Proxy Replacement
Firewall Replacement
IDS Replacement
January, 2012
Contents
Business Problem
Project Scope
Proposed Solution
Project Costs
Project Activities and Timeline
Risks
Business Problem
Current Proxy Servers (BlueCoat) are not capable of handling traffic patterns from Culver City.
As a result, Culver City traffic is not routing through a proxy server, and inbound traffic is not investigated for malware.
We are not GISS Network Management 3.5.2 compliant.
Proxy servers can’t monitor all traffic, only HTTP and HTTPS traffic.
In-Scope
o Replace existing CheckPoint Firewalls with next generation firewalls that provide firewall, proxy, and IDS / IPS services, in the following locations
    o Corporate Pointe (Culver City Datacenter)
    o Chandler, AZ
    o London, UK
    o Hong Kong, HK
o Add additional firewall pairs to the following locations
    o Studio Productions Internet
    o Singapore new Internet
o Enable IDS / IPS Services on new firewalls.
o Enable Proxy Services on new firewalls and retire them.
o Shut down all Blue Coat Proxy Servers
o Repurpose existing IDS servers in Corporate Pointe and Chandler to alternate locations.
o Shut down existing CheckPoint firewalls.
Proposed Solution
Project Costs
Vendor Selection
Selected Vendor
Palo Alto Networks
o Palo Alto Networks “Next Generation Firewalls” have proven to be very well received in the industry, and have placed Palo Alto in the top right quadrant of Gartner’s Firewall Survey.
o PoC run by SPE GNS group proved this solution works very well as an integrated firewall, IDS/IPS, Proxy solution.
o Solution provides for consolidated reporting for virus, applications, and web browsing for Investigative Services group.
o Solution provides integration of Active Directory so Investigative Services can search by AD username as well as by IP address, port.
Reviewed Vendors
o Palo Alto Networks
o CheckPoint Systems
o Cisco
o Zscaler
o Blue Coat
Project Activities and Timeline
Risks
• Firewall replacement requires much up-front planning to ensure all the rules are properly migrated and working.
• Migrating to the new solution will require outages, which need to be supported by the business.
• Getting the Master Sales Agreement in place has proven to be very challenging, and is not completed yet. This could delay the execution of this project.