PA L O A LT O N E T W O R K S : C u s t o m e r P r o f i l e
Management & Training Corporation Lowers Costs,
Improves Network Security and Performance, With
Palo Alto Networks® Next-Generation Firewalls
BACKGROUND
Founded in 1981, Management & Training Corporation (MTC) is a privately-held
company headquartered in Centerville, Utah. MTC successfully operates Job Corps,
corrections, medical, and international and domestic workforce development
contracts serving disadvantaged populations. MTC’s track record of integrity,
leadership, performance, and innovation has made it the U.S. Department of
Labor’s largest Job Corps operator, and the third largest operator of private
adult correctional facilities.
PREPARING PEOPLE TO ENTER THE WORKFORCE
Management & Training Corporation (MTC) operates over 20 job centers and
manages correctional facilities for the government. Every day, its 9,400 employees
in 20 states and the District of Columbia provide job training, education and
medical services to underserved and prison populations. In addition to preparing
people to join the workforce, MTC keeps the IT networks at numerous correctional
facilities running smoothly for 1,600 users.
At its headquarters in Utah, MTC had site-to-site Virtual Private Network (VPN)
tunnels routing its Internet traffic through a redundant network, with data
replication from server to server. The company’s network consisted of Cisco 5540
Adaptive Security Appliances (ASA) firewalls, a Juniper Networks Intrusion
Prevention System (IPS), and web filtering from Websense. MTC also maintains
an off-site disaster recovery location in Boise, Idaho.
To perform their jobs, MTC staff use the Internet and common applications such
as email, financial applications, and others. High volumes of scanned documents
pertaining to inmates are transmitted over the network, and a proprietary application
for inmate scheduling is widely used. Access to social media is blocked for all
employees, except for executives or specific individuals that need access for
work purposes.
HIGH COSTS, SPOTTY PERFORMANCE, NEW THREATS
The high cost of maintaining its network, combined with the need to keep pace
with the changing threat landscape, led MTC to re-examine its network design.
“We had issues at times with unreliable VPN connectivity, and also with consistent
Active Directory user mappings for web filtering,” says Brian Goodwin, Network
Security Administrator, MTC. “The Palo Alto Networks solution has been a
solid fit for our company, and has increased our company services uptime with
regards to VPN connectivity and web filtering.”
ORGANIZATION:
Management & Training Corporation (MTC)
INDUSTRY:
Training and IT Services
CHALLENGE:
• Gain visibility into network to safely enable
application access, heighten security, improve
performance and reduce costs.
SOLUTION:
•Palo Alto Networks PA-5020 and PA-200
Series next-generation firewalls, with threat
prevention and URL filtering, for granular
visibility of threats and better control of
Internet applications.
RESULTS:
• Increased application visibility and control
•Improved security and network reliability
•Lowered capital costs $14,000 and
maintenance costs $3,000 per year
•Will achieve ROI on purchase of firewalls
in just three years
•Enabled flexible application usage policy
by user
PA L O A LT O N E T W O R K S : C u s t o m e r P r o f i l e
“The Palo Alto Networks
firewall is a really solid
product that performs very
well. The visibility is great,
the technologies are easy
to use and the customer
support is stellar.”
Brian Goodwin
Network Security Administrator
Management & Training
Corporation
The licensing fees charged by Websense added more financial burden. “Websense’s
costs were really high, and you have to pay per user whether you block or not,”
says Goodwin. “Also, people moving around and changing IP addresses caused
Websense to break all the time.” These issues, and others, led MTC to reconsider
the expense of Websense.
Additional network issues arose from the evolution of threats. “In the past, viruses
could take you down, but now botnet, spyware, and malware type stuff are main
concerns,” says Goodwin. “Our incumbent system lacked the visibility to meet
these new risks.”
ONE FIREWALL CANDIDATE GETS THE JOB
Goodwin and his team evaluated their network and decided to implement smaller
firewalls that could filter and route Internet traffic directly through their local
Internet connection, and not NAT remote site traffic through their corporate office.
MTC did its due diligence on firewall options. “We queried a lot of customers
about their experiences with Fortinet, Check Point, Juniper Networks, Cisco,
and Palo Alto Networks,” says Goodwin. “Palo Alto Networks customers all had
very favorable experiences to relay.”
Palo Alto Networks next-generation firewalls safely enable applications, users,
and content through innovative, tightly integrated technologies and services.
The firewalls determine an application’s identity and classify it across all ports.
Next, the application and user are assigned a safe enablement policy, which
applies to all users and protects the network against all type of threats from the
application­­—both known and unknown.
MTC put the Palo Alto Networks PA-5020 firewall head-to-head against Fortinet,
Juniper Networks, Websense, Check Point, and Dell SonicWALL. “The Palo Alto
Networks box gave real visibility into the network right away,” says Goodwin.
“It wasn’t the cheapest, but when you factor in all it does, and that it can handle
remote locations, it’s a good price.” The PA-5000 Series of next-generation firewalls
protects datacenters, large enterprise Internet gateways, and service provider
environments where traffic demands require predictable, high-speed next-generation
firewall and threat prevention at throughput speeds of up to 20 Gbps.
According to MTC, the other solutions couldn’t compete with the Palo Alto
Networks PA-5000 Series. “With Check Point, the licensing model was horrible,
with multiple line items that often did not make sense,” says Goodwin. “Palo
Alto Networks licensing model is very simple and easy to license devices and
software features. Check Point’s smaller branch office firewalls were very expensive
compared with the Palo Alto Networks PA-200 model. Customers of Fortinet
mentioned its price, but then they always had a ‘but’ to add, which deterred us.
Their users usually liked the products, but had some bad experiences with some
of the built-in services.”
PAGE22
PAGE
PA L O A LT O N E T W O R K S : C u s t o m e r P r o f i l e
“In one solution we get a
firewall, web filtering and
MTC estimates that Check Point and Fortinet would cost $14,000 more than Palo
Alto Networks, and Websense and Cisco were even more expensive. “Palo Alto
Networks was less in capital costs than our Websense, Juniper, and Cisco products
combined, and we’d also save $3,000 annually on maintenance,” adds Goodwin.
“Also, Palo Alto Networks active/passive configuration is very quick to converge on
the network and is very reliable.” MTC also recognized that the PA-5000 Series’
superior network visibility would deliver the enhanced security desired.
IPS, plus all our traffic
passes through one device
where we can see everything.
We definitely have a better
security model in place now,
and are on track to save
$14,000 on our previous
hardware and subscriptions,
and $3,000 per year on
maintenance and support.”
Brian Goodwin
Network Security Administrator
Management & Training
Corporation
THE NEXT-GENERATION FIREWALL GOES TO WORK
MTC purchased two PA-5020 firewalls to serve as its core firewall devices, and
deployed 16 PA-200 firewalls to date at its remote sites. This improved Internet
access performance at its remote site locations, and enabled MTC to manage
its web policies through Panorama - Palo Alto Networks central management
software. Panorama allows organizations to easily manage a distributed network
of Palo Alto Networks firewalls from one centralized location.
MTC will deploy an additional six to 10 PA-200s at the remaining sites it manages
near the end of the year. For its disaster recovery location, MTC purchased a
PA-3020 to handle its network load and throughput. The PA-200 delivers visibility
and control over applications, users, and content into enterprise branch offices.
Each Palo Alto Networks firewall comes with URL filtering, IPS, and antivirus
already built in. “We’re using the PA-5020 and the PA-200 series firewalls as
a Layer 3 firewall, router, IPS—everything,” says Goodwin. “This has really
improved our network performance across the WAN.” MTC uses the Internet
as a WAN backbone to connect to all of its business locations, and AES256 for
security encryption for VPN tunnels. “VPN configuration is very easy with Palo
Alto networks,” says Goodwin.
MTC is also testing the Palo Alto Networks VM-100 virtual firewall. The
VM-Series protects virtualized datacenters and ‘East-West’ traffic, and delivers up
to 1 Gbps firewall throughput with Palo Alto Networks App-ID enabled. “We
want to virtualize anything that makes good business and operational sense,”
says Goodwin. To more easily manage its firewalls, and for additional security,
MTC added Panorama and Wildfire from Palo Alto Networks. “All Palo Alto
firewalls in our organization are managed by Panorama,” says Goodwin. “We
are looking forward to the benefits of Panorama in terms of making more efficient
use of our time and resources in managing our firewalls.” WildFire provides
integrated protection from advanced malware and threats by proactively identifying
and blocking unknown threats commonly used in modern cyberattacks.
MTC is migrating all of its policies from BrightCloud web filtering to Palo Alto
Networks PAN-DB URL Filtering. “PAN-DB has fewer categories to deal with
in setting up web filtering policies, is more dynamic in nature, and is more accurate
in its classifications,” says Goodwin.
PAGE 3
PA L O A LT O N E T W O R K S : C u s t o m e r P r o f i l e
RAVE JOB REVIEW
MTC has achieved all of its goals in moving from Cisco to Palo Alto Networks
next-generation firewalls. “Now, with the visibility of the PA-5000 Series, we
can isolate our traffic and remediate it,” says Goodwin. “In one solution we get
a firewall, web filtering, and IPS, plus all of our traffic passes through this one
device, so you have a good handle on what’s traversing your network. We also
used to have weird tunnel issues and random connectivity problems, but now
our network is more secure and stable.”
Goodwin is confident that Palo Alto Networks has increased the security level
of MTC’s network. “We definitely have a better security model in place now
than we did with Cisco,” he says. “We have visibility and control over users and
applications, and the VPN capabilities and web filtering are solid.”
Choosing Palo Alto Networks firewalls has allowed MTC to move away from
its costly, redundant network, improve network security and further virtualize
its environment. MTC is also pleased with how easy it is to use Palo Alto
Networks solutions. “Their licensing model is awesome,” Goodwin says. “It’s so
easy to register devices and pull down codes, and the license portal is fantastic.”
Future plans at MTC include bringing the benefits of Palo Alto Networks to its
off-site disaster recovery location. “The Palo Alto Networks firewall is a really
solid product that performs very well,” says Goodwin. “The visibility is great,
the technologies are easy to use, and the customer support is very good. I highly
recommend it.”
Copyright ©2013, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks,
the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of
Palo Alto Networks, Inc. All specifications are subject to change without notice.
Main:+1.408.753.4000
Palo Alto Networks assumes no responsibility for any inaccuracies in this document
Sales:
+1.866.320.4788 or for any obligation to update information in this document. Palo Alto Networks
Support:+1.866.898.9087
reserves the right to change, modify, transfer, or otherwise revise this publication
without notice. PAN_CS_MTC_081513
www.paloaltonetworks.com
4301 Great America Parkway
Santa Clara, CA 95054
Download PDF
Similar pages