Project Activities and Timeline


Security Enhancement
Proxy Replacement
Firewall Replacement
IDS Replacement
January, 2012
Contents
• Business Problem
• Project Scope
• Proposed Solution
• Project Costs
• Project Activities and Timeline
• Risks
Business Problem
• Current Proxy Servers (BlueCoat) are not capable of handling traffic patterns from Culver City.
  o As a result, Culver City traffic is not routing through a proxy server, and inbound traffic is not investigated for malware.
  o We are not GISS Network Management 3.5.2 compliant.
  o Proxy servers can’t monitor all traffic, only http and https traffic.
• Current Firewalls are having performance issues and need to be replaced.
  o Corporate Pointe – F/W dropping packets, poor performance for DMC environment. Upgraded Internet circuit to 10 Gig. Current firewall being replaced with OneNET Post-Production funds.
  o Chandler – F/W reaching its peak before dropping packets. Plans to upgrade Chandler Internet to 10 Gig to support failover for DMC in Corporate Pointe. Current firewall will be replaced with OneNET Post-Production funds.
  o London firewall has had performance problems causing slowdown to customers. Needs restarting to temporarily resolve this problem.
• IDS in Chandler and Corporate Pointe need to be upgraded to support 10 Gig.
  o Corporate Pointe IDS’s are dropping packets due to increased bandwidth and cannot keep up with the demand.
Project Scope

In-Scope
o Replace existing CheckPoint Firewalls with next generation firewalls that provide f/w, proxy, and IDS / IPS services, in the following locations
    o Corporate Pointe (Culver City Datacenter)
    o Chandler, AZ
    o London, UK
    o Hong Kong, HK
o Add additional firewall pairs to the following locations
    o Studio Productions Internet
    o Singapore new Internet
o Enable IDS / IPS Services on new firewalls.
o Enable Proxy Services on new firewalls and retire them.
o Shut down all Blue Coat Proxy Servers.
o Repurpose existing IDS servers in Corporate Pointe and Chandler to alternate locations.
o Shut down existing CheckPoint firewalls.
Proposed Solution
• Replace current CheckPoint Firewalls with Palo Alto Networks “Next Generation Firewall” appliances.
  o Regains GISS Network Management 3.5.2 compliance.
  o Enables much better performance to meet current, and estimated future, demand over the next 3 years.
  o Enabling Threat Prevention means we can consolidate this service onto the same platform, and shut down aging and poorly performing BlueCoat Proxy Servers.
      o Closes the gap we have with GISP Policy for having all clients route through a Proxy server to gain Internet access.
  o Enabling IDS / IPS services means we won’t have to purchase 10 Gig IDS’s from Symantec, saving $180,000 per year lease over 5 years (900,000).
Project Costs
| Product Costs | Replace with CheckPoint | 5 Year Maint. | Replace with Palo Alto | 5 Year Maint. |
|---|---|---|---|---|
| Corporate Pointe 10 Gig HA | $862,350.00 | $835,540.00 | $159,115.00 | $273,000.00 |
| Chandler 10 Gig HA | $862,350.00 | $835,540.00 | $159,115.00 | $273,000.00 |
| London 1 Gig HA | $325,140.00 | $237,150.00 | $48,521.00 | $52,000.00 |
| Hong Kong 1 Gig HA | $325,140.00 | $237,150.00 | $48,521.00 | $52,000.00 |
| Studio Productions 1 Gig HA | $325,140.00 | $237,150.00 | $48,521.00 | $52,000.00 |
| Singapore 1 Gig HA | $325,140.00 | $237,150.00 | $48,521.00 | $52,000.00 |
| Management Software | $24,500.00 | $0.00 | $7,800.00 | $7,360.00 |
| URL Filtering | $0.00 | $0.00 | $93,000.00 | $465,000.00 |
| Threat Prevention | $0.00 | $0.00 | $93,000.00 | $465,000.00 |
| Internal GNS Engineering | $66,920.00 | | $66,920.00 | |
| External Professional Services | $88,240.00 | | $88,240.00 | |
| Project Manager | $80,000.00 | | $80,000.00 | |
| Total | $3,284,920.00 | $2,619,680.00 | $941,274.00 | $1,691,360.00 |
| Funded from OneNET Post-Productions | -$519,000.00 | | -$519,000.00 | |
| NET TOTAL | $2,765,920.00 | $2,619,680.00 | $422,274.00 | $1,691,360.00 |
Vendor Selection
Selected Vendor
Palo Alto Networks
o Palo Alto Networks “Next Generation Firewalls” have proven to be very well
received in the industry, and have placed Palo Alto in the top right quadrant of
Gartner’s Firewall Survey.
o PoC run by SPE GNS group proved this solution works very well as an integrated
firewall, IDS/IPS, Proxy solution.
o Solution provides for consolidated reporting for virus, applications, and web
browsing for Investigative Services group.
o Solution provides integration of Active Directory so Investigative Services can
search by AD username as well as by IP address, port.
Reviewed Vendors
o Palo Alto Networks
o CheckPoint Systems
o Cisco
o Zscaler
o Blue Coat
Project Activities and Timeline
| Activity | Timeline | Groups Involved |
|---|---|---|
| Solution Selection / Proof of Concept | Weeks 1 - 12 | GNS, (completed) |
| Operational Planning | Weeks 6 - 16 | GNS, GSD, ADM |
| Procurement | Weeks 12-14 | GNS, Procurement |
| Configuration / Testing | Weeks 14-18 | GNS |
| Deployment | Weeks 16-24 | GNS |
| GNS / TCS Training | Weeks 12-14 | GNS, Vendor |
| Production Turnover | Week 14-18 | GNS |
| Retire CheckPoint, BlueCoat | Week 24 | GNS |
Risks
• Firewall replacement requires much up-front planning to ensure all the rules are properly migrated and working.
• Migrating to the new solution will require outages, which need to be supported by the business.
• Getting the Master Sales Agreement in place has proven to be very challenging, and is not completed yet. This could delay the execution of this project.