In common with many organizations, Virgin Media’s firewall estate was no longer providing optimum performance. The Check Point and Nokia firewall infrastructure was aging; some hardware had been installed for almost a decade and needed refreshing. Firewalls were also not running the most up-to-date versions of code, which had a negative effect on both performance and security. Refreshing this aging firewall estate was a high priority for Colin Miles, UK Corporate Network Manager with Virgin Media. However, the project was far from straightforward.
“Because so much of our infrastructure was acquired and the original architects and documentation were long gone, we had a very limited knowledge of how the firewall rule bases had been built” explains Colin. “We knew that many of our firewall rules were probably redundant because the relevant applications had been migrated to another appliance. We wanted to migrate to new firewalls and up-to-date software but we didn’t want to waste time and money and undermine future performance by migrating legacy rules.”
Additionally, a specific cluster of firewalls in a data center was experiencing serious stability problems, which seemed to stem from the firewall rule base. “Check Point recommends a maximum rule base of around 350 rules in such an environment to retain optimum performance. We were running double that amount” confirms Colin. “The load on CPU and memory was just too much and we were experiencing frequent failures of service.” The impact on operations and on Colin’s team was immense. “We couldn’t make any changes to the firewalls during the business day” explains Colin, “so the burden on my team was immense.”
These stability and performance issues were having such an impact on day-to-day operations that the situation could not continue. Towards the end of 2008 Virgin Media turned to security partner Nebulas Solutions Group to source a more resilient, efficient firewall infrastructure.
Nebulas knew that Virgin Media’s problems were a result of unmanageable and inefficient firewall policies. By automating firewall operations, Virgin Media would not only eliminate its current firewall challenges, but would have a more efficient, cost-effective and secure process for ongoing firewall policy management.
“One of the reasons that Nebulas was awarded single security partner status was the value that they add with product analysis and testing” comments Colin. “They undertake physical technical reviews of products and let us use their lab facilities and work alongside their engineers. Nebulas Solutions’ views are based on product integrity not just whether they are resellers for a particular product.”
Using this process, Nebulas Solutions reviewed several products which could help Virgin Media tackle the unwieldy rule base and manage it more efficiently in the future. The rigorous, paper-based review showed that Tufin SecureTrack was the most suitable option and the subsequent technical trial proved highly successful. Tufin SecureTrack provided complete visibility into firewall operations via a unified user interface for efficient change tracking, risk analysis and optimization of firewall operations. It allowed Virgin Media to perform statistical analysis of the rule and object usage throughout their rule bases and clean up unused rules without disrupting business operations.
In Spring 2009, a trial Tufin T-Series appliance went into Virgin Media and immediately identified some fundamental issues. “15% of the CPU burden was being taken up by the least utilized 10% of the rule base” recalls Colin. “Just knowing this meant that we could quickly delete or amend the relevant rules and instantly resolve the stability issues.” Colin’s team deleted around 100 rules, which led to significant reductions in the amount of time they spent firefighting and hence further efficiency gains. “We could go back to making changes during the business day” states Colin, “without worrying that it would bring something down. I estimate that it’s given my team back about 30% of their day.”
Virgin Media is now planning the best way to use Tufin in the future. “After the physical refresh is complete we’ll be using it less intensively, but it will help us to keep our rule base efficient” explains Colin. “Virgin Media is an incredibly dynamic organization: user numbers vary hugely from one year to the next, with as many as 2000 applications running on the network at any one time. Tufin can help us to track and manage this.”
As a result of this highly successful project, Virgin Media awarded Nebulas Solutions a further project to replace a Cisco firewall estate inherited as part of the acquisition of Virgin Mobile with Check Point. The project will also involve Tufin’s SecureTrack for complete analysis of the complex inherited rule bases. This will allow Virgin Media to quickly and easily migrate optimized rule bases without the misconfigurations and security holes. In addition, this project marks a profound change in the relationship between Virgin Media and Nebulas. “We’ve worked with Nebulas Solutions for a long time, but we’ve never really utilized the full professional services package that they offer. This time we’re doing just that.”
What continues to impress Virgin Media about Nebulas is their agility and security expertise. “When I need a resource I need it now – not in a month” states Colin. “Nebulas Solutions are flexible enough to be able to respond straight away and with well thought out, strategic explanations or suggestions. I’m confident that this project will be very successful.”