
Security Enhancement

Proxy Replacement
Firewall Replacement
IDS Replacement

January, 2012
Contents

• Business Problem
• Project Scope
• Proposed Solution
• Project Costs
• Project Activities and Timeline
• Risks

Business Problem
• Current Proxy Servers (BlueCoat) are not capable of handling traffic patterns from Culver City.
  o As a result, Culver City traffic is not routing through a proxy server, and inbound traffic is not investigated for malware.
  o We are not GISS Network Management 3.5.2 compliant.
  o Proxy servers can’t monitor all traffic, only http and https traffic.

• Current Firewalls are having performance issues and need to be replaced.
  o Corporate Pointe – F/W dropping packets, poor performance for DMC environment. Upgraded Internet circuit to 10 Gig. Current firewall being replaced with OneNET Post-Production funds.
  o Chandler – F/W reaching its peak before dropping packets. Plans to upgrade Chandler Internet to 10 Gig to support failover for DMC in Corporate Pointe. Current firewall will be replaced with OneNET Post-Production funds.
  o London firewall has had performance problems causing slowdown to customers. Needs restarting to temporarily resolve this problem.

• IDS in Chandler and Corporate Pointe need to be upgraded to support 10 Gig.
  o Corporate Pointe IDSs are dropping packets due to increased bandwidth and cannot keep up with the demand.
Project Scope

• In-Scope
  o Replace existing CheckPoint Firewalls with next generation firewalls that provide f/w, proxy, and IDS / IPS services, in the following locations:
    o Corporate Pointe (Culver City Datacenter)
    o Chandler, AZ
    o London, UK
    o Hong Kong, HK
  o Add additional firewall pairs to the following locations:
    o Studio Productions Internet
    o Singapore new Internet
  o Enable IDS / IPS Services on new firewalls.
  o Enable Proxy Services on new firewalls and retire them.
  o Shut down all Blue Coat Proxy Servers.
  o Repurpose existing IDS servers in Corporate Pointe and Chandler to alternate locations.
  o Shut down existing CheckPoint firewalls.

Proposed Solution

• Replace current CheckPoint Firewalls with Palo Alto Networks “Next Generation Firewall” appliances.
  o Regains GISS Network Management 3.5.2 compliance.

• Enables much better performance to meet current and estimated future demand over the next 3 years.

• Enabling Threat Prevention means we can consolidate this service onto the same platform, and shut down aging and poorly performing BlueCoat Proxy Servers.
  o Closes the gap we have with GISP Policy for having all clients route through a Proxy server to gain Internet access.

• Enabling IDS / IPS services means we won’t have to purchase 10 Gig IDSs from Symantec, saving $180,000 per year lease over 5 years ($900,000).

Project Costs

| Product Costs | Replace with CheckPoint | 5 Year Maint. | Replace with Palo Alto | 5 Year Maint. |
|---|---|---|---|---|
| Corporate Pointe 10 Gig HA | $862,350.00 | $835,540.00 | $159,115.00 | $273,000.00 |
| Chandler 10 Gig HA | $862,350.00 | $835,540.00 | $159,115.00 | $273,000.00 |
| London 1 Gig HA | $325,140.00 | $237,150.00 | $48,521.00 | $52,000.00 |
| Hong Kong 1 Gig HA | $325,140.00 | $237,150.00 | $48,521.00 | $52,000.00 |
| Studio Productions 1 Gig HA | $325,140.00 | $237,150.00 | $48,521.00 | $52,000.00 |
| Singapore 1 Gig HA | $325,140.00 | $237,150.00 | $48,521.00 | $52,000.00 |
| Management Software | $24,500.00 | $0.00 | $7,800.00 | $7,360.00 |
| URL Filtering | $0.00 | $0.00 | $93,000.00 | $465,000.00 |
| Threat Prevention | $0.00 | $0.00 | $93,000.00 | $465,000.00 |
| Internal GNS Engineering | $66,920.00 | | $66,920.00 | |
| External Professional Services | $88,240.00 | | $88,240.00 | |
| Project Manager | $80,000.00 | | $80,000.00 | |
| Total | $3,284,920.00 | $2,619,680.00 | $941,274.00 | $1,691,360.00 |
| Funded from OneNET Post-Productions | -$519,000.00 | | $(519,000.00) | |
| NET TOTAL | $2,765,920.00 | $2,619,680.00 | $422,274.00 | $1,691,360.00 |

Vendor Selection
Selected Vendor
Palo Alto Networks
o Palo Alto Networks “Next Generation Firewalls” have proven to be very well received in the industry, and have placed Palo Alto in the top right quadrant of Gartner’s Firewall Survey.
o A PoC run by the SPE GNS group proved this solution works very well as an integrated firewall, IDS/IPS, and Proxy solution.
o Solution provides consolidated reporting for virus, applications, and web browsing for the Investigative Services group.
o Solution provides integration with Active Directory so Investigative Services can search by AD username as well as by IP address and port.

Reviewed Vendors
o Palo Alto Networks
o CheckPoint Systems
o Cisco
o Zscaler
o Blue Coat

Project Activities and Timeline

| Activity | Timeline | Groups Involved |
|---|---|---|
| Solution Selection / Proof of Concept | Weeks 1 - 12 | GNS, (completed) |
| Operational Planning | Weeks 6 - 16 | GNS, GSD, ADM |
| Procurement | Weeks 12-14 | GNS, Procurement |
| Configuration / Testing | Weeks 14-18 | GNS |
| Deployment | Weeks 16-24 | GNS |
| GNS / TCS Training | Weeks 12-14 | GNS, Vendor |
| Production Turnover | Week 14-18 | GNS |
| Retire CheckPoint, BlueCoat | Week 24 | GNS |

Risks

• Firewall replacement requires much up-front planning to ensure all the rules are properly migrated and
working.

• Migrating to the new solution will require outages, which need to be supported by the business.

• Getting the Master Sales Agreement in place has proven to be very challenging, and is not completed yet.
This could delay the execution of this project.
