The Calgary Zoo says it is better equipped to fend off attacks from viruses, worms, Trojans and other intruders after deploying a new enterprise-wide security infrastructure.
According to Peter Cam, senior network administrator at the zoo, for several years the organization was satisfied with using a firewall it had bought from Nortel. “When we first purchased it, spam and Internet e-mail-based viruses weren’t the way (for viruses) to spread. Back then it was through floppy drives and other media rather than through the Internet.”
But that kind of protection is not adequate today, he said. “It had limited functionality….We weren’t able to stop [viruses and spam] before they got into our network. Our only prevention was the virus scanners on our machines, our PCs and servers.”
The zoo’s four-person IT department was tackling known virus problems at least once or twice a month, said Cam, adding that the random application errors or other types of computer failure the zoo was experiencing were “too frequent for a small IT department to handle.”
Meanwhile, performance and functional bottlenecks were causing frequent mail outages and preventing the zoo from implementing applications such as secure wireless access for staff and guests.
“It was spam that was causing our mail server to overload,” explained Cam. “We were totally unable to process the number of spams we had.” There were about 20,000 spam messages coming in every month, and users were spending “a massive amount of time trying to figure out what (e-mail) was good and what was not,” he said.
To top it all off, said Bob Gebert, the zoo’s manager of information systems, it was too difficult to find extra copies of the firewall boxes in case the zoo needed them.
“One time we had a failure on that firewall and we needed to get a replacement,” Gebert said. “The only place we could find one was in basement of someone’s house who used to work for Nortel — we tracked them all the way down in Salt Lake City….That’s when we realized we were in trouble.”
The zoo reviewed firewalls from SonicWall, Cisco and 3Com, and tested out SonicWall’s product for a month. “It was a very good product, darn good for the price, but it didn’t have a spam feature or good potential for VPN (virtual private networking),” Gebert said.
Then the IT team came across Sunnyvale, Calif.-based Fortinet’s FortiGate systems, an integrated set of security functions including antivirus, firewall, VPN, intrusion detection and prevention, content filtering, traffic shaping, and antispam. According to Fortinet’s Canadian country manager Graham Bushkies, the Fortinet platform is an ASIC-powered system that falls into a sub-market of firewall/VPN appliances, dubbed by Framingham, Mass.-based research firm IDC Corp. as the “unified threat management security appliance.”
These types of appliances are not meant to replace host-based antivirus products, Bushkies said, “because you still have notebooks going into LANs as well as USB devices that can transmit viruses.” However, he added, an appliance such as Fortinet’s can “stop threats right at the edge of the network,” and if someone introduces a threat from inside the network, “you can stop it from going out and infecting customers.”
After testing Fortinet’s platform for a month, the zoo chose the product because it was “taking out the intruders before it got into our systems at all,” said Gebert.
“After it was installed, our e-mail stats showed a drop of almost 60 per cent in the amount of incoming e-mail,” added Cam.
It took about half a day to get the product configured on the front end of the firewall, said Cam. He said he is happy with the fully integrated package, as well as the ease of use and ease of configuration the product offers.
About six months later, the zoo’s IT team decided that it needed additional protection for wireless access it was planning to offer for its internal staff, as well as in some of the venues it rents out to clients.
“Customers often want to get Internet access for presentations and download their PowerPoints, but we didn’t have an easy way to let them do that,” said Gebert. “They would have to bring their PC to us and we would do a viral scan, but we were hoping for the best because we were still open on the back end. So we wanted to secure both ends of the internal network, kind of put a firewall sandwich around it.”
The zoo started evaluating the FortiWiFi Wireless Series in March and formally started using it in April. Gebert said that it took about an hour, on average, to configure each of the access points.
With the Fortinet system customers can access the Internet through the firewall, both going out and coming back in, he said. “Only the people that come in that we know about can have access to it.” To protect wireless connections, the zoo uses encryptions, tries not to make wireless access availability too obvious to the general public, and uses password protection, which means passwords must be changed regularly.