Wide area network (WAN) operations should include more than security management, but one global telecom operator drowning in thousands of firewall requests for its data centers around the world found little time to do much else. Deploying a group of next-generation firewalls allowed IDT Corp. to decommission dozens of weak legacy firewalls and simplify WAN security management.
"It was almost in the first week of accepting this responsibility that I realized something had to change," said Golan Ben-Oni, senior vice president of network architecture at IDT, a Newark, N.J.-based global voice and calling card services provider that has also branched out into energy supply services. "I was getting frustrated with having to maintain this massive body with all these configuration rules…. I had a staff of eight just dealing with firewall rules, and it wasn't appropriate."
While shopping around for a WAN security management solution about a year ago, Ben-Oni heard one vendor repeatedly try to position itself above a competitor he had never heard of: Palo Alto Networks. The next-generation firewall vendor's name had come up so many times that Ben-Oni figured it would be worth looking into them.
Seven days into his trial with Palo Alto, Ben-Oni was sold.
"In the course of the first week, I had gotten more done than I had in months and months," he said. "Once I was able to get the Palo Alto [firewalls] in, I was able to return to my normal job and get some sleep at night."
Traditional firewalls fail when they rely only on port or protocol information to identify and moderate applications on the network, according to Chris King, Palo Alto's director of product marketing. Palo Alto's firewalls have application-layer visibility into WAN traffic.
As some enterprises gave up entirely trying to manage access to so many applications as Internet use grew more widespread, third-party developers were engineering scripts to allow their apps to walk around firewalls, King said.
"The firewall didn't evolve the way applications evolved," he said. "We're able to control applications by [identifying] the app itself, not by some approximation like port."
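The contrast King draws, identifying an application from what it actually sends rather than from the port it uses, is easy to see in miniature. The following is an added illustration, not code from the article or from Palo Alto Networks (whose App-ID signatures are far richer than this), that classifies a handful of constructed flows both ways and reports where the two disagree; in a defender's workflow, those disagreements are the "app on an unexpected port" cases a port-only firewall would have waved through.

```python
"""Port-based vs. application-layer flow identification (illustrative only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One client-to-server flow: endpoints, destination port, first client bytes."""
    src: str
    dst: str
    dport: int
    payload: bytes


# What a legacy, port-only firewall assumes each port carries.
PORT_TABLE = {80: "web-browsing", 443: "ssl", 22: "ssh", 6881: "bittorrent"}

# Opening tokens that mark an HTTP request regardless of the port used.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_by_port(flow: Flow) -> str:
    """The legacy approximation: label the flow by destination port alone."""
    return PORT_TABLE.get(flow.dport, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """Application-layer identification from the first bytes the client sends.

    These are simplified, hypothetical signatures for illustration only.
    """
    p = flow.payload
    if p.startswith(b"SSH-"):                       # SSH protocol banner
        return "ssh"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:  # TLS handshake record header
        return "ssl"
    if p.startswith(HTTP_METHODS):                  # plaintext HTTP request line
        return "web-browsing"
    if len(p) >= 20 and p[0] == 19 and p[1:20] == b"BitTorrent protocol":
        return "bittorrent"                         # BitTorrent peer handshake
    return "unknown"


def find_mismatches(flows):
    """Return flows whose real application differs from what the port implies."""
    out = []
    for f in flows:
        by_port = classify_by_port(f)
        by_app = classify_by_payload(f)
        if by_app != by_port:
            out.append((f.src, f.dst, f.dport, by_port, by_app))
    return out


# Constructed sample flows (addresses from documentation ranges, payloads hand-built).
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.10", 443, bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01])),
    Flow("10.1.1.6", "203.0.113.11", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("10.1.1.7", "203.0.113.12", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.1.1.8", "203.0.113.13", 80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),
]

if __name__ == "__main__":
    for src, dst, dport, by_port, by_app in find_mismatches(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  port says {by_port!r}, payload says {by_app!r}")
```

The first two flows look the same either way; the third and fourth are SSH carried over 443 and BitTorrent over 80, which a port table labels as ordinary web traffic and a payload-aware classifier does not. A real next-generation firewall applies the application label to its policy decision, so "allow web-browsing on 80" no longer implicitly allows everything else that chooses that port.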
Next-generation firewalls replace dozens of legacy firewalls
With 16,000 users scattered among IDT's global offices and with millions of customers using its network, the IDT networking team had been unable to keep up with the ballooning number of requests to set up new firewalls or reconfigure the dozens of existing ones it used in its data centers and smaller data facilities around the world.
But using Palo Alto's next-generation firewalls enabled Ben-Oni to decommission dozens of weak firewalls and replace them with fewer, more intelligent ones that revealed more about user and application behavior.
"In addition to replacing firewalls on a multi-to-one basis, I was also able to replace other products on the network," he said. "My ability to manage [WAN security] is considerably easier now and my visibility is considerably better."
Just within one data center at the company's corporate headquarters, Ben-Oni decommissioned 24 devices -- eight pairs of firewalls, three pairs of VPN concentrators and a pair of Internet proxy servers -- leaving four Palo Alto next-generation firewalls.
Between IDT's two other U.S. data centers, 10 firewalls remain. The Palo Alto solution also recently enabled IDT to consolidate one of its 10 data centers, Ben-Oni said.
Palo Alto's management tool, the Application Command Center, clearly presents warnings and queries in a simple user interface, King said. The interface enables administrators to see the top 100 applications being used, the 50 riskiest apps on the network, and which end users are accessing them the most.
For IDT, the interface also relieves "the drudgery of having to go through thousands and thousands of lines of code versus being able to visually represent it and see what you want," Ben-Oni said.
"I've never been addicted to a device," he added. "But it's just that good. You just want to play with it all day."
After seeing how much non-work-related Web browsing and applications were consuming the network, Ben-Oni sent a friendly alert to employees about a new technology that offered "really great reporting in how our network is being used." When he ran the report the next day, non-work-related activity had plummeted.
"Just the threat of this device causes people to react," he said.
The intrusion prevention system within the Palo Alto firewalls revealed that IDT's other WAN security products were not up to snuff, Ben-Oni said.
"It also made me realize that my other vendors are not doing a good job -- like my antivirus vendors," he said. "Now, my firewalls are telling me about machines that are infected that my antivirus software hadn't picked up."
Jessica Scarpati, News Writer