at a glance

OVERVIEW
Warren Rogers Associates pioneered the development of Statistical Inventory Reconciliation Analysis (SIRA) and Continual Reconciliation for monitoring underground fuel tanks and associated lines. These methods are certified in accordance with EPA requirements and have been used by petroleum marketers for more than 25 years. Today, Warren Rogers specializes in statistical analysis and precision fuel system diagnostics for the retail petroleum industry and develops innovative ways to identify and combat fuel shrinkage and theft.

CHALLENGE
Achieve PCI compliance for thousands of remote data collection devices at fueling stations by segmenting traffic and preventing malicious network traffic from penetrating the company’s cloud-based corporate data center.

SOLUTION
Palo Alto Networks® Next-Generation Security Platform deployed in Amazon Web Services (AWS) to segment network traffic coming from thousands of remote data collection devices, prevent malicious traffic from infiltrating fuel system diagnostics and reporting systems, white-list applications and services, and segment cardholder data to ensure PCI compliance in the company’s cloud-based data center.

SUBSCRIPTIONS
Threat Prevention, GlobalProtect™

APPLIANCES
VM-300 (8)

RESULTS

  • Ensures PCI compliance by guaranteeing that customer cardholder data is not collected on the Warren Rogers network
  • Saves hours of administration time with single-point policy management
  • Increases availability with multiple virtualized gateways in the AWS Cloud
  • Prevents cyberthreats from infiltrating the cloud-based data center
  • Streamlines onboarding of new customers with uniform security approach

Story Summary
As an industry leader in retail fuel monitoring and diagnostics, Warren Rogers Associates (Warren Rogers) manages thousands of data collection devices installed at service stations across the U.S. Because these devices reside alongside its customers’ business systems that handle credit and debit card data, Warren Rogers had to guarantee it would prevent cardholder data from being collected to ensure PCI DSS compliance.

By deploying Palo Alto Networks Next-Generation Security Platform with VM-Series next-generation virtualized firewalls and GlobalProtect gateways in AWS, Warren Rogers created a PCI-compliant network that automatically blocks cardholder data from other network traffic. With the virtualized Palo Alto Networks platform deployed in multiple Amazon Web Services (AWS) regions, Warren Rogers also achieves disaster resilience to ensure continuous availability of threat prevention and secure gateway services while simplifying day-to-day administration and onboarding of new customers as the business expands.

A new industry is born
In 1979 Warren Rogers invented the fuel monitoring industry. The brainchild of cofounders Dr. Warren Rogers and Jill Jones, the company has continued to be a pioneer and leader in fuel storage and management to this day.

Today, Warren Rogers continuously monitors underground tanks and lines at thousands of retail fuel stations across the U.S. Using advanced statistical analysis and system diagnostics, the company ensures the accuracy of all consumption readings and proactively identifies tank systems at risk of leaks, illegal siphoning, or other potentially hazardous situations. These services are important to station owners grappling with tight margins in a fluctuating petroleum market and critical to avoiding disastrous environmental impacts and costly fines.

To serve its customers with valuable insights, Warren Rogers installs remote data collection devices on each fuel station’s local network. These devices are minimally configured network appliances called “On Site Processors” (OSPs). The OSPs collect data from every dispenser, tank and line at the station, and transmit it back to the Warren Rogers data center for analysis and reporting.

Traditionally, Warren Rogers used standard encryption methods for real-time data transmission to its data center and occasional client VPN access to maintain the OSPs. Sometimes an OSP resides on the same local network as the station’s payment processing systems. In this case, the Payment Card Industry Data Security Standard (PCI DSS) potentially brought the OSP into scope for PCI DSS assessments, even though the OSP does not handle cardholder data. Therefore, Warren Rogers took the initiative to make its OSPs PCI-compliant by ensuring that cardholder data is not collected, regardless of how the OSP is deployed within the local network.

Warren Rogers was determined to find a solution that met the following criteria:

  • Encrypts all data communication and ensures that the encryption methodology is always current and uses best security practices
  • Uses the inherent capabilities of AWS
  • Provides the ability to scan, alert, and block any traffic containing cardholder data
  • Scales to accommodate a growing population of OSPs

Virtualized firewall security in the AWS cloud
After researching potential vendors, Warren Rogers found the Palo Alto Networks Next-Generation Security Platform to be the best fit for its unique business requirements. Consisting of Next-Generation Firewalls, Threat Intelligence Cloud services, and Advanced Endpoint Protection, the Palo Alto Networks platform also offered another key feature: cloud support.

Warren Rogers deployed eight Palo Alto Networks VM-300 virtualized next-generation firewalls in a “hub-and-spoke” network topology, with advanced threat prevention features configured on each firewall. The hub is one VM-300 virtualized firewall deployed at the company’s data center in AWS, where it acts as the primary secure gateway for all outside network traffic and the company’s internal business operations.

The spokes are multiple “satellite” VM-300 virtualized firewalls deployed across AWS regions and Availability Zones. All of these virtualized firewalls are configured with GlobalProtect gateways that pass their traffic to the hub over secure IPsec tunnels. With built-in host identity profile (HIP) checking, GlobalProtect gateways enable Warren Rogers to securely and accurately control traffic to and from its OSPs.

Warren Rogers also installed GlobalProtect clients on thousands of OSPs. The GlobalProtect client establishes a secure connection to the closest satellite firewall. This ensures end-to-end security of fuel data transmitted from the OSPs to the satellite firewall and through to the company’s primary AWS-based data center.

Matthew McLimans, Computer Engineer at Warren Rogers, remarks, “Palo Alto Networks was the only network security vendor we found that had a platform designed for the cloud. It’s ideal since we can take advantage of AWS’s redundancy to ensure high availability of our virtualized firewalls and GlobalProtect gateways. It makes it easy for us to scale our security platform as we continue to bring on new customers and business ventures.”

Security zones keep data where it belongs
Palo Alto Networks provides Warren Rogers with a single vantage point for segmenting traffic and implementing security policies across all its virtualized firewalls. For example, the company has set up three security zones: one for all data coming from the OSPs running the GlobalProtect client, a second trusted zone for data-receiving servers in its data center, and a third Internet zone for outbound traffic to trusted resources such as Microsoft Update servers.

Segmenting traffic using security zones proved especially important for achieving PCI compliance. This ensured that no cardholder data intermingled with other traffic on the same network, effectively keeping the company’s network out of PCI scope for its customers. In addition to security zones, Warren Rogers also defined data filtering profiles in the virtualized next-generation firewalls to automatically block any traffic coming from the OSPs that may contain cardholder data.

“The VM-Series next-generation firewall and the features of GlobalProtect have helped us with our PCI compliance,” says McLimans. “They give our customers reassurance that we don’t collect cardholder data, which makes them more comfortable working with us. In fact, our customers are impressed with the security measures we have put in place. Our security initiative with Palo Alto Networks has elevated our reputation within the industry as a security-conscious organization.”

Universal policy management from one vantage point
Threat prevention brings another vitally important benefit to Warren Rogers. With a growing number of OSPs transmitting fuel data across the country, the threat of cyberattack is always a concern. Infiltration of malware or a breach at a customer retail site could lead to serious problems in the company’s data center, potentially affecting business operations and impacting both revenue and reputation.

“We’re confident that the Palo Alto Networks platform is protecting our business in AWS,” McLimans affirms. “We can implement very granular security policies and have greater visibility into our traffic. With Palo Alto Networks, we can see how much data is coming from each site, what kind of data it is, and if the data contains malicious content, protecting Warren Rogers and our customers.”

Policies also dictate user privileges for accessing OSPs remotely through the Palo Alto Networks platform. Only authorized users specified within defined groups are allowed network access to the OSPs. No other traffic is allowed, thus limiting access to only those users with proper credentials. Moreover, every action taken by authorized users is logged to provide a full audit history.

“We know which employees are accessing our protected servers, and when they are accessing them,” notes McLimans. “This is just another big benefit of the Palo Alto Networks platform as it gives us the ability to generate audit reports for our compliance.”

Stronger security made simple and efficient
Administration of the secure environment is now easier and more efficient because policies implemented on the company’s primary virtualized firewall in the data center are automatically reflected at each of the satellite gateways. In fact, the entire network configuration is simpler.

In the past, Warren Rogers required its customers to provide a VPN connection for remote access to the OSPs. However, this became an administrative nightmare because each customer had its own methodology and best practices. A typical configuration also required customers to open additional ports on their network for live data transmission from the OSPs. Now, with the Palo Alto Networks platform in AWS, all communication between the data center and the OSPs is conducted over a single, secure network connection via GlobalProtect, greatly simplifying the configuration over the previous approach.

“Palo Alto Networks eliminated a lot of headaches and saved us hours of administration overhead,” declares McLimans. “Instead of managing multiple VPNs for each customer, our service techs have a common interface for accessing each OSP. We can manage running services and applications through GlobalProtect’s HIP checks. We can direct our traffic through GlobalProtect to a specified server behind our firewall. Palo Alto Networks always provides the newest encryption methodologies, which keeps our compliance efforts ahead of the curve. It’s simpler for everyone, but most important, it’s more secure.”

Disaster resilience ensures business continuity
By running the Palo Alto Networks platform in AWS, Warren Rogers gained additional advantages, such as availability and disaster resilience. Having virtualized firewalls with GlobalProtect in multiple AWS Regions and Availability Zones assures Warren Rogers of maintaining secure and compliant connectivity with its customers in the event of an outage at any one of the AWS sites.

With GlobalProtect, every OSP connects to multiple virtualized next-generation firewalls, automatically using the best available connection. However, in a disaster recovery scenario where connections to the best firewall are not available, the GlobalProtect client on the OSP will automatically fail over to another firewall in a different AWS Region to maintain secure connectivity.

McLimans notes, “This kind of uptime assurance enables us to maintain a continuous and secure flow of data coming in from the OSPs. So, if our monitoring system detects a catastrophic leak or some other emergency at one of our customers’ stations, we can provide our services reliably and alert them.”

As Warren Rogers continues to expand its business, the Palo Alto Networks platform also helps the company onboard new customers.

“Every customer is different in the way they implement our OSP at their fueling locations,” McLimans points out. “The Palo Alto Networks platform provides a uniform approach for implementing security regardless of where the OSP sits on their local network. Palo Alto Networks is also a brand our customers recognize as a leader in the security market, which makes everyone more comfortable.”

He concludes, “Palo Alto Networks is providing value well beyond addressing our initial need for PCI compliance, and we expect that value to continue to grow as Warren Rogers pursues new business opportunities.”


 
