Shining a Light on Security
In manufacturing, limiting costs, satisfying special requests from production units, and protecting IP are key issues. From basic light bulbs to specialized LEDs, the enterprise light company (ELC) has been the world’s foremost maker of light products for one hundred years. As the company grew, so did its number of offices and locations, and the network that connects them all together.
As it evolved alongside the company, ELC’s network became highly decentralized, efficiencies declined, and IT struggled to maintain the level of security and responsiveness it desired. That’s when a chance encounter led ELC’s IT team to test the next-generation firewall from Palo Alto Networks. Learn why the company was so impressed with Palo Alto Networks that it quickly reconfigured its network to standardize security on it.
SPOTLIGHTING IT ISSUES
A massive, global manufacturer with 20,000 users at over 100 sites in 50 countries, ELC must diligently protect its Intellectual Property (IP) and be extremely efficient operationally. This means keeping IT costs down and limiting the time and money it devotes to addressing security concerns.
Most of the company’s traffic is internal, but it provides extranet services for three websites that host catalogs, and supports customer applications and connections with business partners through VPN tunnels. Each branch office connects to the company’s datacenters via MPLS and a local Internet access point. “Our network was highly decentralized with different rules for access at sites,” says ELC’s Corporate InfoSec Officer and Data Protection Officer. “This wasn’t extremely efficient nor as secure as we wanted, and it frustrated traveling staff when they tried to connect.”
NETWORK PUTS IT IN THE DARK
ELC’s decentralized network was cumbersome to maintain, costly, and made it difficult for IT to respond quickly to the needs of the business. “We must keep IT costs down while being highly responsive,” says ELC’s Corporate InfoSec Officer. “In manufacturing, we use a lot of customized applications and get lots of requests for tweaks to policies to accommodate production. Our network is very heterogeneous and has to support a variety of needs. For example, a special banking app may want to talk to other apps, or a service support app a supplier is using to service on-site equipment needs to talk to another app or system.”
The huge, decentralized network with thousands of users distributed across many sites hindered IT’s ability to support the business quickly and efficiently, and to track changes. “In a highly decentralized IT landscape, it was always a challenge to learn things like which VPN router or IT device had been changed,” says ELC’s Corporate InfoSec Officer. Fulfilling business requests was time-consuming and inefficient. “It took a half a day of work to accommodate changes because we had to do global configuration changes manually for 78 proxy servers. At one point we had over 1,000 lines of configuration in our previous firewall solution.”
ELC’s decentralized network, IT management burdens, and lack of network visibility detracted from security. “If something went wrong in India, China, or Brazil, it was impossible to search the log of every proxy server to identify the problem. We couldn’t get a consolidated view to address a threat or infection. We needed visibility and a global view of devices to improve security and make uniform changes, and better protect our IP and business.”
A LIGHT BULB GOES ON
The IT department wasn’t actively looking for a solution to their problems, but a solution found them anyhow. “My boss asked us to meet a friend to hear about a so-called ‘next-generation’ firewall. We weren’t that interested, but we met him anyway and he gave us a demo firewall from Palo Alto Networks. He told us to install it in virtual wire behind our existing Cisco firewall, and then he’d come back in two weeks,” says ELC’s Corporate InfoSec Officer.
The enterprise security platform from Palo Alto Networks consists of a Next-generation Firewall, Threat Intelligence Cloud, and Advanced Endpoint Security. The firewall delivers application, user, and content visibility and control, as well as protection against network-based cyber threats integrated within the firewall through a purpose-built hardware and software architecture. The Threat Intelligence Cloud provides central intelligence capabilities, as well as automation of the delivery of preventative measures against cyber attacks.
Their IT team spent two hours setting up the Palo Alto Networks PA-2050 next-generation firewall. “We let it run for two weeks and it gave us a great overview of our apps, systems, and users,” says ELC’s Security Operations Manager. “Plus, our 1,000 lines of configurations instantly went down to just 75 rules.”
ELC’s InfoSec Officer was equally surprised. “The filtering capabilities let us see exactly what we’re doing in the network, where to allow VPN protocols, and more—so many things were answered in seconds, and we could easily help someone with an app issue in minutes,” he says. “We were totally surprised by the capabilities of a modern security system like Palo Alto Networks. We fell in love with the PA-2050 and told our boss’ friend he didn’t need to take it back, and immediately ordered a second one. It fit so well we didn’t look at any other options.”
FLIPPING THE SWITCH
Within weeks, ELC replaced the legacy firewalls at its main datacenter that protect its primary Internet connection. “The migration to Palo Alto Networks was so smooth it didn’t interrupt our daily work at all,” says ELC’s Security Operations Manager. Next, ELC swapped out its three main firewalls, then decided to replace all 78 of its proxy servers with 56 Palo Alto Networks PA-200 next-generation firewalls. “We calculated that replacing the 78 proxy servers with the PA-200s would be really cost-effective.” ELC also purchased and deployed six PA-5020, two PA-2050, two PA-3020, and five PA-500 next-generation Palo Alto Networks firewalls.
ELC added Panorama from Palo Alto Networks to efficiently and centrally manage all of its firewalls and policies. Panorama, running as a VMware virtual machine, provides centralized management and logging capabilities to easily manage all security platforms from one location and interface, and quickly deploy uniform policies to all devices. ELC also added a subscription to GlobalProtect™, which extends its secure application enablement policies to all users—including mobile—regardless of location or device used for access.
The deployment of Palo Alto Networks was uneventful. “We took out the box, set up an IP, hit a button, clicked and told the person at each local site around the world to remove the cables and proxy servers. No local tweaks were required because the configuration is done globally, and distributed through Panorama. We just clicked and synchronized everything.” ELC is using all the features of the Palo Alto Networks firewalls, including URL filtering (PAN-DB), WildFire, and Threat Prevention including IPS, and uses them as a VPN gateway for employees to access the network.
RESULTS LIGHT UP
Due to standardizing security on Palo Alto Networks, ELC has reaped a variety of benefits. These include better efficiencies and lower IT management costs, increased security, and the ability to satisfy requests for exceptions to rules faster. “With Palo Alto Networks, we deliver better service, more securely, faster, and more accurately, and do so using fewer resources,” says ELC’s InfoSec Officer.
IT is now far more responsive. “It used to take half a day to accommodate changes,” says ELC’s Security Operations Manager. “Now, users can request access to things on their own and get an instant, automatic reply based on our rules, instead of us having to look at each one and decide.”
ELC appreciates Palo Alto Networks’ unique, comprehensive approach to security. “The difference between app- versus port-based firewall security is dramatic. Cisco is totally port-based and difficult to manage, especially on non-standard communication requests. The app awareness of Palo Alto Networks allows us to shrink our rule sets considerably, and gives us information we can read and use. Previously, we couldn’t make anything out of our logs. Now it’s so easy: we just click, look, and understand. It’s like going from zero to 100 kilometers per hour in seconds.”