With the objective of implementing a consistent enterprise-wide IT policy, Sterlite Technologies Ltd. recently deployed a firewall implementation with distributed threat management systems wedded to a home-grown, single-instance central policy control system. “A situation existed where even though a common pan-organization policy was being implemented, the interpretation was inconsistent across locations, leading to dilution of the IT policy,” says Jawed Ahmed, CISO at Sterlite Technologies.
Sterlite in its present avatar is an amalgamation of three different organizations. Having operated as independent units in the past, the support functions of these businesses — particularly IT — worked in isolation. In addition, from three locations in 2006, Sterlite had grown to 11 physical locations over the years.
Sterlite thus needed a robust solution for centralized single-instance control of unified threat management (UTM) devices — scalable, yet inexpensive. Previously, Sterlite used firewalls provided by vendors such as Fortinet. Sterlite’s infosec policy, framed by Ernst & Young in 2007, while robust, wilted under the challenge of implementation due to its dependence on local control. The firewall implementation was further spurred by the need for central control/logging and user mobility.
Requirements and resolution
A lack of suitable off-the-shelf solutions prompted Sterlite to develop an in-house firewall implementation — integrating high-end UTMs with a home-grown logging and control solution. No off-the-shelf solution offered true centralized policy control; those that claimed to still required changes to be made individually for each location.
Software development for the firewall implementation was done in-house by Ahmed and his team. “The rough edges were polished at the prototype stage itself, so no major issues were faced when the project went live,” explains Ahmed. Only hardware was procured from vendors.
Sterlite’s home-grown solution for its firewall implementation is based on shell scripts. It leverages the shell access that manufacturers provide to their UTMs through the secure shell (SSH) protocol. Using this access, configuration files can be downloaded, modified and uploaded. A central repository of configuration files is maintained at Sterlite’s Pune control center.
The system connects to individual firewalls every 20 minutes, and checks firewall configuration files’ timestamps against those on the central server, updating them as necessary. The firewall policies can be controlled and modified (using shell script) via a Web interface.
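As an added illustration of the sync loop described above (example code, not Sterlite’s script), a POSIX shell version of the 20-minute check: it fetches each UTM’s live policy file, compares it with the central copy, pushes when the central copy is newer, and flags configs that were edited locally. The repository layout, the on-device path, the host names and the root SSH user are assumptions.

```shell
#!/bin/sh
# Added example, not Sterlite's own script: the per-location check a central
# policy server could run from cron every 20 minutes. The SSH/SCP transport
# is kept in one function so the decision logic works on local files too.
# All paths, host names and the SSH user below are assumptions.

CENTRAL_REPO=${CENTRAL_REPO:-/srv/utm-policy}   # assumed layout:
                                                # $CENTRAL_REPO/<location>.cfg
REMOTE_CFG=${REMOTE_CFG:-/etc/utm/policy.cfg}   # assumed path on the UTM
LOG=${LOG:-/var/log/utm-sync.log}

mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }

# Compare the central copy with a fetched device copy and print a verdict:
#   up-to-date  identical content, nothing to do
#   push        content differs and central is at least as new: push policy
#   drift       content differs and the device copy is NEWER than central,
#               i.e. the config was edited locally, outside central control
classify_config() {
    central=$1 device=$2
    if cmp -s "$central" "$device"; then
        echo up-to-date
    elif [ "$(mtime "$device")" -gt "$(mtime "$central")" ]; then
        echo drift
    else
        echo push
    fi
}

# Fetch the live config, decide, log, and act. Central is the source of
# truth, so drift is corrected as well as logged for follow-up.
sync_location() {
    loc=$1 host=$2
    central="$CENTRAL_REPO/$loc.cfg"
    tmp=$(mktemp)
    scp -q "root@$host:$REMOTE_CFG" "$tmp" || { rm -f "$tmp"; return 1; }
    verdict=$(classify_config "$central" "$tmp")
    rm -f "$tmp"
    printf '%s %s %s\n' "$(date +%FT%T)" "$loc" "$verdict" >> "$LOG"
    case $verdict in
        push|drift) scp -q "$central" "root@$host:$REMOTE_CFG" ;;
    esac
}

# Placeholder location list; cron entry: */20 * * * * /path/to/utm-sync.sh run
if [ "${1:-}" = run ]; then
    sync_location pune       utm-pune.example.internal
    sync_location aurangabad utm-aurangabad.example.internal
fi
```

The drift verdict is the case worth alerting on: it is exactly the local reinterpretation of policy the centralized design set out to remove.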
The firewall implementation has a central policy common for all locations, as well as local policies per location, all centrally controllable. Viability of a working prototype of the proposed firewall implementation was established in July 2010, and hardware was procured and installed over an eight week period.
SonicWALL’s NFA3500 was the hardware selected for this firewall implementation. “A highly scalable solution, the NFA3500 can go up to 500 concurrent tunnels and support deep-packet inspection (DPI). It is lean, as it lacks bulky management software,” says Ahmed. These firewalls operate at the 11 locations without any redundancies. Discrete physical connections are in place, each with two pipes working in failover mode.
The backend runs on a Fedora 10 server. It doubles up as a syslog server and management server, which collects hourly firewall logs. The logs are then pushed to a round robin database (RRD). The RRD stores the log data and facilitates querying it for report generation.
Testing and implementation
The project commenced in July 2010. The entire firewall implementation took around eight weeks, and was fully operational by October 2010.
Getting the policy control solution to work smoothly became a challenge during the firewall implementation. For example, log files that were manageable in size during testing grew to humongous proportions in the enterprise environment — hogging WAN bandwidth. This problem was solved by compressing the log files — sometimes as large as 3 GB — before retrieval to the central server.
By the time the hardware was installed, the prototype had been successfully tested, making installation an out-of-the-box affair. For the first five weeks, the firewalls were run on their default configurations under local personnel. During this period, the firewalls were individually configured and control centralized.
Change management was another issue after the firewall implementation. Previously, the network infrastructure was managed locally. Enforcing central policies created administrative control issues. To deal with this, policies were enforced in a phased manner without being harsh from the outset.
Controls were gradually tightened over an eight week period. Change management involved new procedures for access provisioning and user training (with focus on best practices) imparted at all locations.
Expenditure and ROI
Cumulative capital expenditure for Sterlite’s firewall implementation was approximately Rs 25 lakh (Rs 2.5 million). The previous infrastructure has been completely replaced.
Teething troubles with the firewall implementation were overcome with constant tweaking, and the system has been stable for the last five months. Administrative manpower has been reduced from three dedicated staff to a single person who centrally manages the firewall implementation, and also handles other functions such as the mail server. According to Ahmed, ROI has already been achieved.
Having profiled traffic from different locations, monitoring is now essentially restricted to anomalous traffic. Only exception reports need to be tracked. For instance, Sterlite’s Aurangabad branch has a daily traffic of 4.5 GB. If traffic crosses 5 GB, the team is notified by email, for immediate investigation.
User satisfaction has increased after the firewall implementation, with standardization of quality of service. Bandwidth issues are largely a thing of the past, says Ahmed. With centralized policy cracking down on P2P and other bandwidth-intensive traffic, users enjoy much better connectivity.
Sterlite relies heavily on cloud applications such as Google Apps and Salesforce CRM, making Internet access critical. Improved response times have boosted productivity and the end-user experience. Sterlite plans to augment the firewall implementation with risk/vulnerability assessment and penetration testing exercises in the near future.
This was first published in June 2011