Kevin Gibson of United Facilities strengthened the logistics company’s security by deploying new WatchGuard firewalls.
Aug 17 2011

Smart Firewalls Equal Smarter Security

Next-generation firewalls give companies more flexibility and control over traffic.

When Kevin Gibson began working for United Facilities about two years ago, he gained IT oversight of one server room and 10 warehouses that the logistics services firm uses to store food products before delivering them to grocers and large retailers across the country. While the products were moving between the warehouses and stores effectively, security, disaster recovery and manageability left something to be desired.

“We were relying on our carrier and some third-party contractors to provide us with a lot of services and tell us what was going on in terms of security, and we needed to take more responsibility for that,” says Gibson, IT administrator for the firm in East Peoria, Ill.

That, along with a confluence of disruptive storms and a lightning strike earlier this year that downed the company’s Internet connections, convinced Gibson and his team that United Facilities needed to revamp its security, failover and management strategies.

These are some of the main reasons why businesses are upgrading to next-generation firewalls, says Jeff Wilson, a principal analyst at Infonetics Research. Unlike earlier models, next-generation firewalls provide a much more granular level of application inspection and control — down to the individual user. In general, these devices also bundle traditional firewall functionality with intrusion prevention, antivirus and protocol filtering capabilities.

“If you want to control threats today in any sort of reasonable way, you need a more intelligent way to manage and control traffic, particularly web traffic,” Wilson says. “That calls for a firewall that has to not only be aware of applications and be able to identify them, but provide granular controls.”

Finding Failover

United Facilities recently installed a WatchGuard XTM 520 firewall in its East Peoria server room, along with WatchGuard XTM 21 models in each of the warehouses. By combining the new firewalls with the Multiprotocol Label Switching the company already had installed, Gibson's team could create VPNs at each site. Finally, the IT group contracted with a second carrier to install a separate network with T-1 lines linking each facility to headquarters. The first network serves as the primary connection for warehouse operations, and the second provides a failover path.

Gibson sought to achieve stronger security, complete failover and improved monitoring and management of warehouse and delivery. On the security front, the WatchGuard firewalls are a big step up from the patchwork of security devices the company had been using. They offer application-layer content inspection, and they block threats better than stateful packet firewalls.

“We developed a series of four internal networks and a series of tunnels for each of them, so we can have secure communications along four different paths from the warehouses to the server room,” Gibson explains. “Now we have the security and infrastructure to be able to monitor everything that’s going on throughout the networks.”

Closely related to security is failover, a must for business continuity. Gibson configured the WatchGuard devices to balance the primary and backup connections, as well as wireless backup solutions.

Finally, overall network management has greatly improved, thanks to the firewalls and the Windows-based WatchGuard System Manager. WSM allows Gibson to manage all appliances from a single console, including configuration, updates and VPN tunneling. IT staff can also use the management tool to validate security policies and monitor traffic in real time.

Achieving Peace of Mind

Control and management were two factors that spurred Erin Desko to replace the firewalls at BGMX Retail Solutions, a Vestal, N.Y., provider of back-end technology for retail stores, convenience stores and gas stations. BGMX’s databases and servers, which manage programs such as loyalty cards and gas points, connect to the cash registers and onsite systems of its clients via VPNs.

The firewalls at headquarters and customer locations were singularly focused on protecting ports and packets, but did not include other functionality such as antispam and antivirus. They also required separate switches and separate software to be able to read system logs. In addition, managing and customizing the older firewalls was challenging.

“It was really difficult to figure out what was going on with the network at the time I needed the information,” explains Desko, BGMX’s chief technology officer. “I used to spend 10 to 15 hours per week going through the [system logs], finding out what websites people shouldn’t be on and trying to figure out where our bandwidth was going.”

In late 2009, Desko decided to completely replace all the firewalls at headquarters, a second backup location and all customer sites. He deployed dual SonicWALL NSA 3500 next-generation firewalls at both company sites; a VPN runs between them. The new firewalls have upgraded failover capabilities, which give Desko more peace of mind. The customers use a SonicWALL TZ 100, TZ 210 or NSA 240 model, depending on size and function. Since implementing the new firewalls, Desko has grown to appreciate the flexibility and manageability.

“I don’t have to wait a day for a system to compile and get the data I need,” he says. “If I want to restrict what sites certain users can access, I can add a couple of rules with a few clicks, and they are applied instantly. I can even set alerts and get them on my BlackBerry.”

Security also has been upgraded. Desko says that is particularly important when working with retail establishments to maintain PCI compliance. “Before, there were a lot of holes hackers could get through that you can’t get through with the new firewalls,” he adds.

Steve Craft