Business & Technology
Organizations are continuing to expand and are looking for ways to secure their multiple network locations. There are various challenges to overcome and consider to protect the entire attack surface from internal as well as external threats with advanced security. The digital attack surface is expanding at a rapid rate, making it increasingly difficult to defend against advanced threats. The search for and selection of the right solution that provides comprehensive security is imperative for these organizations aiming for a strong security posture. To achieve this, organizations require a strategy that brings security to the forefront of the network buildout and seamlessly integrates it with the networking stack. The goal is to enable network security practitioners to manage all security risks that are associated with applications and infrastructure in today’s hybrid data centers.
In particular, one specific organization – a cooperative of school boards in primary and secondary education – needed a network security platform that can provide comprehensive threat protection for thousands of primary and secondary schools in multiple network locations. This organization required a solution that could provide IPsec secure access from any school to their data centers and perform a content inspection as traffic leaves for, and enters back from, the Internet. Finally, they also wanted to take their security to a whole new level with advanced security detection and enforcement between all schools – within or across various school boards.
In this instance, this large cooperative of school boards selected a security strategy and solution that would enable each education facility to have high-bandwidth internet access with advanced security protection across its numerous locations. This organization’s vision was to serve the needs of almost a million students by building a network that provides massive scale and performance for security and advanced networking capabilities that work together to provide a strong security posture. In addition to reliably securing the numerous school locations, the solution was selected by the group of school boards to lower IT expenditures by building a joint security solution that could benefit from economies of scale and offer a low total cost of ownership. The specific advanced security requirements include turning on application identification, web filtering, an intrusion prevention system, and anti-virus concurrently and having the data center capacity reach 715 Gbps of threat protection that consolidates all of the above-mentioned capabilities. Additionally, all of the existing and future schools that join this partnership will continue to connect using IPsec capabilities to the established data centers.
This education organization manages two large national data centers – a primary and a secondary data center working in an active-passive arrangement. The participating schools are spread across different school districts that connect to the primary data center using an IPsec tunnel that originates from a FortiGate CPE. The schools route all traffic via the primary data center and when that data center is inaccessible, they automatically fail over via the backup IPsec tunnel to the secondary data center, providing the required performance and reliability. In this scenario, these IPsec tunnels from each school are terminated on a FortiGate Next-generation Firewall that is placed in each data entry as a VPN concentrator. This allows all participating schools to securely backhaul traffic to the two data centers while preserving the confidentiality of the data.
To ensure better access control, traffic between each school board is segmented using a FortiOS feature called VDOM (Virtual Domain). These virtual domains allow this organization to take a FortiGate and logically partition it, providing each school board the ability to create unique security and network policies that suit its needs while still participate in the knowledge sharing conglomerate of school boards.
The FortiGates seamlessly integrate advanced networking and security capabilities like application identification, web filtering, and intrusion prevention system capabilities for thousands of schools and enable a massively scalable network security platform offering the required performance of 715 Gbps.
This advanced security solution also provides traffic content inspection between any two schools that want to communicate with one another, including schools within the same district. This is paramount to building a strong cybersecurity posture for all schools that fall within this educational organization’s jurisdiction. Although performing SSL/TLS inspection (including TLS 1.3) on encrypted traffic for full visibility was not initially a requirement in the organization’s search for the right solution, Fortinet’s SSL/TLS inspection performance was seen by the organization as a key benefit of Fortinet’s security solution. Moreover, the organization had requirements for centralized management and reporting capabilities to reduce network complexity and risk, while increasing efficiency. By leveraging the Fortinet Fabric Management Center, which is composed of FortiManager and FortiAnalyzer, this organization can benefit from single pane of glass management across their two data centers to reduce cost and complexity, and streamline operations. Additionally, the Fabric Management Center offers best practices for compliance and workflow automation to provide better protection against breaches.
Fortinet’s ability to build complex, massively scalable, and high-performance Layer 7 advanced security reduced the organization’s security complexity challenges, providing better visibility and heightened performance. True to its goals, the organization will be able to scale to 715 Gbps throughput for its sites within the next few years with the Fortinet solution.
Furthermore, the organization will have the ability to leverage its existing investment in Fortinet solutions and can simply turn on built-in SD-WAN capabilities to employ additional broadband transports to their WAN infrastructure and preserve user experience while realizing the industry’s best investment protection.
Networks are continually growing and evolving, and the adoption of new technologies or workflows can increase the attack surface and open the door to new threats. At the same time, cybercriminals are launching increasingly sophisticated attacks. For this cooperative of school boards, Fortinet provided the network security platform that could seamlessly integrate advanced networking and security capabilities, run multiple best-of-breed security services concurrently and deliver the required scale and performance with industry’s most optimized Total Cost of Ownership (TCO). With Fortinet, this organization will be able to protect up to one million students and has an effectively future-proofed investment that gives them the ability to turn on TLS inspection and Secure SD-WAN on their already deployed FortiGate infrastructure.
Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.