As one of the largest civilian agencies in the U.S. federal government, this agency serves a sizable citizen population and hundreds of thousands of employees with many regional facilities throughout the nation.
Several years before its more recent expansion, the agency had chosen the Palo Alto Networks Security Operating Platform to consolidate its network security operations and improve threat prevention. The agency originally chose Palo Alto Networks for web content filtering but quickly discovered it could replace more than 80 existing security appliances – including web filtering devices, antivirus scanners, firewalls, load balancers and caching servers – with eight Palo Alto Networks PA-5060 next-generation firewalls.
With one-tenth as many devices to manage, lower power consumption and integrated security features behind a single management interface, the agency greatly reduced its network operational overhead. It also quickly discovered many threats that its previous vendors' products had not detected. Over time, the agency grew its Palo Alto Networks footprint to 16 appliances.
Growing the Agency and Increasing SSL Traffic
As it pursued the right product to protect itself from cyberattacks, the agency was growing, as was its network traffic – particularly encrypted traffic. Over three or four years, the share of SSL-encrypted traffic it saw rose from less than 30 percent to more than 70 percent. Combined with growth in overall traffic volume, this left the agency unable to inspect its encrypted traffic at the internet edge without an unacceptable loss of performance.
At the same time, the agency was planning architectural changes to its network to support the Trusted Internet Connections, or TIC, Initiative. It turned again to Palo Alto Networks for options.
Securing Trusted Internet Connections
After testing, Palo Alto Networks recommended the PA-7080, which scales to more than 100 Gbps of throughput with the Threat Prevention subscription enabled and can grow its capacity as additional processing hardware becomes available. A high-performance appliance at the internet edge let the agency continue consolidating internet traffic into its existing TIC gateways and simplify the monitoring of external network connections, meeting TIC requirements. With URL Filtering, Threat Prevention and WildFire® malware prevention service subscriptions, the agency kept the same level of protection its previous appliances provided, at much higher performance. This also enabled the agency to start decrypting the large share of encrypted internet traffic traversing its network.
Because SSL decryption is built into Palo Alto Networks appliances, the agency gained in-line decryption without the additional cost, latency and management overhead that dedicated SSL decryption appliances and load balancers introduce. With the SSL Decryption Broker feature, the agency decrypts SSL traffic in-line and can also forward copies of the decrypted traffic to its network forensics team and its data loss prevention appliances. The forensics team uses this visibility to find threats hidden in encrypted traffic, which in turn lets the network security team tighten policies at the internet edge. Since those decrypted copies carry the cleartext of user sessions, the path to the forensics and DLP systems is itself sensitive and warrants the same access controls as the firewalls.
For more information on how governments can benefit from the SSL Decryption Broker feature, read the “SSL Decryption Broker for Federal Government” blog post.
Whitelisting by Application Reduces Risk of Threats
Because the agency holds data at several levels of sensitivity, it takes steps to reduce the chance of threats infiltrating its network. One way to do this is to limit which applications may traverse the network. Like many organizations, the agency has a certain amount of "shadow IT." Palo Alto Networks App-ID™ technology, another feature built into all of the appliances, identifies thousands of applications, including software-as-a-service applications, making it straightforward for agency security teams to see which applications are on the network, how they are being used and by whom.
As a first step, the agency catalogued which applications each department needed to function, then began selectively blocking certain high-risk, nonessential applications, such as file transfer applications the agency had not sanctioned. Eventually, the agency moved to full application whitelisting: only the catalogued, sanctioned applications are permitted and everything else is denied by default, so employees can do their jobs without adding unnecessary risk.
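The two phases described above behave differently when a new, uncatalogued application shows up: a blocklist lets it through, an allowlist stops it. The following is an added illustration, not code from the case study or a Palo Alto Networks product: it evaluates a handful of constructed App-ID-style records (department, application, user) against a first-match blocklist rulebase and against an allowlist rulebase generated from the department catalog. The department names, application names (including the hypothetical "newcloudshare" shadow-IT app) and the sanctioned set are assumptions made for the example.

```python
"""
Added example (not from the case study): staged application whitelisting.

Phase 1 blocks known unsanctioned applications and allows everything else.
Phase 2 allows only the catalogued, sanctioned applications per department
and denies everything else by default. The sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records in (department, application, user) form,
# standing in for App-ID traffic logs. Not real agency data.
SAMPLE_LOGS = [
    ("finance", "web-browsing", "alice"),
    ("finance", "ssl", "alice"),
    ("finance", "ms-office365", "bob"),
    ("hr", "web-browsing", "carol"),
    ("hr", "bittorrent", "dave"),              # unsanctioned file transfer
    ("engineering", "ssh", "erin"),
    ("engineering", "ftp", "frank"),           # unsanctioned file transfer
    ("engineering", "newcloudshare", "grace"), # hypothetical shadow-IT app
]

# Assumed policy decision: which catalogued applications the agency sanctions.
SANCTIONED = frozenset({"web-browsing", "ssl", "ms-office365", "ssh"})


@dataclass(frozen=True)
class Rule:
    name: str
    depts: frozenset   # departments matched; empty set means any
    apps: frozenset    # applications matched; empty set means any
    action: str        # "allow" or "deny"


def catalog_by_department(logs):
    """Step 1: which applications each department actually uses."""
    seen = defaultdict(set)
    for dept, app, _user in logs:
        seen[dept].add(app)
    return {dept: sorted(apps) for dept, apps in seen.items()}


def evaluate(rules, dept, app, default_action):
    """First-match rulebase evaluation with an explicit default action."""
    for rule in rules:
        if (not rule.depts or dept in rule.depts) and (not rule.apps or app in rule.apps):
            return rule.name, rule.action
    return "default", default_action


# Phase 1: block specific high-risk, nonessential apps; allow the rest.
BLOCKLIST = [
    Rule("block-unsanctioned-file-transfer", frozenset(), frozenset({"bittorrent", "ftp"}), "deny"),
    Rule("allow-everything-else", frozenset(), frozenset(), "allow"),
]


def build_allowlist(catalog, sanctioned):
    """Phase 2: one allow rule per department, limited to catalogued apps that
    are also sanctioned. Anything not matched falls to the default deny."""
    rules = []
    for dept, apps in sorted(catalog.items()):
        permitted = frozenset(app for app in apps if app in sanctioned)
        rules.append(Rule(f"allow-{dept}", frozenset({dept}), permitted, "allow"))
    return rules


def compare_phases(logs, sanctioned):
    """Map each (department, application) pair to its (phase 1, phase 2) action."""
    allowlist = build_allowlist(catalog_by_department(logs), sanctioned)
    outcome = {}
    for dept, app, _user in logs:
        _, phase1 = evaluate(BLOCKLIST, dept, app, "allow")
        _, phase2 = evaluate(allowlist, dept, app, "deny")
        outcome[(dept, app)] = (phase1, phase2)
    return outcome


if __name__ == "__main__":
    for (dept, app), (p1, p2) in sorted(compare_phases(SAMPLE_LOGS, SANCTIONED).items()):
        print(f"{dept:12} {app:14} blocklist={p1:5} allowlist={p2}")
```

The point to notice is the "newcloudshare" record: the blocklist never heard of it and allows it, while the allowlist denies it because it was never sanctioned. The allowlist also scopes applications to the departments that need them, so "ssh" from the HR department is denied even though engineering is allowed to use it.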
The agency maintains high-availability pairs of PA-7080 next-generation firewalls at each TIC gateway and inspects all traffic to and from the internet. Employee traffic is load-balanced by geography across multiple geographically distributed TIC gateways. The remaining two PA-7080s are reserved for lab testing. The agency also uses Panorama™ network security management for nightly configuration backups and custom reporting. A Palo Alto Networks technical account manager and a resident engineer work with the agency's IT and security staff to keep this large deployment running smoothly.