IT service provider regio iT is a partner for city and district municipal authorities. With branches in Aachen and Gütersloh, regio iT helps around 320 customers and 20,500 clients from the municipal field meet challenges brought on by rapid development in the IT world and increasing cost pressures. regio iT’s current 340 employees take on the tasks of operating and supporting database and server systems as well as entire IT infrastructures for energy suppliers, waste disposal companies, schools, and non-profit organizations, and of managing the data of citizens within the region.
The Challenge of a New Firewall
Operating as a service provider for city and district municipal authorities, regio iT takes its responsibility very seriously. It was the first regional data center to be certified to the international standards ISO 9001 (quality management), ISO 20000 (IT service management), and ISO 27001 (information security management).
To meet its own quality criteria, regio iT checks its status regarding these standards regularly through internal and external audits. According to Ounsal Ouzeir, Head of Team IT Infrastructure at regio iT, “The new concept should aim for a service-oriented approach so that customer needs for more data security can be met even better. For that reason we set out the basic requirement that the new concept should meet various security criteria in every case. In addition to firewalls, central logging, monitoring, and administration, identifiable access by end devices and users via certificates must be able to be supported and managed.”
regio iT had previously approached other firewall providers but had not found a suitable solution. During a successful storage project, regio iT contacted DTS Systeme GmbH, a system integration and cloud services provider with 29 years of IT industry experience and 14 years of security experience, six German branches, and two high-performance in-house data centers in Herford and Münster. DTS Systeme GmbH presented regio iT with potential solutions from Palo Alto Networks and one other provider.
Markus Kohlmeier, Head of IT Infrastructure & Security at DTS Systeme GmbH, explains, “The technology from Palo Alto Networks put forward the idea of a data center that effectively separates the branches from each other. Palo Alto Networks favors the logical perimeter concept, which provides the necessary framework for ensuring a standardized and consistent approach to security regardless of the network connection and branch in question. Rules and policies remain consistent and are applied across the networks with optimal intelligence and network security.”
At a follow-up meeting, the solutions from both firewall providers were demonstrated on site at regio iT’s request. Palo Alto Networks won out due to their impressive technology and reasonable cost.
In line with standard practice, DTS Systeme GmbH implemented a Palo Alto Networks trial period for regio iT. “The results were impressive,” Ounsal Ouzeir remembers. “Just two hours into the trial period, the Palo Alto Networks system detected the first threats that the existing intrusion prevention system (IPS) had not adequately identified. The IPS module from Palo Alto Networks protects against weak points and/or exploits, and detects both known and unknown security gaps at the network and application level. It prevents buffer overflows and denial-of-service attacks and blocks port scans.” regio iT’s trial period with the solution was extended for an additional four weeks for further test purposes.
In August 2011, multiple Palo Alto Networks firewalls were deployed in regio iT’s network infrastructure. The firewalls are mainly used to control the communication paths between network segments and to inspect that traffic for threats. DTS Systeme GmbH was in charge of the entire implementation project, from system setup and training through to advice and support during the migration of the infrastructure, and finally remote support.
Intelligent Segmentation of Networks, Application Control
Achim Kraus, Senior Systems Engineer at Palo Alto Networks, explains, “The architecture of modern data centers must allow for strict separation between public, non-public, and even secret areas. Web servers that allow outside access must be cut off from all company data, for example, through the use of firewalls. Mail servers are also part of the public segment and should be protected separately. The send and receive function connects confidential and non-confidential areas. Segmentation can, of course, be implemented according to functional criteria as well.”
This segmentation is enforced through application-level controls, which make the segmented infrastructure straightforward to set up and simplify the administration of the firewall. Application control can also prevent undesired communication, something a conventional port-based firewall cannot guarantee, since it decides on port and protocol alone. The App-ID™ function of the Palo Alto Networks firewall uses up to four different traffic classification mechanisms to identify which applications are running on the network, regardless of port, protocol, SSL encryption, or other evasion techniques. Identifying the application is the firewall’s first action, and that identity is the basis for every further policy decision within the infrastructure. In addition to the App-ID identification technology, the Palo Alto Networks firewall also uses Content-ID™: a stream-based analysis module that detects and blocks threats and limits unauthorized transfers of files and confidential data, while a URL filtering database controls internet usage at the same time.
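To make the two ideas in the preceding paragraphs concrete (zone-based segmentation between public and non-public areas, and policy decisions keyed on the identified application rather than the destination port), here is a small, added, runnable model. It is not regio iT, DTS or Palo Alto Networks code: the payload classifier is a stand-in for App-ID with only one of its mechanisms (a first-packet signature), and the zone names, address ranges, rule names and sample flows are constructed for illustration. It also models the “application-default” idea, where an application is only allowed on its standard port, and contrasts the result with a port-only rule on the same flows.

```python
"""Toy application-aware, zone-based policy engine (added example, not vendor code).

Flow classification and rule matching are deliberately simplified; the point is
to show why a rule keyed on (zone, zone, application) behaves differently from a
rule keyed on (zone, zone, port) when traffic does not match its port.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sends (constructed samples below)

# Hypothetical address plan: which ranges sit in which zone (untrust is the default).
ZONES = {
    "dmz": [ip_network("203.0.113.0/24")],   # public web tier
    "data": [ip_network("10.20.0.0/16")],    # non-public customer data
}

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "untrust"

# Minimal first-packet signature classifier standing in for App-ID.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def classify(payload: bytes) -> str:
    if payload.startswith(b"SSH-2.0"):
        return "ssh"
    if HTTP_REQUEST.match(payload):
        return "web-browsing"
    if payload[:1] == b"\x16" and payload[5:6] == b"\x01":  # TLS record, ClientHello
        return "ssl"
    return "unknown-tcp"

# Standard ports per application, used for "application-default" service matching.
DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}}

@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    apps: frozenset          # frozenset({"any"}) matches every application
    action: str              # "allow" or "deny"
    app_default: bool = True  # allow the app only on its standard port(s)

# Hypothetical rulebase; first match wins, everything else is denied between zones.
RULEBASE = [
    Rule("allow-web-in", "untrust", "dmz", frozenset({"web-browsing", "ssl"}), "allow"),
    Rule("allow-admin-ssh", "data", "dmz", frozenset({"ssh"}), "allow"),
    Rule("deny-dmz-to-data", "dmz", "data", frozenset({"any"}), "deny"),
]

def evaluate(flow: Flow, rulebase=RULEBASE):
    """Return (rule name, action, identified application) for a flow."""
    app = classify(flow.payload)
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in rulebase:
        if rule.from_zone != src_zone or rule.to_zone != dst_zone:
            continue
        if "any" not in rule.apps and app not in rule.apps:
            continue
        if rule.action == "allow" and rule.app_default \
                and flow.dport not in DEFAULT_PORTS.get(app, set()):
            continue  # known app on a non-standard port: not covered by this allow
        return rule.name, rule.action, app
    return "interzone-default", "deny", app

def port_only_policy(flow: Flow) -> str:
    """What a port-based rule 'untrust -> dmz, tcp/80 and tcp/443' decides."""
    if zone_of(flow.src) == "untrust" and zone_of(flow.dst) == "dmz" \
            and flow.dport in (80, 443):
        return "allow"
    return "deny"

# Constructed sample flows (addresses from documentation ranges).
SAMPLE_FLOWS = {
    "http_to_web": Flow("198.51.100.7", "203.0.113.10", 80,
                        b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    "ssh_on_80": Flow("198.51.100.7", "203.0.113.10", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "http_on_8080": Flow("198.51.100.7", "203.0.113.10", 8080, b"GET / HTTP/1.1\r\n\r\n"),
    "dmz_to_data": Flow("203.0.113.10", "10.20.1.5", 443,
                        b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    "admin_ssh": Flow("10.20.5.9", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_9.3\r\n"),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        rule, action, app = evaluate(flow)
        print(f"{name:13} app={app:13} app-aware={action:5} ({rule})"
              f"  port-only={port_only_policy(flow)}")
```

The flow named ssh_on_80 is the one that matters: SSH tunnelled over tcp/80 is allowed by the port-only rule but denied by the application-aware rulebase because the identified application is not in the allow list, and http_on_8080 shows the application-default check refusing a recognised application on a non-standard port. The dmz_to_data flow shows the segmentation from the quote above: a compromised public web server gets no path into the non-public data segment whatever it speaks.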
Restoring transparency and control over the use of applications is just one part of the tasks today’s IT departments are charged with, however. Inspecting the traffic that policy does permit is another important requirement. To meet this challenge, a threat prevention module is integrated directly into the firewall. Detection is signature-based and is combined with a stream-based scan, so that exploits of known vulnerabilities, viruses, and spyware are blocked in a single pass.
Andreas Pelzner, Technical Head and CIO of regio iT, is positive in his assessment: “We are very happy with the solution. From the very beginning we were able to identify potential threats that the existing product from a competitor had not adequately detected. Content identification both in the perimeter and data center provided targeted protection that was significantly higher than what conventional firewall technology could achieve. At the same time transparency was greatly improved thanks to the combined logging of the Palo Alto Networks firewall and IPS logs. Our market analysis showed that Palo Alto Networks is the only provider that can meet performance data requirements with application control and threat prevention. This is especially important in the data center environment. We can offer our customers optimal security thanks to the strict separation of public and non-public areas.” The firewall can also be virtualized so that a separate virtual system is available if an individual customer requires this. This may be necessary if the customer has to have their log files and infrastructures audited, for example, or would like to view and independently manage their infrastructure. All of these functions have a positive secondary effect. “We were able to reduce costs by consolidating the firewall, administrative work has significantly decreased, and there is greater flexibility to meet customer requirements. At the same time, security was improved for our customers,” concludes Andreas Pelzner.