Gain visibility into the network to create and enforce application usage policy by user, free up bandwidth and strengthen security.
Palo Alto Networks PA-2000 Series, PA-200 and PA-500 next-generation firewalls for granular visibility of threats and better control of Internet applications.
Increased application visibility and control; reduced bandwidth consumption by 30 percent for more reliable Internet and application access; enabled flexible application usage policy by user; strengthened security; lowered IT security costs; supported educational initiatives
Located in British Columbia, Canada, the School District of Chilliwack is a learning community of over 13,000 students, served by 2,300 teachers and support staff. The district’s diverse programs include 37 elementary, middle and secondary neighborhood schools as well as alternate and distance learning programs.
Nestled in the Fraser Valley just 50 miles east of Vancouver, B.C., the town of Chilliwack is in the midst of a population explosion. As Vancouver continues to grow, more people are choosing to settle down in nearby Chilliwack and commute to jobs in Vancouver. The growth spurt is driving up enrollment at the School District of Chilliwack’s 37 schools—ballooning its network user base to over 20,000—and causing many schools to rebuild to accommodate more students.
Technology and the Internet play integral roles in supporting the school district’s mission. “There’s a big push to use technology and online resources for educational purposes,” says Randy Janzen, IT Foreman for the district. “We have some apps hosted online and students often go to web sites that facilitate learning.” In addition, growing numbers of users want VPN connections to access school resources from home.
About half of the district’s traffic stems from Internet usage and the remainder from applications. A centralized network routes all traffic through the district’s 400 megabyte connection at its main data center. This includes traffic generated by two high schools, which share a 100 megabyte connection, and 35 middle and elementary schools, each of which has a 10 megabyte connection. The school district’s ISP provides centralized URL filtering and threat prevention services. Managing all the technology to support the district’s burgeoning student population is an IT staff of twelve.
Several IT challenges surfaced—including a spike in bandwidth usage—as the School District of Chilliwack grappled with the influx of students. More users, and an increase in students using bit torrent clients, coupled with routing all traffic through its main site, began causing slow application response times and unreliable Internet access.
“We had centralized all of our services on our 100 meg link at our main data center site, but with only a 10 meg link back to the schools it wasn’t working well,” says Janzen. “About 80 percent of bandwidth was used up daily at the 10 meg sites, and it often reached 100 percent. It took five minutes for a desktop to load and applications were taking a long time to launch.” Janzen and his colleagues began rethinking the district’s centralized architecture and realized the need for more network visibility.
Another issue stressing the district’s bandwidth stemmed from the transient makeup of its users. “People accessing the network are usually moving around the building from workstation to workstation,” says Janzen. “It’s not like a business setting where a person is assigned a desktop and an individual IP. In a school, if there’s a problem with traffic it’s virtually impossible to identify the user.” The network visibility required to quickly match activity to a specific user, and to enable flexible user policies, became increasingly important to the district. “Some teachers wanted us to block students from accessing Facebook and other applications, but all our ISP could do was filter out inappropriate content,” says Janzen. “We didn’t have the visibility to block or control certain apps.”
The nature of the security threats to the district’s network further exposed the limitations of its existing IT infrastructure. “Our security risks are internal not external,” says Janzen. “We have to guard against internal hacking, which is challenging because every user has administrative access from their local desktop and can download any utility they want to try to hack into the network. A port-based security system is inadequate for dealing with this type of threat.”
Janzen and his team were ready to act. They sought a security solution that offered superior network visibility and integrated with Active Directory to tie an IP address to a specific user. This capability would enable flexible access policies by user, allow IT personnel to monitor traffic and solve the school district’s unique security vulnerabilities. Ease of use was also paramount. “We didn’t have time for a huge learning curve to figure out the set up for a solution,” says Janzen.
To alleviate congestion on its Internet links, and administrative burdens such as installing updates on hundreds of computers, the district moved to a distributed architecture. “By decentralizing and distributing resources like file shares and desktop upgrades and making them local instead of all in the data center, and creating VPN connections to our sites, we hoped to significantly reduce bandwidth utilization and costs,” says Janzen. But first, he had to find the right solution.
The district’s IT partner, X-10 Networks, suggested Palo Alto Networks. “I did some research and concluded that Palo Alto Networks might be a really good fit,” says Janzen. The PA-2000 Series, PA-200 and PA-500 next-generation firewalls afford unprecedented visibility and granular policy control of applications and content—by user, not just IP address—at up to 20Gbps with no performance degradation. The firewalls isolate and protect data through security policies that are based on the user or group identity from within Active Directory. The user and group identity is then tied directly to a specific application, and the application can then be inspected for threats and unauthorized data transfer.
The firewalls enable enterprises to extend protection over all types of traffic, applications, and threats to remote users. Palo Alto Networks firewalls accurately identify and control applications—regardless of port, protocol, evasive tactic or SSL encryption—and scan content to stop threats and prevent data leakage. This level of granular control is unmatched by any firewall solution on the market. The PA-2000 Series, PA-500 and PA-200 give enterprises complete visibility and control, while significantly reducing total cost of ownership through device consolidation.
Janzen’s team put the Palo Alto Networks firewall through a rigorous two month evaluation. “A solution couldn’t take a lot of time to figure out, set up or monitor,” says Janzen. “It was very easy to do all of this with the Palo Alto Networks box.”
They analyzed the firewalls’ suitability to address the district’s bandwidth problem. “We quickly created some VPN tunnels between our sites and main data center,” says Janzen. “We immediately saw that Windows updates coming down from the server at one site were eating up all the bandwidth and fixed the problem right away. Previously, this would have taken a lot of time and trouble to diagnose and rectify.”
The ease of setting up and monitoring VPN clients with Palo Alto Networks stood out. “Setting up a VPN connection is really simple,” says Janzen. “I went home and right clicked and connected and didn’t even have to log in. It was clear that Palo Alto Networks firewalls would enable us to easily meet demand for VPN connections.”
The ability of Palo Alto Networks to integrate with Active Directory made the firewalls even more attractive. “Matching a user name and IP address with Active Directory is so important for schools,” says Janzen. “Palo Alto Networks boxes are multi-faceted application-based firewalls that you can do a lot with to control applications.”
The School District of Chilliwack made its decision. The granular network visibility provided by Palo Alto Networks would enable it to solve its bandwidth problems, decentralize its infrastructure, squash bit torrent activity, create and enforce flexible user policies and support educational initiatives. “We thought Palo Alto Networks was a great, perfect fit,” says Janzen.
The district purchased and installed 20 Palo Alto Networks PA-200 next-generation firewalls at its elementary schools, seven PA-2050s at its main data center, and a PA-500 for its two high schools. Each firewall comes fully licensed with threat prevention and URL filtering. By adding a PA-200 in each remote site, all internal traffic tunnels through the district’s WAN links and is then forwarded locally to its ISP.
The next-generation firewalls allowed the School District of Chilliwack to seamlessly move to a distributed network and resolve its bandwidth issues. Their visibility enables application usage policies that let it control how its bandwidth is used. Internet access and availability improved dramatically. “We’ve shaved off at least 30 percent of our traffic by reconfiguring our infrastructure, reducing bit torrent activity and identifying excessive usage,” says Janzen. “We no longer have significant issues with network slowness.”
Bit torrent traffic ceased to plague the district. “In the past we didn’t have any control over access, so we’d try to block certain ports and students would find ways around it,” says Janzen. “Now we have the visibility to control applications. This enhances security and alerts us to traffic concerns.”
Another benefit the district realized by deploying Palo Alto Networks is reduced costs. “It’s now easy to troubleshoot problems and fulfill requests like blocking Facebook, which saves us time,” says Janzen. The district also anticipates saving significant money on network administration. “Once we finish creating VPNs between all of our sites we’ll consolidate servers at our main site,” says Janzen. “Then we’ll take an app that’s installed locally on a server and through a VPN connection let everyone connect to it. That will save us 20 servers on the elementary schools alone.” According to Janzen, with each server costing the district approximately US$3,000-$4,000 per site, that’s an estimated US$60,000-$80,000 in annual savings.
The district’s IT team expects additional savings on administration costs. “We plan to purchase Palo Alto Networks’ Panorama product to centrally manage all of our firewalls from one location,” says Janzen. “This will reduce the time it takes technicians to update and monitor all the firewalls.” Panorama is a centralized security management system that provides global, centralized control over a network of Palo Alto Networks firewalls including logging, reporting, policy management and all aspects of devices and/or virtual systems under management.
Deployment was easy. “We set up our first firewall and then replicated a snapshot of it to each additional firewall, changed the gateway and IP address and created a VPN session,” says Janzen. “Deployment was rapid and flawless.” The district’s IT team set up all 27 firewalls without having to make a single call to technical support. “Palo Alto Networks firewalls are so intuitive and easy to use,” he says. “Just login and click on a tab to get the information you need or change a setting. It’s simple.”
The distributed deployment and policy-based features of Palo Alto Networks next-generation firewalls, combined with their unmatched visibility and application control, enabled the School District of Chilliwack to increase security and free up bandwidth. Janzen and his colleagues are pleased with the results. “I just recommended Palo Alto Networks to another school district,” Janzen says. “They will solve the issues every school district deals with like the need to monitor which student is generating which traffic, bit torrent downloads and controlling applications. The firewalls’ feature set is rich and everything works really well.”
“Palo Alto Networks helped us eliminate our exposure to BitTorrent and other security risks, save resources and prepare for more users,” adds Jameson. “The efficiencies of Palo Alto Networks firewalls helped us get our issues under control.”
“We were told to do more with less and build a secure, rock solid and more user-friendly network,” says Moss. “We did that with Palo Alto Networks next-generation firewalls—if we tried to rip them out and go to another solution there would be a massive rebellion.”
“Before Palo Alto Networks we’d block certain ports and students would find ways around it. Matching a user name and IP address with Active Directory is so helpful. Palo Alto Networks firewalls are multi-faceted application-based firewalls that effectively control applications.”