A leading design, engineering, and construction firm, The Weitz Company has offices and jobsites across the United States, all requiring reliable, secure access back to applications and data in the corporate data center. With growing use of SaaS applications, backhauling both corporate and internet traffic resulted in bandwidth constraints on the company’s MPLS network. Moreover, its legacy managed firewall was aging and lacked visibility. When Weitz decided to break out internet traffic directly from its branches and jobsites, visibility and control got even worse.
Meanwhile, end-user laptops were being infected with ransomware on a weekly basis. As Weitz looked to replace its managed firewall, the company discovered that the Palo Alto Networks Security Operating Platform could deliver next-generation network security correlated with advanced endpoint protection and integrated threat intelligence to address its security needs from end to end. By consolidating on the Palo Alto Networks platform, Weitz projects savings of over $200,000 while eliminating successful malware attacks and enabling consistent security enforcement from the data center to branches and distributed jobsites.
Security That Goes Far Beyond a Firewall
From one end of the U.S. to the other, The Weitz Company is making its mark on the construction industry. Whether a senior living facility in Washington, a scientific research laboratory in Florida, or university halls, hotels, office buildings, industrial plants, or virtually any other type of structure in between, this leading general contractor, design-builder and construction manager demonstrates for all to see why it’s renowned for innovation and meticulous attention to detail.
Planning and managing large commercial or industrial construction projects requires carefully orchestrated logistics, clear communications, and reliable access to project files and business tools. Traditionally, Weitz backhauled data traffic from branches and jobsites across an MPLS network to the corporate data center in Des Moines, Iowa, for access to project files and the internet—all secured through a managed Cisco ASA firewall. This approach worked well enough when most data resided on corporate servers, but as more and more services were pushed to cloud applications like Box and Salesforce®, the MPLS network became bandwidth constrained.
To alleviate the bandwidth issues, the company built IPsec tunnels to split traffic so branches could break out locally to the internet and use the MPLS network only for accessing the data center. However, this technique limited visibility and control of the traffic, exposing security risks. Controlling traffic coming in from jobsites was even more challenging. Projects are always starting up and shutting down in different markets, and may require network access for as little as a few months or as long as several years. Keeping tabs on traffic coming into and going out of these remote sites was nearly impossible.
Meanwhile, the managed ASA firewall was running out of life. Finding a replacement fell on Weitz System Administrator Owen Fuller. But he saw the need for more than just a simple device upgrade. “Our entire network topology had changed, and a traditional firewall wasn’t going to do the job anymore. We needed a next-generation approach to network security.”
Fuller narrowed his search to SonicWall, Fortinet, and Palo Alto Networks, and dug into a deeper evaluation. “I wear many different hats and wanted something that I could rely on without a lot of hand-holding,” he notes, “Palo Alto Networks stood out because they offered the advanced security capabilities we needed with intuitive management that I could come back to anytime and immediately know what to do.”
He also liked that the Palo Alto Networks Security Operating Platform integrated seamlessly with Weitz’s Aruba networking equipment. But there was another big factor that drew Fuller to the Palo Alto Networks platform: advanced endpoint protection that is integrated and coordinated with network security. Turns out, the company’s McAfee antivirus software was missing a lot of cyberattacks, and infections were rampant.
With its multimethod, preemptive approach, Traps™ advanced endpoint protection offered Fuller an attractive alternative to traditional antivirus. “Given the speed that new exploits come out, we can no longer rely on signature-based approaches to endpoint protection. In this day and age, you need techniques like threat intelligence and machine learning to stay ahead of the threats.”
Stronger Security with Dramatic Cost Savings
Ready to put the Palo Alto Networks platform through its paces, Fuller embarked on a proof of concept (POC) that included both network security and advanced endpoint protection. Fuller found this to be an easy process as well as an opportunity to ensure that Palo Alto Networks lived up to his expectations for technical support.
“I liked that we could get our hands on the equipment and have a direct experience with the support organization,” Fuller says. “One thing I emphasized from the start was if your support isn’t good, I don’t care how good your product is.
“We were really happy with how simple the Palo Alto Networks platform is to manage,” he said. “Traps, in particular, was very easy to set up, and out of the box it just worked. Then seeing how we could use Panorama to take the logs from the Endpoint Security Manager and correlate that data with the next-generation firewalls—it was a no brainer to go with this platform approach.”
While Fuller and his team were convinced, the next challenge would be to convince senior management to make the investment. However, any concerns about that quickly disappeared when Fuller presented the business case. By deploying the Palo Alto Networks platform in its data centers and at each branch location, the company could eliminate the need for its MPLS network, instead using IPsec tunnels on commodity internet links. In addition, Weitz no longer needed separate antivirus software or its Websense content filtering since the Palo Alto Networks Security Operating Platform provides complete, end-to-end security.
“The cool thing was when we were trying to sell this project internally, I could show management a five-year savings of over $200,000 by consolidating on the Palo Alto Networks platform. These were hard dollar savings, and we’d be much more secure. Plus, we’d have more bandwidth at the branches because we could go purely with IPsec tunnels over the internet. It was about a 15-minute meeting with the executives.”
Simplifying Network and Endpoint Security Across a Shifting Landscape
With the POC a success, and having full buy-in from the executive team, Fuller rolled the POC directly into production. Today, Weitz has a high availability pair of PA-3050 nextgeneration firewalls in its corporate data center, with PA-220 next-generation firewalls now the standard at each branch. Traps is deployed to 1,200 endpoints across the company. Weitz also takes full advantage of platform subscriptions for Threat Prevention, URL Filtering, GlobalProtect™ network security for endpoints, and WildFire® malware prevention service.
“When we learned about WildFire, that was pretty cool,” Fuller remarks. “The idea that WildFire proactively analyzes whether something really is a threat or not gives us that extra layer of protection and reduces false positives. I’ve heard of other companies that took several hours or even a day to resolve whether a file was safe, but WildFire turns around results in five minutes. That’s the kind of responsiveness you need when you’re trying to run a business.”
In addition, Fuller and his team created a unique approach to outfit the company’s jobsites, which are in constant flux, with secure IT services. The result is what Fuller calls a “jobsite-in-a-box”—a ruggedized case with a rack of physical servers, hypervisor to run virtual machines, power supply, and networking. Fuller also includes a VM-50 virtualized nextgeneration firewall to secure this self-contained, mini-cloud.
Just like the permanent branch locations, the jobsite-in-a-box connects back to the corporate data center and out to the internet across split IPsec tunnels, with the same security policies consistently applied and enforced.
“Using the virtualized next-generation firewalls for our jobsites allows us to be very consistent with our security policies,” says Fuller. “We can create a configuration template in Panorama and apply that as easily to the jobsite as we can to a branch or the data center, so we know policies are enforced across the board. Threat detection and prevention happen regardless of where people connect to our network.”
Confidence That Everything Is Under Control Regardless of Location
Since deploying the Palo Alto Networks Security Operating Platform, Fuller reports that among the biggest benefits are increased visibility and having direct control over security, compared to the previous managed services. “We can now see what’s happening on the network. For example, if there are blocked attempts to hit a URL that’s not in a safe category, we have the flexibility to split-tunnel a jobsite or office without worrying about where the traffic is going. The Palo Alto Networks platform gives us confidence that everything is under control.”
In addition, Traps advanced endpoint protection has virtually eliminated incidents of ransomware and other malware from disrupting end users and taxing service desk staff. In fact, endpoint infections have dropped from one or more per week to zero since implementing Traps.
“We used to have a running joke about who the next victim would be,” Fuller quips. “The difference Traps made was almost instantaneous.
“Our service desk people are stretched pretty thin as it is, and cleaning up ransomware could take them days,” Fuller adds. “That’s valuable time we’ve been able to give them back and avoid a lot of lost productivity for our end users.”
As The Weitz Company continues its work across the United States, Fuller is confident he can maintain consistent security across additional locations and jobsites. The key is having a standardized security infrastructure built on the Palo Alto Networks Security Operating Platform, easily managed centrally through Panorama™ network security management.
“It’s very helpful to know I don’t have to start from square one every time. Instead, I can use templates in Panorama to push out configurations and policies. Panorama is my single source of truth, which saves time and avoids configuration errors when bringing on a new site. That’s critical for the company to grow, knowing that the infrastructure is secure.”