the myIT blog

How smart is your firewall?

Recently I had to find a needle in a haystack for a client: a small, inexpensive branch router that would let me easily provide reports and insight into a network while also adequately protecting it, keeping VPN connections up AND properly grooming Internet and VPN traffic, classifying it and prioritizing it. This is all somewhat easy except for the traffic shaping part. First there is shaping, then there is shaping within a tunnel. There is also the tougher part of making the reporting simple and easy enough to look at for the non-technical user. We needed a simple "google-like" interface. This way, when we push adoption of the technology within the corporate structure on a wide scale, we can "show" the people who allocate budgets and guide their business, who might not be highly technical or CIO types. Don't take this wrong, but if your enterprise is a small healthcare or insurance company, that's what they know, and they turn to firms like ours to demystify the technical part of things.

So here is what we did: we installed 4 networks, all 3 or more hours (one-way drive) from the main headquarters. Once we did that we connected them all with these smart routers, turned on PC, mobile device, anti-virus and firewall protection (also cloud managed), set the PCs up with Google Apps and migrated all user email. Once the remote branches were all visible to us, we connected them via VPN and set up the traffic shaping. One site has a VoIP PBX (www.sipfoundry.org) and SIP trunks to a suitable ITSP. The other three sites use that same phone system back at the main PBX host site.

Why didn't we cloud host the phone system? It didn't make sense fiscally. Hosted services for an organization this size start (basic options) at 500.00 per month, and to get what they really needed with some feature sets (conference calling, etc.), 750.00 or so, based on the number of users. So putting in a system made sense, because "operating" it costs so much less than you think.

We can see the PCs, mobile devices, wireless network, Internet traffic and in general how they use the Internet connection. We also block certain traffic by category (any category you wish to specify that might lend itself to wasting productivity, or that might make it harder for a problematic employee to keep their eyes off unsuitable material using the company's resources). We've found that by blocking non-essential categories that can keep HR's hands full if used, people stay gainfully employed, and it also eliminates embarrassment and potential harassment or "hostile workplace" lawsuits.

The firewall is smart enough to track this data AND store it offsite. It also monitors the state of the network connections and informs us from the outside in if there is an extended outage. The routers are managed from a cloud portal and also eliminate any possibility that you deploy a firewall rule that locks you out of that router. VERY helpful, especially if there are multiple people managing it and someone says "uh oh".

The customer can see all of this data at any time (it's their network) and let you manage it or they can do it themselves if they have the desire to do so.

We don't find that simply "prioritizing ports" and things like that work anymore. In this instance we can prioritize SIP (voice) but NOT FaceTime or iChat (not how this business communicates). It knows the difference between surfing Netflix's website AND streaming a video from Netflix. It knows Vocera, Skype, and more. It knows Rhapsody, iTunes, Dropbox, Carbonite, Pandora and dozens of other "protocols". So it's "smart" because it knows that seventh-layer stuff, and it still allows you to define custom stuff (IP addresses, networks, ports, etc.), so you can add something less noticeable that you still need to define and keep reflecting what your existing rulesets already have. Oh, did we mention you can easily do things like block peer-to-peer or Skype or iTunes or whatever too?

So in 2 days, working with wiring contractors and our staff, we rewired 4 offices, put brand new networks in and transformed a set of offices with technology. In doing so we reduced their collective communications costs from over 1,400.00 per month to around 150.00. This is the thing that always makes me go "hmmmm". The reason we were brought in? Fix it, top to bottom. How were we able to do it? We worked smart, not hard. To do this we use smarter tools and spend a little money where it pays back.

In one day we were also able to determine that one of the ISPs was just not offering a quality connection. So it was replaced with a more reasonably priced one (it costs less) that provides better performance. There wasn't any guesswork. In this case the FIOS 25M/25M connection had horrible latency compared with the other connections, both connecting back to the well-peered cloud data center and to several other needed sites. While the price for the service was "good", the latency (with no discernible traffic present) showed us it was going to be unsuitable for voice traffic in general, and it was, well, the "weakest link" in this network.
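The "no guesswork" part above comes down to measuring each idle link and judging it against voice requirements. As an added illustration (not the router's reporting or anything from this post), the script below ranks links from constructed round-trip samples; the thresholds are assumptions, with the 150 ms one-way figure taken from ITU-T G.114 and the 30 ms jitter limit being a common rule of thumb.

```python
"""Added example: rank WAN links for voice suitability from idle-link RTT samples."""
import statistics

# Constructed samples in ms (not the post's measurements). Two idle links, ten pings each.
RTT_SAMPLES_MS = {
    "cable_link": [18, 19, 18, 21, 19, 20, 18, 19, 22, 19],
    "fiber_link": [95, 140, 88, 210, 120, 175, 90, 160, 230, 105],
}

# Assumed thresholds: G.114 suggests <= 150 ms one-way delay, so roughly 300 ms round trip;
# 30 ms jitter is a rule of thumb, not a standard.
MAX_MEAN_RTT_MS = 300.0
MAX_P95_RTT_MS = 300.0
MAX_JITTER_MS = 30.0


def jitter_ms(samples):
    """Mean absolute difference between consecutive RTTs (an unsmoothed RFC 3550 style estimate)."""
    if len(samples) < 2:
        return 0.0
    diffs = [abs(b - a) for a, b in zip(samples, samples[1:])]
    return sum(diffs) / len(diffs)


def percentile(samples, pct):
    """Nearest-rank percentile over the sorted samples."""
    ordered = sorted(samples)
    idx = max(0, min(len(ordered) - 1, round(pct / 100 * (len(ordered) - 1))))
    return float(ordered[idx])


def assess_link(samples):
    """Summary stats plus a voice verdict; a good mean alone does not pass a jittery link."""
    mean = statistics.fmean(samples)
    jit = jitter_ms(samples)
    p95 = percentile(samples, 95)
    ok = mean <= MAX_MEAN_RTT_MS and p95 <= MAX_P95_RTT_MS and jit <= MAX_JITTER_MS
    return {"mean_ms": mean, "jitter_ms": jit, "p95_ms": p95, "voice_ok": ok}


def rank_links(samples_by_link):
    """Return (names best first, per-link results): voice-capable links first, then lowest mean RTT."""
    results = {name: assess_link(s) for name, s in samples_by_link.items()}
    order = sorted(results, key=lambda n: (not results[n]["voice_ok"], results[n]["mean_ms"]))
    return order, results


if __name__ == "__main__":
    order, results = rank_links(RTT_SAMPLES_MS)
    for name in order:
        r = results[name]
        print(f"{name}: mean {r['mean_ms']:.1f} ms, jitter {r['jitter_ms']:.1f} ms, "
              f"p95 {r['p95_ms']:.0f} ms, voice_ok={r['voice_ok']}")
```

The constructed fiber link averages under the round-trip limit yet fails on jitter, which is why a single average ping time is not enough to call a link good for voice.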

Any network can be strong, agile, simple and affordable AND smart. You just have to make good decisions up front.