
A Financial Services Company Invests In A Security Upgrade With Fortis

Introduction

A financial institution was using obsolete perimeter network firewalls in a pair of their data centers, which were in desperate need of an upgrade. In addition to the firewall refresh, the customer wanted to add other security capabilities to their data center locations, including advanced intrusion prevention (IPS), SSL decryption for inspection of traffic, DoS (denial of service) prevention, and web application firewalling.

The financial institution also had other network security products in production that were either end of life/end of support or in need of support renewals and/or upgrades. They decided to consolidate some of these products and capabilities to help improve the overall security and management of the organization.

Sentinel and Fortis engineers were engaged to refresh the firewalls at both the production and DR data centers. This included both externally facing firewalls as well as virtual internal firewall systems.

Solution

The Fortis Advisory Services team worked with the customer’s security and IT teams to create a detailed blueprint design document and testing plan for the deployment. The initial blueprint was based on the financial institution’s existing firewall services. This engagement also added a number of new services not previously deployed that required complete planning and design.

  • Analyze the current environment to make sure it is ready for infrastructure implementation.
  • Engage with the customer’s team to collaborate on technical and policy requirements for the new security systems deployment, including:
    • Firewall policy requirements (Advisory)
    • Firewall services – based on the existing services
    • Intrusion Prevention Services (IPS) – newly added capability
      • External IPS
      • Internal third-party virtual IPS
    • Denial of service (DoS) prevention
    • URL filtering – using the existing filtering services, policy, and reporting as a baseline
    • Anti-malware prevention services (AMP) – new service
    • Web application firewall services (WAFS) – new service
      • Fortis required involvement of the Sentinel application team to work with Radware for this component
    • Redundancy and DR of Firepower VMs and FMC
    • VMware redundancy and failover
    • Backup copy process/script or other means to protect the virtual FMC at the DR site
  • Develop the specific requirements and design, then produce a case-specific blueprint document based upon the customer discussions.

Advisory Services

Fortis provided Advisory Services consulting for the deployment. This included time to work with the customer’s security team on creating the optimal setup for existing and new services that closely adhered to the security policies and standards of the organization. Fortis documented these standards for the project engineering team to set up during the deployment of these services. When applicable, existing systems were reviewed for configuration and formed a baseline for how the new services would be configured. Since many new services were included as part of this deployment, including web application firewalls, IPS, and anti-malware, the Fortis Advisory team collaborated with the customer’s security team to clearly define the policy and business outcome expectations for these enhanced security solutions.

Advisory Services also performed a small assessment of the new perimeter and third-party internal firewalls. This included testing the policy to check that enforcement functioned as expected, along with a brief summary report of the findings. Fortis allotted time for the final testing and report.

Firepower Threat Defense

Firepower Threat Defense (FTD) was deployed based on the Advisory policy recommendations and the design blueprint. The design provided for compliance-related services and the policy setup needed to support those requirements where applicable. The following was deployed:

  • Firepower Management Center (FMC) on VMware
    • Deployed on the customer’s VMware
    • Logging integrated with either HP ArcSight or, if contracted, the Fortis SECaaS-managed SIEM
    • Ready to manage Firepower physical and virtual instances
  • Firepower appliances
    • Production: high-availability pair of FTD appliances
    • DR: single FTD with the same or very similar policy as production
    • Policy on the perimeter firewalls in line with the Advisory-recommended policies and in support of compliance services
  • Two virtual appliances to protect each third-party provider connected to the network
    • Segmentation was planned per VLAN, passing through the single FTDs using sub-interfaces
    • Fortis assumed the same or very similar policies were applied to each of the third-party providers
  • AMP anti-malware
    • Ensure AMP is in place and operational
    • Set up AMP inspection policies per the plan
    • Confirm AMP operations
  • URL services
    • Based upon the current URL filtering and reporting
    • Set up for production and DR
  • SSL decryption policy
    • Deployment with hardware acceleration (a capability of newer FTD versions)
    • Setup of SSL policies for traffic inspection
    • Testing of SSL decryption
    • Measurement of the amount of SSL traffic and the resulting load on the firewalls
  • VPN services
    • Setup of VPN services for remote access
    • Assumes multi-factor integration with Cisco Duo or another provided/compatible multi-factor solution
      • The deployment of a multi-factor authentication system was NOT part of this engagement and required additional deployment.
  • Automated copy or replication services to DR
  • VMware redundancy of FTDs and FMCs within the data center(s)

Conclusion

The customer significantly hardened their security posture by upgrading their firewalls, deploying new services within their environment, optimizing policies and settings, as well as taking advantage of the advanced features and management provided by Cisco’s Firepower solution.