AT A GLANCE
CRHC includes Concord Hospital, Concord Regional Visiting Nurses Association, Riverbend Community Mental Health, and related affiliates.
Viewing Palo Alto Networks as a Strategic Network Security Platform
After CRHC's external auditors expressed dissatisfaction with the organization's existing firewalls, CRHC's information security team explored alternative "next-generation" firewall solutions.
Palo Alto Networks provides exactly what CRHC was looking for. While the original reason for looking at Palo Alto Networks was PCI compliance— which has been achieved—the benefits provided by Palo Alto Networks far exceed compliance. They include application and user awareness, virtual firewall instances, improved security, improved visibility — and much lower costs due to consolidating devices. Palo Alto Networks was implemented quickly once the CRHC team made the adjustment from port-based concepts to application-based firewall rule sets.
Based in Concord, New Hampshire, Capital Region Health Care (CRHC) is a regional health delivery system. It includes Concord Hospital, which has 3,200 employees, including more than 750 physicians and nurses, at the main campus and more than 10 remote sites.
All aspects of information security at CRHC are managed by a small but capable IT security team. Mark Starry manages IT security as well as all enterprise architecture; Mike Goodnow is a senior security engineer who manages all day-to-day ad hoc security requests, including firewall requests, issues with logging, and any issues related to accessing applications. The most significant priority for CRHC's information security team is to support the business by protecting sensitive patient data.
AN EXTERNAL AUDIT CAUSED CRHC TO SEEK A NEW FIREWALL SOLUTION
In early 2008, CRHC's external auditors (Sage Data Security of South Portland, Maine) conducted a security audit related to CRHC's compliance with industry best practices, HIPAA, and PCI. PCI compliance is important to CRHC, as the organization has a large number of credit card transactions.
As a result of this audit, CRHC's auditors expressed concern with CRHC's existing firewall solutions, which included ISS (IBM), Juniper, and Check Point. The concerns included that the existing solutions were not standard and some did not support the creation of rules based on the interface. They also did not enable CRHC to adequately segregate its network (as is required by PCI), and the existing firewalls did not provide CRHC the ability to control access to specific applications.
In addition to the compliance concerns, CRHC viewed its existing firewall solutions as expensive and saw them as lacking important security features. One result was that CRHC experienced malicious content coming into its network, mostly because malicious code entered the organization over well-known ports. In some cases this malicious code was injected into business-related applications. Other than Palo Alto, CRHC quickly determined that all other "Next Generation" firewalls were really just Unified Threat Management systems, with no new technology—just the repackaging of existing technology.
CRHC explored whether its current solutions could address the deficiencies identified in the audit. The conclusion reached by CRHC was that these solutions were not application-aware (and the companies had no short-term plans to make them application-aware) and did not have adequate compensating controls. The solutions were also expensive. As a result, CRHC decided to explore alternative solutions.
"Since implementing Palo Alto, I have come to the conclusion that a firewall that is not application and user aware provides little value to our organization."
- Mark Starry
EVALUATING PALO ALTO NETWORKS
Having concluded that its current firewall solutions were not adequate, CRHC began looking into other next-generation options. CRHC learned about Palo Alto Networks at an IANS Information Security Forum in 2008. CRHC saw Palo Alto Networks as a unique application-aware solution.
"Palo Alto Networks is the only firewall solution that is application-aware. User authorization is based on domain credentials."
- Mike Goodnow
At another IANS Forum a year later, CRHC saw that Palo Alto Networks had made significant progress in a short period of time. The improved product supported integration with Active Directory and included URL filtering.
After having seen how much Palo Alto Networks had improved, CRHC decided to bring in Palo Alto Networks for an evaluation in their network. During this evaluation, CRHC confirmed that:
- Application awareness is key. The CRHC team had thought that the concept of application awareness was critical. The ability to evaluate Palo Alto Networks' application-aware product further reinforced this belief.
In the evaluation, Palo Alto Networks immediately saw—and was able to identify—traffic related to 50 applications traversing Port 80. Palo Alto Networks enabled CRHC to see that only about 25% of its traffic on Port 80 came from legitimate applications; the other 75% was not from authorized applications. (This evaluation began in view-only mode, but it would have been possible to also use Palo Alto Networks to block this unauthorized traffic.)
CRHC's team views application awareness as Palo Alto Networks' most important feature. Application awareness provides visibility about what applications are running on the network, which yields much greater control.
- Palo Alto Networks helped CRHC become PCI compliant. Palo Alto Networks enabled CRHC to address all of the network security issues that had been raised by CRHC's auditors in regards to PCI. Becoming compliant included using separate virtual firewall instances to segment PCI-related databases and devices from the regular business network.
Segmentation can be achieved by leveraging Active Directory to establish rules for who is authorized to access which applications. (CRHC's auditors have been effusive in their praise of this capability as an excellent compensating control to network segmentation.)
In addition, during the evaluation, CRHC learned that Palo Alto Networks:
- Is extremely easy to install. It was up and running in just one day. Mark Starry described Palo Alto Networks as "plug and play." Mike Goodnow said that Palo Alto Networks is at the top of his list when it comes to setup and management.
- Improves security. CRHC saw during the evaluation that in addition to compliance, Palo Alto Networks' application-aware firewall does everything that an IPS, an antivirus solution, and a traditional firewall do.
One way Palo Alto Networks' application-aware firewall works: a rule can be set to identify certain applications and to not allow attachments for traffic related to those applications. For example, Palo Alto Networks can determine if an application is web mail and can then strip off all attachments, which prevents malware from entering the network.
- Has few false positives. The number of false positives in the evaluation was very small—and far better than CRHC's previous solutions.
- Provides great customer service. During the evaluation, CRHC saw how responsive Palo Alto Networks was. Palo Alto Networks' support staff answered the phone immediately and their level of support was outstanding.
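To make the evaluation findings concrete, the following is an added illustration (not code from the case study or from Palo Alto Networks) of why a port-based rule and an application- and user-aware rule set decide differently on the same port-80 traffic. The flow records, application names and group names are constructed; the "strip attachments" action models the web-mail rule described above.

```python
# Added example: contrast a port-based rule with an application/user-aware rule set.
# All flows, application labels and group names are constructed for illustration.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    dst_port: int
    app: str           # application identified from the traffic content, not the port
    user_group: str    # group resolved from the user's directory (domain) credentials
    has_attachment: bool = False


def port_based_decision(flow):
    """Legacy model: anything on TCP/80 or TCP/443 is 'web' and allowed."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


# Application-aware rule set, evaluated top-down; first match wins.
# Each rule: (allowed applications, allowed user groups, action).
APP_RULES = [
    ({"web-mail"},     {"staff", "clinical"}, "allow-strip-attachments"),
    ({"web-browsing"}, {"staff", "clinical"}, "allow"),
    ({"pci-db-admin"}, {"pci-admins"},        "allow"),   # segmentation by group
]


def app_aware_decision(flow):
    for apps, groups, action in APP_RULES:
        if flow.app in apps and flow.user_group in groups:
            return action
    return "deny"   # implicit deny for unidentified or unauthorised applications


def enforce(flow):
    """Apply the decision: returns (action, flow as forwarded) or (deny, None)."""
    action = app_aware_decision(flow)
    if action == "deny":
        return action, None
    if action == "allow-strip-attachments":
        return action, replace(flow, has_attachment=False)
    return action, flow


def compare(flows):
    """Count flows each model allows, and list apps the port rule let through but the app rule denies."""
    port_allowed = [f for f in flows if port_based_decision(f) == "allow"]
    app_allowed = [f for f in flows if app_aware_decision(f) != "deny"]
    slipped = sorted({f.app for f in port_allowed if app_aware_decision(f) == "deny"})
    return len(port_allowed), len(app_allowed), slipped


# Constructed sample: four flows, all on port 80, only one of them plain web browsing.
SAMPLE = [
    Flow(80, "web-browsing", "staff"),
    Flow(80, "web-mail", "staff", has_attachment=True),
    Flow(80, "p2p-filesharing", "staff"),
    Flow(80, "pci-db-admin", "staff"),   # right application, wrong group
]
```

Running `compare(SAMPLE)` shows the port rule allowing all four flows while the application-aware rules allow two, which is the kind of gap the view-only evaluation surfaced on port 80.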
THE POSITIVE EVALUATION LED CRHC TO DEVELOP A BUSINESS CASE TO BRING IN PALO ALTO NETWORKS
CRHC's evaluation of Palo Alto Networks led CRHC to conclude that they wanted to purchase Palo Alto Networks. In order to push the transaction forward, the information security team developed a compelling business case outlining the anticipated benefits of the upgrade. This business case had the following components:
- Improved compliance. Palo Alto Networks would improve CRHC's ability to comply with PCI and make compliance easier. Palo Alto Networks was strongly supported by the organization's auditors.
- Improved information security. Along with application awareness, Palo Alto Networks' ASIC-based firewall has all of the capabilities of IPS solutions, antivirus, URL filtering, and traditional firewalls. These capabilities — along with the added control from application awareness — result in better protection. Mark Starry observed that Palo Alto Networks also has many of the capabilities of unified threat management.
In addition, Palo Alto Networks would be able to provide real-time visibility over CRHC's perimeter and entire network. It could tell CRHC's information security team exactly what is going on across the network. Having fewer devices means fewer places to look for incidents. Along with increased real-time visibility and good automated reports, CRHC would have more information and greater control, which would mean better security.
- Cost savings. Palo Alto Networks would be able to help CRHC achieve cost savings in the following ways:
- Through lower licensing and support costs. The cost for CRHC to purchase and maintain Palo Alto Networks would be much less than CRHC's ongoing annual support costs for its existing firewalls.
- By consolidating devices. Using Palo Alto Networks would enable CRHC to eliminate devices such as URL filtering, antivirus, and IDS/IPS. Having fewer devices would be easier for CRHC to manage (due to less labor) and would save money in ongoing maintenance and support costs for the eliminated products.
- By switching to a lower-cost MSSP. CRHC had been using IBM ISS as an outsourced managed security service provider (MSSP) for several years to provide 24/7 monitoring of CRHC's network. But IBM ISS was pricey compared to other MSSPs and couldn't handle the logging model that CRHC wanted to implement.
CRHC viewed SecureWorks as a more reasonably priced, more robust managed services solution, and SecureWorks was the only MSSP to support Palo Alto Networks at the time. By adopting Palo Alto Networks it would become possible for CRHC to switch to SecureWorks, which could save CRHC about $50,000 per year while also resulting in improved service.
- Standardization. CRHC had jumped around a bit with multiple firewalls from different vendors. The robustness of Palo Alto Networks would provide a platform that would enable CRHC to standardize.
CRHC HAS ADOPTED PALO ALTO NETWORKS AND IS EXPANDING ITS USE
The above business case enabled Mark Starry and Mike Goodnow to convince their management to adopt Palo Alto Networks more broadly. (Improved compliance, improved security, and cost savings were difficult for CRHC management to refute.)
CRHC now has five Palo Alto Networks devices. CRHC is currently in the process of consolidating and replacing its other devices, phasing out Check Point and Juniper. All new projects are on Palo Alto Networks.
Since implementing these five Palo Alto Networks devices, lessons that CRHC has learned about Palo Alto Networks include:
- It can block Facebook applications. CRHC allows users to look at Facebook, but uses Palo Alto Networks to block any Facebook applications or APIs.
- It is easy to manage. Palo Alto Networks' user-friendly central management console (called Panorama) makes it extremely easy for a small team like CRHC's to manage its network. CRHC has found that this centralized management console makes it easier to manage Palo Alto Networks than Juniper and Check Point.
- It is extremely fast. Palo Alto Networks' boxes support and work well within CRHC's 10 GB infrastructure.
- It has high availability. Because the availability of the Palo Alto Networks boxes is so high, it is possible to take a device offline to make changes and do testing with no packet loss.
ABOUT PALO ALTO NETWORKS
Palo Alto Networks™ (paloaltonetworks.com) is the leader in next-generation firewalls, enabling unprecedented visibility and granular policy control of applications and content—by user, not just IP address—at up to 10Gbps with no performance degradation. Based on patent-pending App-ID™ technology, Palo Alto Networks firewalls accurately identify and control applications — regardless of port, protocol, evasive tactic, or SSL encryption — and scan content to stop threats and prevent data leakage. Enterprises can for the first time embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation.
IANS is the premier membership organization for practicing information security professionals. IANS' mission is to provide key technical and business insights to help members solve their most pressing technical and professional challenges.
IANS achieves this mission through a broad offering of services provided to its members: insightful events, thought-provoking publications, best-practice research, and unique networking opportunities.
IANS is committed to providing its members with unbiased, relevant insights to increase their productivity and effectiveness as emerging technical leaders inside their organizations.