BACKGROUND
Brigham Young University–Hawaii (BYU Hawaii) is a small campus of intercultural leadership development, where a diverse population of over 2,500 students representing over 70 countries live, study and work together. A BYU Hawaii education involves intellectual learning and career preparation, as well as moral, ethical and spiritual enrichment.
ALL IS WELL – OR IS IT?
A small in-house IT staff manages the technology that fuels the educational and spiritual mission of BYU Hawaii. The school's network consisted of 156 virtual servers running VMware, Cisco Adaptive Security Appliances (ASA) firewalls, numerous appliances and web filtering from Websense. This mix of networking and security technologies supported the activities of 2,750 student users, and over 500 researchers and support staff accessing a variety of applications – including social media.
BYU Hawaii's network seemed fairly stable. "We didn't have glaring performance issues, but our data center seemed to be using more Internet bandwidth than it should," says Neal Moss, Systems and Network Analyst, IT Infrastructure, BYU Hawaii. "Our firewall looked like Swiss cheese. The firewall had more ports open than needed to be, and there were rules that had been there for years. No one had time to clean up the mess."
WHAT YOU DON'T KNOW CAN HURT YOU
BYU Hawaii's Cisco firewalls were not up for renewal for another year, so alternative solutions were not under consideration. That all changed quickly, however, when the university told Moss to prepare his infrastructure to support 2,250 more students – a nearly 50 percent increase. "That drove us to look at our existing security environment and to fix the issues with our servers," says Moss.
An evaluation of the school's current security environment was launched. "We were surprised," says Moss. "A host of transparent, previously unknown security risks and security compromises, such as lots of open connections, had taken root."
LEARNING WHAT YOU DON'T KNOW
On top of this, BitTorrent and other malware were eating up network resources.
"Student users were unwittingly engaging in activities that invite BitTorrent and other risks," explains Bryan Jameson, Systems Developer, BYU Hawaii. Moss and Jameson estimate that 25-30 percent of BYU Hawaii's one-gigabit Internet connection was being used by unapproved sources. They also noted a degradation in network performance due to server-side traffic on their switches and routers.
The cumbersome manageability of BYU Hawaii's existing Cisco firewalls posed another issue. Creating acceptable-use rules was extremely time-consuming, and enforcement was ineffective because the rules were port-based. "The audit revealed we had over 2,800 rules, most of which were unenforceable," says Jameson. "If a rule wasn't working, a new one was written and another port opened. This was laborious, inefficient and created vulnerabilities."
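The audit described above is a mechanical job once the rule base is in a machine-readable form. The following is an added example, not the university's configuration or any vendor's tool: it models a first-match, port-based rule list and flags the three defects the text names, rules that permit any source on any port, rules that can never match because an earlier rule already covers them, and rules that have not matched traffic in months. The rule names, addresses and hit dates are constructed.

```python
"""Audit of a port-based rule set for the sprawl the audit above describes.

Added example, not the university's configuration or any vendor's tool.
The rule list is constructed: names, addresses and hit dates are invented.
Rules are evaluated first-match, top to bottom, as on a typical firewall.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "permit" or "deny"
    src: str                  # CIDR, or "any"
    dst: str                  # CIDR, or "any"
    port: str                 # TCP port as a string, or "any"
    last_hit: Optional[date]  # None: never matched since hit counters were reset


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` would match is already matched by `outer`.

    Action is deliberately ignored: a rule hidden behind an earlier match
    never fires, whether that earlier rule permits or denies.
    """
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.port in ("any", inner.port))


def find_overbroad(rules):
    """Permits from anywhere on every port: the 'Swiss cheese' holes."""
    return [r.name for r in rules
            if r.action == "permit" and r.src == "any" and r.port == "any"]


def find_shadowed(rules):
    """Rules that can never match because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(earlier, r) for earlier in rules[:i])]


def find_stale(rules, today: date, max_age_days: int = 90):
    """Rules with no hits inside the window: candidates for removal."""
    cutoff = today - timedelta(days=max_age_days)
    return [r.name for r in rules
            if r.last_hit is None or r.last_hit < cutoff]


def audit(rules, today: date):
    return {
        "overbroad": find_overbroad(rules),
        "shadowed": find_shadowed(rules),
        "stale": find_stale(rules, today),
    }


TODAY = date(2024, 6, 1)  # constructed reference date for the stale check
SAMPLE_RULES = [  # constructed rule base
    Rule("web-in",     "permit", "any",          "10.10.1.0/24", "443",  date(2024, 5, 30)),
    Rule("legacy-ftp", "permit", "any",          "10.10.1.5/32", "21",   date(2021, 2, 11)),
    Rule("mgmt-any",   "permit", "any",          "10.10.2.0/24", "any",  date(2024, 5, 29)),
    Rule("mgmt-ssh",   "permit", "10.20.0.0/16", "10.10.2.0/24", "22",   None),
    Rule("db-app",     "permit", "10.10.1.0/24", "10.10.3.0/24", "5432", date(2024, 5, 31)),
    Rule("deny-all",   "deny",   "any",          "any",          "any",  date(2024, 5, 31)),
]

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_RULES, TODAY).items():
        print(f"{kind:>9}: {', '.join(names) or '-'}")
```

On the constructed list, `mgmt-any` is the over-broad hole, `mgmt-ssh` is shadowed by it (and so never fires, which is also why it has no hits), and `legacy-ftp` has not matched in years. The shadow check is conservative: it only reports a rule when a single earlier rule covers it entirely, so a rule split across several earlier rules is left for a human to judge.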
THE DIRECTIVE: MAKE SECURITY 'ROCK SOLID'
Faced with an imminent influx of additional users, and armed with new information about the vulnerability and misuse of its network, action was imperative. "The mandate from above was to get our network ready and make security 'rock solid,'" says Moss. "We had to get visibility into our network to see what was really going in and out to regain control. In the process, we had to gain more efficiencies to support the dramatic expansion in our student body."
To achieve these goals, the university decided to redesign its IT security infrastructure based on a 'zero trust' model with a next-generation firewall as the linchpin. Under this plan, all servers are being moved into a new data center design and assigned a virtualized server zone. The zone isolates each server from the other zones and from uncontrolled internal and external access. "An important criterion for the firewall was it had to be application-based versus port-based," says Moss. "It had to tell us what applications were truly being allowed to and from our network. We used the information to help us decide which apps to allow or disallow, making it easier to build a secure network."
TRUE APPLICATION-LEVEL VISIBILITY
BYU Hawaii evaluated three vendors, including the latest firewalls from Cisco and Palo Alto Networks. "We only looked at those who claimed to have a next-generation firewall," says Moss. After extensive testing, the choice was clear. "No one else even came close to Palo Alto Networks. No one else has a true application-based firewall. They are all based on protocol or ports. No one could do true application-based firewalling and go to the application level like Palo Alto Networks," he adds.
Palo Alto Networks next-generation firewalls safely enable applications, users and content through innovative, tightly integrated technologies and services. The firewalls determine an application's identity and classify it across all ports. Next, the application and user are assigned a safe enablement policy, which applies to all users and protects the network against all types of threats from the application, both known and unknown. The PA-5000 Series of next-generation firewalls protects data centers, large enterprise Internet gateways, and service provider environments where traffic demands require predictable, high-speed next-generation firewall and threat prevention throughput of up to 20 Gbps.
In addition, university resources were being misused. Several servers were hosting game servers, while others had social media services and backdoors implanted. A handful of servers were completely taken over. "One server was a launching point for attacks," Moss says. "We had lost control over several web servers and application servers. Penetrations into the network had been happening for months or longer. Our existing firewalls had so many ports open that hackers were able to own the DMZ. Our network was compromised and open to squatters."
The university's IT team was wowed by the application-based visibility and straightforward high-level management features of the PA-5000 Series. "We could instantly see what's traversing our network, what people are using, and where they're going on the Internet," says Jameson. The PA-5000 Series gives enterprises complete visibility and control, while significantly reducing total cost of ownership through device consolidation. The firewalls enable enterprises to extend protection over all types of traffic, applications, and threats to remote users. Palo Alto Networks safely enables applications, instead of the all-or-nothing approach offered by traditional port-blocking firewalls.
Convinced that only Palo Alto Networks could better protect its network, and support its infrastructure redesign and expanding user base, BYU Hawaii purchased two PA-5020 firewalls. "Palo Alto Networks is our primary firewall for the whole university, sitting at our data center, which is our egress point for the Internet," states Moss. The PA-5020s protect all of the university's key data and core infrastructure, running high availability with IPS, threat prevention, URL filtering and antivirus – all in one box. In the near future, BYU Hawaii plans to implement decryption.
HACKING OFF THE HACKERS
Soon after installing Palo Alto Networks, Moss and his team began taking back control of their network and reclaiming Internet bandwidth. "Once we started locking down the network and blocking access to servers, the hackers and squatters tried to fight back and prove they had more control than we did," says Moss.
"They became more aggressive in their attacks, changing IP addresses, bouncing off other servers and using more aggressive exploit tools," adds Jameson. "But the visibility of the PA-5020s let us see exactly what was coming in, dig into application-level hacks to see where traffic was coming from and going to, and identify certain addresses causing problems. We quickly created policies and shut them off."
ZONING OUT AND WORKING 30-40 TIMES FASTER
With Palo Alto Networks firewalls at the forefront, BYU Hawaii is successfully converting its network into a zero trust zoned architecture, with 97 percent of its servers virtualized and improved security. Moss' team created policies ranging from denying specific applications to denying users' access to all internal servers, web servers and server management servers. "We set up rules where one server can't talk to another server in a different zone without us first allowing the application, and it all has to go through our Palo Alto Networks firewall," says Jameson. "No one can do anything from one server to another anymore."
Creating rules is now far more efficient. "What used to require 5-6 hours and a ton of research to figure out what's open and what isn't is now 30-40 times faster," says Moss. "We can assess the issue and quickly create and deploy new enforceable rules with Palo Alto Networks. What's even more impressive is that we now have a zoned architecture. We are using the advanced features of the firewall. Within the Palo Alto Networks firewall we have created virtual firewalls and virtual interfaces to protect servers and users from each other and between server zones – every zone has its own IP range and VLAN – and we're still saving time compared to before," says Jameson. The school removed its Cisco firewalls entirely and replaced all of its previous rules with new ones.
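The zone design described in the directive section and in the two paragraphs above comes down to one decision per session: which zone it comes from, which zone it is going to, and which application it actually is. The following is an added example, not the university's policy or any vendor's code: it models that decision with a default-deny table keyed on (source zone, destination zone, application) and, for contrast, the same intent written the old way on port numbers. The zone ranges, application labels and sample sessions are constructed, and the example assumes that traffic inside one zone (one VLAN) never transits the firewall.

```python
"""Zone-to-zone policy of the zero-trust design described above.

Added example, not the university's policy or any vendor's code. Zone
ranges, application labels and the sample flows are constructed. Each
session carries the application identified from its content (the
page's application-based firewalling); the port number is all that the
old port-based rules could see.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One address range per zone, mirroring "every zone has its own IP range and VLAN".
ZONES = {
    "users": ip_network("10.50.0.0/16"),
    "web":   ip_network("10.10.1.0/24"),
    "db":    ip_network("10.10.3.0/24"),
    "mgmt":  ip_network("10.10.2.0/24"),
}


def zone_of(ip: str) -> str:
    for name, net in ZONES.items():
        if ip_address(ip) in net:
            return name
    return "untrust"  # anything outside a defined zone, e.g. the Internet


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str  # application identified from the session content


# Application-based policy: (src zone, dst zone, app). Anything not listed
# is denied, so a server cannot reach another zone until its application
# has been explicitly allowed.
APP_ALLOW = {
    ("untrust", "web", "web-browsing"), ("untrust", "web", "ssl"),
    ("users", "web", "web-browsing"),   ("users", "web", "ssl"),
    ("web", "db", "postgresql"),
    ("mgmt", "web", "ssh"), ("mgmt", "db", "ssh"),
}

# The same intent expressed the old way: (src zone, dst zone, port).
PORT_PERMIT = {
    ("untrust", "web", 80), ("untrust", "web", 443),
    ("users", "web", 80),   ("users", "web", 443),
    ("web", "db", 5432),
    ("mgmt", "web", 22), ("mgmt", "db", 22),
}


def app_decide(flow: Flow) -> str:
    src, dst = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if src == dst:
        return "allow"  # assumption: same-VLAN traffic never transits the firewall
    return "allow" if (src, dst, flow.app) in APP_ALLOW else "deny"


def port_decide(flow: Flow) -> str:
    src, dst = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if src == dst:
        return "allow"
    return "allow" if (src, dst, flow.dst_port) in PORT_PERMIT else "deny"


def slipped_past_port_rules(flows):
    """Flows a port-based rule lets through that the application policy stops."""
    return [f for f in flows if port_decide(f) == "allow" and app_decide(f) == "deny"]


SAMPLE_FLOWS = [  # constructed sessions
    Flow("203.0.113.7", "10.10.1.10", 443, "ssl"),         # normal HTTPS to a web server
    Flow("203.0.113.7", "10.10.1.10", 443, "bittorrent"),  # BitTorrent riding on port 443
    Flow("10.10.1.10", "10.10.3.5", 5432, "postgresql"),   # web tier to its database
    Flow("10.10.1.10", "10.10.3.5", 22, "ssh"),            # web server reaching into the db zone
    Flow("10.50.3.4", "10.10.1.10", 8443, "ssl"),          # allowed app on a non-standard port
    Flow("10.10.1.10", "10.10.1.11", 22, "ssh"),           # intra-zone, not inspected here
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{zone_of(f.src_ip):>7} -> {zone_of(f.dst_ip):<7} {f.app:<12} "
              f"port-rules={port_decide(f):<5} app-policy={app_decide(f)}")
```

The two policies disagree on exactly the cases the text is about: BitTorrent on port 443 passes the port rule and is stopped by the application policy, and a web server opening SSH into the database zone is stopped by both only because the zone table has no entry for it. The real firewall adds users, schedules and threat profiles to the same tuple; the default-deny shape is what makes the zone boundary mean something.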
DOING MORE WITH LESS - EDUCATION'S MANTRA
BYU Hawaii has been able to get rid of its Websense web filtering and switch to the inline web filtering and malware prevention included in the Palo Alto Networks PA-5000 Series. The university had been paying $48,000 per year for Websense, not including maintenance and server fees. "What we've saved on Websense and subscription fees alone over two years pays for all of our Palo Alto Networks firewalls and maintenance, and we get everything in one box," says Moss. "Plus, we were able to reduce the number of devices on our network and save money on maintenance fees and management time."
Moss and his colleagues have high praise for the depth of information the PA-5000 Series provides and its ease of use. "Palo Alto Networks allows me to give other IT staff the ability to troubleshoot their own problems," he says. "I can empower them to identify a problem and come up with a solution before coming to me. This saves me a lot of time. I can empower them to do things that were too complex and time-consuming to do before. Now, in 15 minutes or less they troubleshoot their problem and know what is needed to fix the issue. They then can create a change request. Once approved, we are able to make the change in the firewall fairly quickly."
The IT team at BYU Hawaii is equally impressed with Palo Alto Networks technical support. "I've never seen tech support as good as Palo Alto Networks," says Moss. "I give them a 10+ whereas I'd give my tech support from other vendors a three. You just don't get this type of support from other vendors."
WORD SPREADS THROUGH CAMPUS
Not long after installing the Palo Alto Networks PA-5020s, word of the success BYU Hawaii was enjoying began to spread to BYU's other campuses. "BYU-Idaho called to ask about Palo Alto Networks, then purchased the product and are implementing it at various locations," says Moss. Following suit, LDS Business College in Salt Lake City has purchased and is installing the solution. BYU-Provo is currently looking at Palo Alto Networks.
Faced with the monumental task of redesigning its network to accommodate twice as many users, and with ratcheting up network security, BYU Hawaii feels it made the right call in moving to Palo Alto Networks. "Redesigning our network using Palo Alto Networks helped us eliminate our exposure to BitTorrent and other security risks, save resources and prepare for more users," adds Jameson. "The efficiencies of Palo Alto Networks firewalls helped us get our issues under control."
"We were told to do more with less and build a secure, rock solid and more user-friendly network," says Moss. "We did that with Palo Alto Networks next-generation firewalls. If we tried to rip them out and go to another solution there would be a massive rebellion."