forward. The Executive Focus Group provides guidance and makes recommendations on human resource issues and strategic deployment issues, such as security platform administration. The Security Architecture Baseline Focus Group ensures that the Palo Alto Networks platform is deployed consistently across the CSU system to support current and emerging security needs. The Standards and Policy Focus Group reviews the CSU’s internal policies and standards, as well as ISO/IEC27001/27002 standards, to ensure conformance on all Palo Alto Networks platform deployments across the university system.
The CSU selected two campuses – Bakersfield and Chico – as alpha sites to gather initial data that would inform production deployments. Based on the lessons learned from the alpha deployments, the CSU adopted a three-phase migration strategy.
Phase 1 involved a "like for like" replacement of Juniper firewalls with Palo Alto Networks next-generation firewalls, using existing security rules. During a 60-day proving period, the Palo Alto Networks next-generation firewalls logged application data, which was used to build application-based rules. In addition, Palo Alto Networks Threat Prevention service was enabled in "alert only" mode.
In Phase 2, the CSU cloned legacy security rules and added application information. During this phase, traffic was filtered based on the new application-based rule, while the legacy rule was retained for verification purposes. The Palo Alto Networks next-generation firewalls were also configured with User-ID™ to identify end users by name rather than only their IP address. Threat Prevention was also fully enabled to automatically block identified threats. This environment was then run for another 30 to 60 days.
At the conclusion of Phase 2, all standard security rules were added to the Palo Alto Networks next-generation firewalls based on policies established by the CSU campuses. At this point the legacy rules were reviewed to confirm they were no longer required. During the migration, Palo Alto Networks Professional Services provided the CSU team with documented best practices to ensure that Palo Alto Networks security features, such as App-ID™ rules and policies, are applied consistently across the campuses. The CSU operations teams also signed up for training prior to completing the Alpha stage.
In parallel with the Alpha testing, the CSU worked with Palo Alto Networks to engage a resident engineer. This Palo Alto Networks employee began working on-site November 30, 2015 and is responsible for the majority of ongoing production deployments across all campuses, ensuring that the deployments conform with the technical requirements and standards established for all the campuses.
To determine sizing for the Palo Alto Networks next-generation firewalls deployed at each campus, the CSU, in collaboration with Palo Alto Networks, considered three variables: number of students, number of concurrent sessions, WAN traffic plus projected growth over four years, and percentage of SSL decryption. Based on these considerations, Palo Alto Networks recommended the PA-5050 as the baseline edge firewall for medium-sized campuses, the PA-5060 as the baseline edge firewall for large campuses, and the PA-5060 for any data center firewall deployments.
In addition to the Palo Alto Networks next-generation firewalls, each campus is being enabled initially with a minimum of Palo Alto Networks Threat Protection. Soon all campuses will be able to add other Palo Alto Networks subscriptions, such as URL Filtering, WildFire® cloud-based malware analysis environment, and GlobalProtect™ as part of the ELA program. AT&T Consulting provides project management for each campus deployment to adhere to deployment schedules and ensure continuity across the university.
To date, we have completed the migration to the Palo Alto Networks Next-Generation border firewalls at 14 campuses with Threat Prevention enabled. By the end of June 2016, the Stanislaus campus is slated for deployment and will be the first campus to deploy the Palo Alto Networks platform to protect the WAN edge and data center, choosing a pair of PA-5060 next-generation firewalls for both.
The CSU security infrastructure refresh project will continue to roll out the Palo Alto Networks Next-Generation Security Platform, with additional deployments planned throughout 2016 and into 2017 at each of the remaining university campuses. In total the CSU will deploy over 100 firewalls in 30 locations in 18 months.