Staring at an entanglement of network cables and power cords was enough to give Weather Channel network architect John Penrod a case of heartburn. The cure: a firewall sandwich, naturally.
That's what Penrod called his plan for adding capacity and efficiency to the Norfolk, Va.-based 24-hour cable television network's firewall infrastructure. Penrod was given the task of consolidating racks of servers and load balancers in order to save money and ease the load on his relatively small IT staff in managing perimeter protection for Weather Channel's corporate network.
"We were running Check Point firewalls, one active and one passive," Penrod said. "One handled all our traffic, the other was a failover. One was always operating at peak, the other was doing nothing."
Penrod had a mandate to increase the capacity of the existing firewall infrastructure and save some money at the same time. He decided he needed to drop a firewall between the network and the load balancers and began evaluating software from Foundstone, Netscreen and Entercept. He agreed on a purchase order with one, which he declined to identify. Penrod said an engineer on his staff then recommended he look at Crossbeam Systems Inc.'s X40 Total Firewall Solution.
The Crossbeam offering is a security appliance running a Check Point FireWall-1 engine on 10 application processing modules (APMs). The X40 would enhance performance by introducing gigabit speed to the network, and its blade architecture would save on floor space and trim management costs, Penrod said.
The Weather Channel firewall infrastructure features six blades, Penrod said, four firewalls and two intrusion detection systems.
"Before Crossbeam, if one of the four firewalls went down, we had no options unless we'd rebuild it," Penrod said. "With this kind of blade architecture, if one of the four firewalls goes down, we can reboot one of the IDS boxes as a firewall. It's all in one rack."
Penrod evaluated the X40 and soon canceled the previous purchase order, he said. "It just works. It allows gigabit speed into the box and it does load balancing and fault tolerance."
The X40's front-end Network Processing Modules (NPMs) handle load balancing and distribute traffic to the APMs. The NPMs and APMs are unaddressable and do not respond to port scans, making them impervious to many forms of malicious code. Crossbeam said the initial packet examination happens here, freeing the firewall to do more processing.
Penrod reports no major difficulties with the X40, and admitted that he went on faith in his engineer in evaluating the X40 and deciding to bring it in-house.
One more plus is its Linux compatibility. Linux is big in the Weather Channel infrastructure and Penrod said he used open-source software tools like NFS for file sharing and Netboot for system configuration.
As integrated security appliances like Crossbeam gain more enterprise acceptance, implementers do have to consider that they could introduce a single point of failure. Penrod and his superiors recognized this fact and ordered a second Crossbeam chassis. "We did it to convince the decision makers and convince me too," Penrod said. "This way, we duplicate everything."
Penrod also pointed out that Weather Channel has lowered its total cost of ownership.
"We have lowered maintenance costs and there are no additional hardware costs," Penrod said.
The end result, Penrod said, is that the Weather Channel has escaped the rash of Internet attacks over the past year since implementing the Crossbeam system.
"We have not been hit with a single thing," he said. "We are a big target."