How Cisco IT Deployed Cisco Firewall Services Modules at Scientific Atlanta

Similar documents
How Cisco ASR 1000 Enables Cisco Business Strategies by Providing Capacity and Resiliency for Collaborative Applications

How Cisco IT Deployed Enterprise Messaging on Cisco UCS

How Cisco India Simplified VoIP and PSTN calls with Logical Partitioning for Cisco Unified Communications Manager

High Availability WAN

Sony Adopts Cisco Solution for Global IPv6 Project

How Cisco IT Simplified Network Growth with EIGRP

University Lowers Barriers, Fortifies Security with Virtualization

How Cisco IT Is Accelerating Adoption of IPv6

How Cisco Expedites IT Integration of an Acquisition

Truffle Broadband Bonding Network Appliance

How Cisco IT Migrated TDM Local Access from SONET to OC-192 Infrastructure

Water Provider Relocates, Modernizes Data Center

Contact Center Migration to UCS

Never Drop a Call With TecInfo SIP Proxy White Paper

Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ

Citrix NetScaler LLB Deployment Guide

Using Lancope StealthWatch for Information Security Monitoring

Table of Contents Table of Contents...2 Introduction...3 Mission of IT...3 Primary Service Delivery Objectives...3 Availability of Systems...

How Cisco Multilayer Director Switch Operates with Other SAN Switches During SAN Migration

How Cisco IT Introduced Cisco Jabber

CASE STUDY GLOBAL CONSUMER GOODS MANUFACTURER ACHIEVES SIGNIFICANT SAVINGS AND FLEXIBILITY THE CUSTOMER THE CHALLENGE

WAN VPN Solutions. How Cisco Uses VPN Solutions to Extend the WAN. A Cisco on Cisco Case Study: Inside Cisco IT

MIPv6: New Capabilities for Seamless Roaming Among Wired, Wireless, and Cellular Networks

Financial Services Company Improves Communication with Cisco Unified Communications

Avaya Aura Scalability and Reliability Overview

SMARTER, SIMPLER NETWORKING

Stateful Failover Technology White Paper

EVERYTHING YOU NEED TO KNOW ABOUT NETWORK FAILOVER

PIX/ASA/FWSM Platform User Interface Reference

Investor Presentation. February 2016

How Cisco IT Upgraded Intrusion Prevention Software to Improve Endpoint Security

Transitioning to Symyx

INNOVATION MINDSET DRIVES THE MOVE TO REPLACE MPLS WITH INTERNET SD-WAN

Top-Down Network Design

Ethernet Wide Area Networking, Routers or Switches and Making the Right Choice

MAN Architecture. How Cisco IT Architected Headquarters MAN. A Cisco on Cisco Case Study: Inside Cisco IT

ALCATEL Edge Services Router

Reaping the Benefits of Managed Services

WHITE PAPER ARUBA SD-BRANCH OVERVIEW

Case Study Parc de Vilgénis College

Cisco Cisco Sales Expert. Practice Test. Version

Case Study: Cisco Converges PSTN and VoIP Infrastructure in India for Increased Productivity and Lower Cost

How Cisco IT Upgraded Intrusion Detection to Improve Scalability and Performance

Logical Network Design (Part II)

CIO Update: Security Platforms Will Transform the Network Security Arena

Network Service Description

Vendor: Cisco. Exam Code: Exam Name: Cisco Sales Expert. Version: Demo

Seamless Cloud Connectivity. for your business

Technical Document. What You Need to Know About Ethernet Audio

How Cisco Deploys Video Conferencing for Employee Collaboration

VeloCloud Cloud-Delivered WAN Fast. Simple. Secure. KUHN CONSULTING GmbH

SD-WAN Transform Your Agency

How Cisco IT Built Local Access Ring at Headquarters

Cloud Leased Line (CLL) for Enterprise to Branch Office Communications

Logistics Company Improves IT Uptime and Management

NetVanta Business Networking Solutions

Community College LAN Deployment Guide

India Operator BNG and IP Router

Meraki 2014 Solution Brochure

Community College LAN Design Considerations

THE CUSTOMER SITUATION. The Customer Background

Seven Criteria for a Sound Investment in WAN Optimization

WHITE PAPER. Monitoring Converged Networks: Link Aggregation

Deploying Gigabit Ethernet to the Desktop: Drivers and Applications

Introducing Campus Networks

Firewalls for Secure Unified Communications

NOAA TICAP. Robert Sears NOAA/OCIO/SDD/N-Wave

Security and Reliability of the SoundBite Platform Andy Gilbert, VP of Operations Ed Gardner, Information Security Officer

SD-WAN. Managed Services. Expereo SD-WAN Managed Services Overview.

Dynamic WAN Selection

IPv4 Firewall Rule configuration on Cisco SA540 Security Appliance

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

CCNP Switch Questions/Answers Cisco Enterprise Campus Architecture

6 Key Factors to Consider When Choosing a Transparent Caching Solution

WHY NETWORK FAILOVER PROTECTION IS A BUSINESS NECESSITY

Why Vyatta is Better than Cisco

Unified Communications VoIP Routing/Switching Security 3G Wi-Fi. NetVanta Business Networking Solutions

GUIDE. Optimal Network Designs with Cohesity

RingCentral White Paper UCaaS Connectivity Options in the New Age. White Paper. UCaaS Connectivity Options in the New Age: Best Practices

Data Center Operations Guide

Cisco SCE 2020 Service Control Engine

SIP Trunks. The cost-effective and flexible alternative to ISDN

Migration Technologies. Dual Stack and Tunneling Using GRE, 6to4, and 6in4.

COURSE PROJECT SEM ATTENTION ALL ADVANCED DIPLOMA & BACHELOR STUDENTS

How Cisco IT Improved Development Processes with a New Operating Model

How Cisco IT Designed a Separate Network to Test Cisco Alpha Equipment

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Cisco 4000 Series Integrated Services Routers: Architecture for Branch-Office Agility

University of British Columbia

IP Telephony Migration Options

ZyXEL supports the growing IT demands of Highdown School and Sixth Form Centre

WHITE PAPER A10 SSL INSIGHT & FIREWALL LOAD BALANCING WITH SONICWALL NEXT-GEN FIREWALLS

6WINDGate. White Paper. Packet Processing Software for Wireless Infrastructure

Branch Redefined: Enabling the Distributed Enterprise with SD-WAN

X.25 Substitution. Maintaining X.25 services over a fully supported NGN/IP infrastructure. The Challenge. How it Works. Solution

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

TECHNICAL BRIEF. 3Com. XRN Technology Brief

Intel Network Builders Solution Brief. Etisalat* and Intel Virtualizing the Internet. Flexibility

Simplify IP Telephony with System i. IBM System i IP Telephony

Intermedia. CX-E Cloud Hosting Provider. Introduction. Why Intermedia for CX-E Cloud? Cost of Ownership

Transcription:

How Cisco IT Deployed Cisco Firewall Services Modules at Scientific Atlanta Deployment increases network security, reliability, and availability. Cisco IT Case Study / Security / Firewall Services Module: This case study describes Cisco IT s internal deployment of the Cisco Firewall Services Module (FWSM) within the network of the former Scientific Atlanta company, which was acquired by Cisco in February 2006. Cisco customers can draw on Cisco IT's real-world experience in this area to help support similar enterprise needs. The failover capability of the Cisco FWSM is seamless and nearly instantaneous. We could lose several ports in the primary module and never notice it because the transition to backup occurs so quickly. Kelly Alexander, Network Architect, Cisco Information Security Group BACKGROUND On November 18, 2005, Cisco announced its acquisition of Scientific-Atlanta of Lawrenceville, Georgia. Scientific Atlanta is a leading global provider of set-top boxes, end-to-end video distribution networks, and video systems integration. The acquisition allows Cisco to offer a world-class, end-to-end data, voice, video, and mobility solution for carrier networks and the digital home. With the addition of Scientific-Atlanta technologies, the Cisco IP Next Generation Network architecture offers providers an open platform for service differentiation, allowing them to move beyond digital video/iptv to develop and deliver a variety of integrated media services in the connected home. CHALLENGE As with every Cisco acquisition, the network of the organization being acquired must conform with and become integrated into the larger Cisco worldwide network. In the case of Scientific-Atlanta, this meant integrating a network that supported 7500 employees worldwide. The company s headquarters location consisted of a five-building campus with approximately 2000 employees. Another 15 sites were scattered around the globe, including a manufacturing facility in Mexico. Scientific-Atlanta s network infrastructure, including firewalls, was built on equipment from non-cisco vendors. In an effort to conform fully to Cisco IT standard architecture and design principals, plans were drawn to replace and upgrade non-cisco equipment. Among the highest priorities for replacement were the firewalls, which would no longer be supported by the supplier in less than six months. Before being acquired, Scientific-Atlanta had planned to upgrade the firewalls with the latest product version from the same equipment vendor. Once part of Cisco, Scientific Atlanta committed to replace the firewall devices with a Cisco solution. All contents are Copyright 1992 2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 6

EXECUTIVE SUMMARY BACKGROUND Cisco announced its acquisition of Scientific-Atlanta of Lawrenceville, Georgia. CHALLENGE Scientific-Atlanta s network infrastructure, including firewalls, was built on equipment from non-cisco vendors. Scientific-Atlanta s firewalls would not be supported by the supplier in less than six months.. SOLUTION Cisco standardized the deployment of firewall solutions across its worldwide network, using the Cisco Firewall Services Module (FWSM) for its largest sites. RESULTS The deployment of Cisco FWSMs within the Scientific-Atlanta network has provided conformity to Cisco IT standards. From an operational standpoint, the reliability and availability of the FWSMs is far superior to the previous firewall solution. LESSSON LEARNED Due to the architectural differences between the old firewalls and the Cisco firewalls, it was necessary to convert the existing rule sets for the new firewalls. SOLUTION In 2005, Cisco standardized the deployment of firewall solutions across its worldwide network, using the Cisco Firewall Services Module (FWSM) for its largest sites. We chose the Cisco FWSM for our larger sites, which provide both Internet and VPN connectivity, says Julie Nordquist, program manager for Next-Generation Corporate Firewall project. Smaller Internet connectivity sites continue to use Cisco PIX security appliances. (Refer to http://www.cisco.com/web/about/ciscoitatwork/security/enterprise_firewall_protection.html for a case study on the evaluation and selection of Cisco FWSM for large Cisco sites.) Considering the size of the Scientific-Atlanta network and anticipated growth, we decided that Cisco FWSM was the best solution, says JJ Kim, the lead network engineer for the architecture and design of the DMZ network integration at Scientific- Atlanta. Key advantages of the Cisco FWSM include: Outstanding performance with aggregate throughput of 5 Gbps and the ability to combine up to four FWSM blades into a single Cisco Catalyst switch to support throughput of 20 Gbps, making it the fastest and highest-performing firewall available Deep-packet inspection without significant performance degradation Transparent-mode support for enhanced system integration and security Multiple-Context mode support to create multiple logical firewalls, resulting in a high return on investment Seamless integration with the rest of the network and conformity to Cisco IT standard architecture and design principles NEXT STEPS Savings in total cost of ownership Once the Multiple-context Transparent mode standard is approved, the data center firewalls at Scientific Atlanta will be converted from Single-context PLANNING AND IMPLEMENTATION Routed mode to Multi-context Transparent mode. It took many weeks of planning and design to formulate a deployment plan for the new firewalls at the headquarters campus. Cisco spent several weeks testing traffic flow, throughput, and response times. To test rule sets, the implementation team created a test subnet. Using a traffic generator, the team sent traffic based on those rules. The process was carried out for both internal and external DMZ traffic. The failover capability was also tested. At the time of the acquisition, the headquarters campus had two DMZ backbone gateways, two ISP gateways managed by separate ISPs for diverse routing, and three pairs of firewalls (active and standby) securing the Engineering Lab LAN (referred to as ENG in Figure 1 below), the corporate LAN (CORP), and the data center (DMZDC) that supports Scientific-Atlanta s e-commerce applications. Internet connectivity was provided through two redundant ISPs, an arrangement that was retained. All contents are Copyright 1992 2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 6

Figure 1. Legacy Firewalls at Scientific-Atlanta In the new Cisco-based DMZ infrastructure (see Figure 2), the two backbone gateways (DMZBB) were replaced with two Cisco Catalyst 6509 Layer-3 switches. Scientific-Atlanta took over the two ISP gateways and replaced their routers with high-performance Cisco routers. Finally, the CORP and DMZDC firewalls were replaced with Cisco FWSM modules after moving the Engineering LAN inside the corporate LAN to do away with the need for a third pair of firewalls. Figure 2. Cisco FWSM Deployment at Scientific-Atlanta The two corporate firewalls are planned to be deployed as a high-availability pair and configured in Transparent mode, the Cisco IT corporate firewall standard, with an inside and an outside interface (see Figure 3). This design allows separation of security and routing. Routing will be handled by neighboring router devices, not by the Cisco All contents are Copyright 1992 2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 6

FWSM units themselves. The firewalls will be dedicated for packet inspection with an IP address assigned for management purposes only. The firewall interfaces will be Layer-2 interfaces in Transparent mode, so the firewall will be hidden in the data path from a Layer-3 perspective. Figure 3. Corporate Firewall at Scientific-Atlanta For the DMZDC firewall configuration (see Figure 4), the design team chose to deploy the high-availability pair of firewalls in Routed mode because, unlike the corporate firewall, it must support more than two interfaces. For the present, the firewall has three types of interfaces: inside, outside, and DMZ. However, Multiple-context transparent mode is being considered as a firewall standard for the data center. This mode provides the ability to partition firewalls into as many as 256 virtual firewalls, creating a very secure data path and separation of data packets. Figure 4. DMZDC Firewall at Scientific-Atlanta All contents are Copyright 1992 2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 6

RESULTS The deployment of Cisco FWSMs within the Scientific-Atlanta network has provided conformity to Cisco IT standards and seamless integration with the rest of the Cisco global network. FWSMs also offer superior performance and capacity for future growth. In addition, it has reduced the total cost of ownership for Cisco IT by increasing manageability of the firewalls at the Scientific-Atlanta campus. Because the firewalls are housed in Cisco Catalyst 6500 Series switches, additional network services can be easily deployed using the switch s service modules. This results in a higher return on investment for Cisco IT. From an operational standpoint, the reliability and availability of the FWSMs is far superior to the previous firewall solution. The failover capability of the Cisco FWSM is seamless and nearly instantaneous, says Kelly Alexander, network architect with Cisco in Atlanta. We could lose several ports in the primary module and never notice it because the transition to backup occurs so quickly. It all takes place at Layer 2 between the switches. We ve never seen a failover occur in the eight months since the FWSMs were installed. LESSONS LEARNED Cisco IT learned some important lessons that can facilitate the migration from non-cisco firewall products to Cisco FWSMs. Due to the architectural differences between the old firewalls and the Cisco firewalls, it was necessary to convert the existing rule sets for the new firewalls. The tool used to perform this conversion was not as helpful as had been expected due to the complexity of the existing rules. As a result, all rule sets had to be manually inspected and converted to the appropriate format for the Cisco FWSMs. This process was time consuming, but it presented an opportunity to review the security policy, allowing rules to be removed that were no longer relevant and keep the rule sets current. NEXT STEPS The firewalls for Scientific-Atlanta s data center are currently deployed in Routed mode. This is a short-term solution as Multiple-context Transparent mode is currently under evaluation and is expected to become a Cisco IT global standard in the near future. Once the new standard is approved, the data center firewalls at Scientific Atlanta will be converted from Single-context Routed mode to Multi-context Transparent mode. All contents are Copyright 1992 2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 6

FOR MORE INFORMATION To read the entire case study or for additional Cisco IT case studies on a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT www.cisco.com/go/ciscoit NOTE This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described; Cisco does not guarantee comparable results elsewhere. CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties, therefore this disclaimer may not apply to you. All contents are Copyright 1992 2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 6 of 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback