Business & Technology
An IT security infrastructure built to protect a government is incredibly complex. Using the right tools is essential in enabling staff to effectively and efficiently develop and maintain that infrastructure.
The government was in the midst of an initiative to consolidate IT services across its distributed data center infrastructure. The scale of the initiative was immense. The government employs hundreds of thousands of workers, who regularly use thousands of applications.
Protecting systems on this scale required a revamp of the network’s security infrastructure. The government’s IT services organization launched a request for proposals (RFP) with hundreds of mandatory technical requirements, including advanced threat protection, sandboxing, intrusion detection and prevention system (IDPS), and secure web gateway capabilities. The new solution also needed to streamline management and provide visibility into security events throughout the government.
Solutions that met these extensive technical requirements had to demonstrate they could perform at scale. Firewalls needed to support 100 Gigabit-per-second (Gbps) secure sockets layer (SSL) throughput, while maintaining millions of concurrent connections and hundreds of thousands of new sessions per second. They were also required to support up to 100 virtual domains (VDOMs) for segmentation.
FortiGate next-generation firewalls (NGFWs) and the other Fortinet products provided all the requisite security features, so Fortinet submitted a proposal and participated in a proof of concept (POC).
The solution Fortinet developed for the POC consists of a stack of clusters, each with four FortiGate NGFWs. Load-balancing capabilities enable the infrastructure to support smaller deployments with 40 Gbps, but also to scale up to 100 Gbps when an agency requires that much bandwidth. A FortiWeb web application firewall (WAF) manages internet traffic, and the NGFWs route suspected threats to a FortiSandbox cluster.
In the POC, Fortinet enabled every feature of the NGFWs, including sandboxing and full event logging. Fortinet also enabled a new IP reputation capability, through which the NGFW compares IP addresses for all traffic against the Fortinet IP Reputation database. The NGFW denies network access for any traffic from a low-scoring IP address, unless administrators have whitelisted the address.
With all these features running, the Fortinet solution met the government’s rigorous performance requirements, distributing 100 Gbps of SSL traffic evenly across the stack while demonstrating exceptional security capabilities. The incumbent solution, from another vendor, also met the RFP’s technical requirements. However, it had difficulty matching the performance of the Fortinet solution with all the requisite security features enabled. These results, combined with a compelling TCO, led the government to opt for the Fortinet solution.
The government’s IT services organization has deployed the Fortinet solution across multiple data centers, and it continues to expand the scope of the installation. To manage its geographically dispersed security infrastructure, the organization uses the Fortinet Fabric Management Center, which consists of the FortiManager centralized management solution and the FortiAnalyzer analytics and log management solution.
The FortiManager solution—deployed in each data center—provides the level of automation necessary to configure and control the large-scale security infrastructure. A Fortinet services team used the powerful FortiManager scripting capabilities to develop more than 50 different scripts for the government’s infrastructure. One simple script builds out an entire data center tenant, including creating the VDOMs and mapping the interfaces in all the NGFWs. Doing this manually would be incredibly time-consuming.
A FortiAnalyzer cluster in each data center provides insights into threats and vulnerabilities throughout the security infrastructure. It also provides customized reporting—based on complex queries developed by the Fortinet services team—to meet the highly specific requirements of the government’s IT services group.
Meanwhile, the FortiWeb WAF provides common vulnerabilities and exposures (CVE) and Open Web Application Security Project (OWASP) dashboards. If a new strain of malware emerges and the government wants to know whether it has appeared in agencies’ traffic, government IT staff can quickly find out via the CVE dashboard.
The IT organization’s security infrastructure project was successful in large part because of the concerted effort on the part of all team members. The government’s intensive POC process ensured that the Fortinet solution would meet its security and performance needs. During implementation, the Fortinet services team helped the IT organization leverage the automation capabilities within the Fabric Management Center, which is making it easier for staff to protect the huge government infrastructure.
Learn more about how Fortinet’s Fabric Management Center enables enterprise-class automation capabilities while helping network leaders realize industry-leading benefits like improved efficiency, reduced risk, and decreased TCO.
Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.