Viewing Palo Alto Networks as a Strategic Network Security Platform

IANS Working Knowledge Series, Case Study, 2010
About Capital Region Health Care (CRHC) and Concord Hospital

CRHC includes Concord Hospital, Concord Regional Visiting Nurses Association, Riverbend Community Mental Health, and related affiliates. Concord Hospital, a regional medical center in Concord, NH, is the second busiest acute care hospital in the state with 295 licensed beds. In fiscal year 2009, there were over 65,000 emergency room visits and 17,194 total admissions. It provides traditional acute-care services in 42 medical specialties and subspecialties.

Quick Read

Capital Region Health Care (CRHC): A regional health care provider with a small but extremely capable IT security team. An audit revealed issues with PCI compliance related to CRHC's firewalls. This led CRHC to look into next-generation firewall solutions. Palo Alto Networks was exactly what CRHC was looking for. CRHC's team liked that Palo Alto Networks is application and user aware. CRHC saw a strong business case for adopting Palo Alto Networks. In addition to helping CRHC be compliant, Palo Alto Networks provides improved security, better visibility, and lower costs.

Palo Alto Networks: Leader in next-generation firewalls. Enables unprecedented visibility and granular policy control of applications and content by user, not just IP address. The company's firewalls accurately identify and control applications regardless of port, protocol, evasive tactic, or SSL encryption, and scan content to stop threats and prevent data leakage. Enables enterprises to embrace Web 2.0 while maintaining complete visibility and control. Provides a platform for consolidating existing devices and reducing the total cost of ownership.

Overview

After CRHC's external auditors expressed dissatisfaction with the organization's existing firewalls, CRHC's information security team explored alternative next-generation firewall solutions. Palo Alto Networks provides exactly what CRHC was looking for.
While the original reason for looking at Palo Alto Networks was PCI compliance, which has been achieved, the benefits provided by Palo Alto Networks far exceed compliance. They include application and user awareness, virtual firewall instances, improved security, improved visibility, and much lower costs due to consolidating devices. Palo Alto Networks was implemented quickly once the CRHC team made the adjustment from port-based concepts to application-based firewall rule sets.

Case Study

CRHC Background

Based in Concord, New Hampshire, Capital Region Health Care (CRHC) is a regional health delivery system. It includes Concord Hospital, which has 3,200 employees, including more than 750 physicians and nurses, at the main campus and more than 10 remote sites.

"Our priority is on the patient side, protecting patient data."

All aspects of information security at CRHC are managed by a small but capable IT security team. Mark Starry manages IT security as well as all enterprise architecture; Mike Goodnow is a senior security engineer who manages all day-to-day ad hoc security requests, including firewall requests, issues with logging, and any issues related to accessing applications. The most significant priority for CRHC's information security team is to support the business by protecting sensitive patient data.
An External Audit Caused CRHC to Seek a New Firewall Solution

In early 2008, CRHC's external auditors (Sage Data Security of South Portland, Maine) conducted a security audit related to CRHC's compliance with industry best practices, HIPAA, and PCI. PCI compliance is important to CRHC, as the organization has a large number of credit card transactions.

"The auditors beat up on our (previous) firewall."

As a result of this audit, CRHC's auditors expressed concern with CRHC's existing firewall solutions, which included ISS (IBM), Juniper, and Check Point. The concerns included that the existing solutions were not standard and some did not support the creation of rules based on the interface. They also did not enable CRHC to adequately segregate its network (as is required by PCI), and the existing firewalls did not provide CRHC the ability to control access to specific applications.

In addition to the compliance concerns, CRHC viewed its existing firewall solutions as expensive and saw them as lacking important security features. One result was that CRHC experienced malicious content coming into its network, mostly because malicious code entered the organization over well-known ports. In some cases this malicious code was injected into business-related applications.

Other than Palo Alto, CRHC quickly determined that all other next-generation firewalls were really just Unified Threat Management systems, with no new technology, just the repackaging of existing technology.

CRHC explored whether its current solutions could address the deficiencies identified in the audit. CRHC concluded that these solutions were not application-aware (and the vendors had no short-term plans to make them application-aware) and did not have adequate compensating controls. The solutions were also expensive. As a result, CRHC decided to explore alternative solutions.
"Since implementing Palo Alto, I have come to the conclusion that a firewall that is not application and user aware provides little value to our organization."

Evaluating Palo Alto Networks

Having concluded that its current firewall solutions were not adequate, CRHC began looking into other next-generation options. CRHC learned about Palo Alto Networks at an IANS Information Security Forum in 2008. CRHC saw Palo Alto Networks as a unique application-aware solution.

"We really liked Palo Alto Networks. We saw it as exactly what we needed. Palo Alto Networks is the only firewall solution that is application-aware. User authorization is based on domain credentials."

At another IANS Forum a year later, CRHC saw that Palo Alto Networks had made significant progress in a short period of time. The improved product supported integration with Active Directory and included URL filtering.

2010 IANS Page 2 of 6
After having seen how much Palo Alto Networks had improved, CRHC decided to bring Palo Alto Networks in for an evaluation in their network. During this evaluation, CRHC confirmed that:

"Palo Alto Networks cares about the application, not the URL. It can track the user to the application. Application awareness is a key."

- Application awareness is critical. The CRHC team had already thought that the concept of application awareness was critical. The ability to evaluate Palo Alto Networks' application-aware product further reinforced this belief. In the evaluation, Palo Alto Networks immediately saw and was able to identify traffic related to 50 applications traversing Port 80. Palo Alto Networks enabled CRHC to see that only about 25% of its traffic on Port 80 came from legitimate applications; the other 75% was not from authorized applications. (This evaluation began in view-only mode, but it would have been possible to also use Palo Alto Networks to block this unauthorized traffic.) CRHC's team views application awareness as Palo Alto Networks' most important feature. Application awareness provides visibility into what applications are running on the network, which yields much greater control.

- Palo Alto Networks helped CRHC become PCI compliant. Palo Alto Networks enabled CRHC to address all of the network security issues that had been raised by CRHC's auditors in regard to PCI. Becoming compliant included using separate virtual firewall instances to segment PCI-related databases and devices from the regular business network. Segmentation can also be achieved by leveraging Active Directory to establish rules for who is authorized to access which applications. (CRHC's auditors have been effusive in their praise of this capability as an excellent compensating control for network segmentation.)

"We set rules so that Palo Alto Networks only allows legitimate web traffic. We have caught tons of stuff [that isn't legitimate]."

In addition, during the evaluation, CRHC learned that Palo Alto Networks:
- Is extremely easy to install. It was up and running in just one day. Mark Starry described Palo Alto Networks as "plug and play." Mike Goodnow said that Palo Alto Networks is at the top of his list when it comes to setup and management.

- Improves security. CRHC saw during the evaluation that, in addition to compliance, Palo Alto Networks' application-aware firewall does everything that an IPS, an antivirus solution, and a traditional firewall do. One way Palo Alto Networks' application-aware firewall works: a rule can be set to identify certain applications and to not allow attachments for traffic related to those applications. For example, Palo Alto Networks can determine if an application is web mail and can then strip off all attachments, which prevents malware from entering the network.
- Has few false positives. The number of false positives in the evaluation was very small and far better than with CRHC's previous solutions.

- Provides great customer service. During the evaluation, CRHC saw how responsive Palo Alto Networks was. Palo Alto Networks' support staff answered the phone immediately and their level of support was outstanding.

The Positive Evaluation Led CRHC to Develop a Business Case to Bring In Palo Alto Networks

"We realized we could use [Palo Alto Networks] to consolidate and take out other appliances. Consolidation means fewer systems and less support. We have saved tens of thousands of dollars."

CRHC's evaluation of Palo Alto Networks led CRHC to conclude that they wanted to purchase Palo Alto Networks. In order to push the transaction forward, the information security team developed a compelling business case outlining the anticipated benefits of the upgrade. This business case had the following components:

- Improved compliance. Palo Alto Networks would improve CRHC's ability to comply with PCI and make compliance easier. Palo Alto Networks was strongly supported by the organization's auditors.

- Improved information security. Along with application awareness, Palo Alto Networks' ASIC-based firewall has all of the capabilities of IPS solutions, antivirus, URL filtering, and traditional firewalls. These capabilities, along with the added control from application awareness, result in better protection. Mark Starry observed that Palo Alto Networks also has many of the capabilities of unified threat management. In addition, Palo Alto Networks would be able to provide real-time visibility over CRHC's perimeter and entire network. It could tell CRHC's information security team exactly what is going on across the network. Having fewer devices means fewer places to look for incidents. Along with increased real-time visibility and good automated reports, CRHC would have more information and greater control, which would mean better security.
- Cost savings. Palo Alto Networks would be able to help CRHC achieve cost savings in the following ways:

  - Through lower licensing and support costs. The cost for CRHC to purchase and maintain Palo Alto Networks would be much less than CRHC's ongoing annual support costs for its existing firewalls.

  - By consolidating devices. Using Palo Alto Networks would enable CRHC to eliminate devices such as URL filtering, antivirus, and IDS/IPS. Having fewer devices would be easier for CRHC to manage (due to less labor) and would save money in ongoing maintenance and support costs for the eliminated products.

  - By switching to a lower-cost MSSP. CRHC had been using IBM ISS as an outsourced managed security service provider (MSSP) for several years to provide 24/7 monitoring of CRHC's network. But IBM ISS was pricey compared to other MSSPs and couldn't handle the logging model that CRHC wanted to implement.
"We view Palo Alto Networks as a strategic network security platform."

    CRHC viewed SecureWorks as a more reasonably priced, more robust managed services solution, and SecureWorks was the only MSSP to support Palo Alto Networks at the time. By adopting Palo Alto Networks it would become possible for CRHC to switch to SecureWorks, which could save CRHC about $50,000 per year while also resulting in improved service.

- Standardization. CRHC had jumped around a bit with multiple firewalls from different vendors. The robustness of Palo Alto Networks would provide a platform that would enable CRHC to standardize.

CRHC Has Adopted Palo Alto Networks and Is Expanding Its Use

The above business case enabled Mark Starry and Mike Goodnow to convince their management to adopt Palo Alto Networks more broadly. (Improved compliance, improved security, and cost savings were difficult for CRHC management to refute.) CRHC now has five Palo Alto Networks devices. CRHC is currently in the process of consolidating and replacing its other devices, phasing out Check Point and Juniper. All new projects are on Palo Alto Networks.

Since implementing these five Palo Alto Networks devices, lessons that CRHC has learned about Palo Alto Networks include:

- It can block Facebook applications. CRHC allows users to look at Facebook, but uses Palo Alto Networks to prevent and block any Facebook applications or APIs.

- It is easy to manage. Palo Alto Networks' user-friendly central management console (called Panorama) makes it extremely easy for a small team like CRHC's to manage its network. CRHC has found that this centralized management console makes it easier to manage Palo Alto Networks than Juniper and Check Point.

- It is extremely fast. Palo Alto Networks boxes support and work well within CRHC's 10 GB infrastructure.

- It has high availability. Because the availability of the Palo Alto Networks boxes is so high, it is possible to take a device offline to make changes and do testing with no packet loss.
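The shift the case study keeps returning to, from port-based to application- and user-based rules, is easiest to see in a small model. The following Python is an added illustration written for this page; it is not code from the case study, from CRHC, or from Palo Alto Networks, and it does not reproduce PAN-OS behaviour. The application names, Active Directory groups, user names and traffic flows are all constructed. It contrasts a single port-based rule ("anything on TCP/80 is web, allow it") with a rule base that decides on the identified application and the user's group: sanctioned web apps pass, web mail passes with attachments stripped, Facebook is allowed while Facebook applications are not, and a PCI database application is reachable only by a PCI admin group, the group-based compensating control for segmentation described above.

```python
from dataclasses import dataclass

# Hypothetical model of an application- and user-aware rule base (added example,
# not PAN-OS code). Apps, groups, users and flows below are constructed.

@dataclass(frozen=True)
class Flow:
    user: str                      # user resolved from domain (AD) credentials
    groups: frozenset              # AD group memberships for that user
    port: int                      # destination port the traffic arrived on
    app: str                       # application identified from the payload, not the port
    has_attachment: bool = False

@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset                # applications matched; "any" matches all
    groups: frozenset              # user groups matched; "any" matches all
    action: str                    # "allow", "deny" or "allow-strip-attachments"
    ports: frozenset = frozenset({"any"})

ANY = frozenset({"any"})

def _member(allowed: frozenset, value) -> bool:
    return "any" in allowed or value in allowed

def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when the app, port and user-group criteria all hold."""
    group_ok = "any" in rule.groups or bool(rule.groups & flow.groups)
    return _member(rule.apps, flow.app) and _member(rule.ports, flow.port) and group_ok

def evaluate(policy: list, flow: Flow) -> tuple:
    """First-match evaluation with an implicit deny, as in a conventional rule base."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def enforce(policy: list, flow: Flow) -> dict:
    """Verdict for one flow, plus whether an attachment was removed from the session."""
    action, rule = evaluate(policy, flow)
    stripped = action == "allow-strip-attachments" and flow.has_attachment
    return {"rule": rule, "allowed": action != "deny", "attachment_stripped": stripped}

def allowed_share(policy: list, flows: list, port: int) -> float:
    """Fraction of the flows seen on `port` that the policy lets through."""
    on_port = [f for f in flows if f.port == port]
    allowed = [f for f in on_port if enforce(policy, f)["allowed"]]
    return len(allowed) / len(on_port) if on_port else 0.0

# Port-based view: everything on TCP/80 is "web" and is allowed.
PORT_BASED = [Rule("allow-tcp-80", ANY, ANY, "allow", frozenset({80}))]

# Application- and user-aware view: decide on the identified app and the AD group.
APP_AWARE = [
    Rule("pci-db-admins-only", frozenset({"mssql-db"}), frozenset({"pci-admins"}), "allow"),
    Rule("webmail-no-attachments", frozenset({"web-mail"}), ANY, "allow-strip-attachments"),
    Rule("sanctioned-web", frozenset({"web-browsing", "ssl", "facebook-base"}), ANY, "allow"),
    # facebook-apps, bittorrent and unknown-tcp have no rule: they hit the implicit deny
]

STAFF = frozenset({"staff"})
SAMPLE_FLOWS = [  # constructed sample traffic, six flows on port 80 and two on 1433
    Flow("alice", STAFF, 80, "web-browsing"),
    Flow("bob", STAFF, 80, "web-mail", has_attachment=True),
    Flow("carol", STAFF, 80, "facebook-base"),
    Flow("carol", STAFF, 80, "facebook-apps"),
    Flow("dave", STAFF, 80, "bittorrent"),                    # peer-to-peer tunnelled over 80
    Flow("eve", STAFF, 80, "unknown-tcp"),
    Flow("frank", frozenset({"pci-admins"}), 1433, "mssql-db"),
    Flow("grace", STAFF, 1433, "mssql-db"),                   # same app, wrong group
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.user:6} port={f.port:<5} app={f.app:14} {enforce(APP_AWARE, f)}")
    print("port-based share allowed on 80:", allowed_share(PORT_BASED, SAMPLE_FLOWS, 80))
    print("app-aware share allowed on 80: ", allowed_share(APP_AWARE, SAMPLE_FLOWS, 80))
```

Run as a script, the port-based rule passes all six port-80 flows, while the application-aware rule base passes three of them and strips the attachment from the web-mail session; the same database application is allowed for the PCI admin and denied for everyone else, which is the kind of decision a port-only rule cannot express. The 25%/75% split the case study reports came from real traffic; the split here is whatever the constructed sample produces.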
About Palo Alto Networks

Palo Alto Networks (paloaltonetworks.com) is the leader in next-generation firewalls, enabling unprecedented visibility and granular policy control of applications and content by user, not just IP address, at up to 10Gbps with no performance degradation. Based on patent-pending App-ID technology, Palo Alto Networks firewalls accurately identify and control applications regardless of port, protocol, evasive tactic, or SSL encryption, and scan content to stop threats and prevent data leakage. Enterprises can for the first time embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation.

About IANS

IANS is the premier membership organization for practicing information security professionals. IANS' mission is to provide key technical and business insights to help members solve their most pressing technical and professional challenges. IANS achieves this mission through a broad offering of services provided to its members: insightful events, thought-provoking publications, best-practice research, and unique networking opportunities. IANS is committed to providing its members with unbiased, relevant insights to increase their productivity and effectiveness as emerging technical leaders inside their organizations.