CRHC includes Concord Hospital, Concord Regional Visiting Nurses Association, Riverbend Community Mental Health, and related affiliates.
After CRHC's external auditors expressed dissatisfaction with the organization's existing firewalls, CRHC's information security team explored alternative "next-generation" firewall solutions.
Palo Alto Networks provides exactly what CRHC was looking for. While the original reason for looking at Palo Alto Networks was PCI compliance (which has been achieved), the benefits provided by Palo Alto Networks far exceed compliance. They include application and user awareness, virtual firewall instances, improved security, improved visibility, and much lower costs due to consolidating devices. Palo Alto Networks was implemented quickly once the CRHC team made the adjustment from port-based concepts to application-based firewall rule sets.
Based in Concord, New Hampshire, Capital Region Health Care (CRHC) is a regional health delivery system. It includes Concord Hospital, which has 3,200 employees, including more than 750 physicians and nurses, at the main campus and more than 10 remote sites.
All aspects of information security at CRHC are managed by a small but capable IT security team. Mark Starry manages IT security as well as all enterprise architecture; Mike Goodnow is a senior security engineer who manages all day-to-day ad hoc security requests, including firewall requests, issues with logging, and any issues related to accessing applications. The most significant priority for CRHC's information security team is to support the business by protecting sensitive patient data.
AN EXTERNAL AUDIT CAUSED CRHC TO SEEK A NEW FIREWALL SOLUTION
In early 2008, CRHC's external auditors (Sage Data Security of South Portland, Maine) conducted a security audit related to CRHC's compliance with industry best practices, HIPAA, and PCI. PCI compliance is important to CRHC, as the organization has a large number of credit card transactions.
As a result of this audit, CRHC's auditors expressed concern with CRHC's existing firewall solutions, which included ISS (IBM), Juniper, and Check Point. The concerns included that the existing solutions were not standard and that some did not support the creation of rules based on the interface. They also did not enable CRHC to adequately segregate its network (as is required by PCI), and the existing firewalls did not provide CRHC the ability to control access to specific applications.
In addition to the compliance concerns, CRHC viewed its existing firewall solutions as expensive and saw them as lacking important security features. One result was that CRHC experienced malicious content coming into its network, mostly because malicious code entered the organization over well-known ports. In some cases this malicious code was injected into business-related applications. CRHC quickly determined that, other than Palo Alto, all "Next Generation" firewalls were really just Unified Threat Management systems, with no new technology, just the repackaging of existing technology.
CRHC explored whether its current solutions could address the deficiencies identified in the audit. The conclusion reached by CRHC was that these solutions were not application-aware (and the companies had no short-term plans to make them application-aware) and did not have adequate compensating controls. The solutions were also expensive. As a result, CRHC decided to explore alternative solutions.
"Since implementing Palo Alto, I have come to the conclusion that a firewall that is not application and user aware provides little value to our organization."
- Mark Starry
EVALUATING PALO ALTO NETWORKS
Having concluded that its current firewall solutions were not adequate, CRHC began looking into other next-generation options. CRHC learned about Palo Alto Networks at an IANS Information Security Forum in 2008. CRHC saw Palo Alto Networks as a unique application-aware solution.
"Palo Alto Networks is the only firewall solution that is application-aware. User authorization is based on domain credentials."
- Mike Goodnow
At another IANS Forum a year later, CRHC saw that Palo Alto Networks had made significant progress in a short period of time. The improved product supported integration with Active Directory and included URL filtering.
After having seen how much Palo Alto Networks had improved, CRHC decided to bring in Palo Alto Networks for an evaluation in their network. During this evaluation, CRHC confirmed that:
In addition, during the evaluation, CRHC learned that Palo Alto Networks:
THE POSITIVE EVALUATION LED CRHC TO DEVELOP A BUSINESS CASE TO BRING IN PALO ALTO NETWORKS
CRHC's evaluation of Palo Alto Networks led CRHC to conclude that they wanted to purchase Palo Alto Networks. In order to push the transaction forward, the information security team developed a compelling business case outlining the anticipated benefits of the upgrade. This business case had the following components:
CRHC HAS ADOPTED PALO ALTO NETWORKS AND IS EXPANDING ITS USE
The above business case enabled Mark Starry and Mike Goodnow to convince their management to adopt Palo Alto Networks more broadly. (Improved compliance, improved security, and cost savings were difficult for CRHC management to refute.)
CRHC now has five Palo Alto Networks devices. CRHC is currently in the process of consolidating and replacing its other devices, phasing out Check Point and Juniper. All new projects are on Palo Alto Networks.
Since implementing these five Palo Alto Networks devices, lessons that CRHC has learned about Palo Alto Networks include:
ABOUT PALO ALTO NETWORKS
Palo Alto Networks™ (paloaltonetworks.com) is the leader in next-generation firewalls, enabling unprecedented visibility and granular policy control of applications and content (by user, not just IP address) at up to 10 Gbps with no performance degradation. Based on patent-pending App-ID™ technology, Palo Alto Networks firewalls accurately identify and control applications, regardless of port, protocol, evasive tactic, or SSL encryption, and scan content to stop threats and prevent data leakage. Enterprises can for the first time embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation.
IANS is the premier membership organization for practicing information security professionals. IANS' mission is to provide key technical and business insights to help members solve their most pressing technical and professional challenges.
IANS achieves this mission through a broad offering of services provided to its members: insightful events, thought-provoking publications, best-practice research, and unique networking opportunities.
IANS is committed to providing its members with unbiased, relevant insights to increase their productivity and effectiveness as emerging technical leaders inside their organizations.