Firm Deploys New Firewalls To Reduce Risk of Web 2.0 Apps
Office furniture company Haworth deployed new firewalls that can provide network layer control over traffic and reduce the threat posed by Web-based applications like Facebook, LinkedIn, and Twitter.
May 14, 2009
Haworth Inc., a maker and designer of office furniture, had a problem. While the $1.65 billion manufacturer wanted its employees to embrace social networking sites such as Facebook, LinkedIn, Twitter and others, the company didn't want to unnecessarily accept the security risks that go with them.
In addition, Chad Clement, manager of information security at Haworth, realized that Web-based attacks were steadily rising: a user who simply visits an infected Web site could jeopardize applications and data from the PC back to the data center.
A study conducted by the social media security watch group the Secure Enterprise 2.0 Forum, "Web 2.0 Hacking Incidents - 2009 Q1," found that Web 2.0 sites are a prime target, making up 21 percent of all reported attacks. The attacks used well-known tactics such as SQL injection, authentication abuse, and Cross Site Request Forgery (CSRF), among others. The types of sites being targeted include social networks, wikis, and community blogging services.
"Traditional 'port-blocking' firewalls don't do anything to protect you against these classes of attacks," says Clement.
Yet, with more employees not only wanting to use networks such as Facebook and LinkedIn, but also applications that run on top of those platforms, Clement needed a way to control access to these sites and applications, as well as protect network traffic from more conventional network-based threats. "Our designers use Facebook for their work and to collaborate. Human resources uses social networks for finding and vetting potential employees," he says. "Because traditional firewalls just look at the port and the protocol running, they can't see what these Web applications are doing."
Because Haworth's network firewalls were reaching end-of-life, as was the contract for its URL filtering service, a perfect opportunity arose to explore alternatives that would either replace the network firewalls or bolster the security they provide to include Web applications and traffic.
Clement ultimately decided to replace his existing network-based firewalls with PA-4000 Series firewalls from Palo Alto Networks, which provide not only network layer control over traffic but also visibility into which Web-based applications workers are using, along with the ability to either block their use or control who can use them and how.
As a result, Haworth is now safely enabling Web 2.0 applications for its workers. "Palo Alto Networks gives us a solution that allows us to leverage the productivity gains and efficiencies of Web 2.0 applications, while offering granular visibility and control by user, so we can make sure the applications are being used in a manner that is safe for our users and the organization," Clement says. "It's clear that Palo Alto Networks' firewalls are designed from the ground up to provide unmatched visibility and control of applications, enabling us to protect our network in ways our legacy firewalls could not. After a short evaluation of Palo Alto Networks, it was an easy decision to replace our previous firewalls."
The decision generated benefits quickly. "We turned this thing on and we saw tons of peer-to-peer traffic that we shut down, and workers using remote system access tools to log onto their systems from home and on the road," he says.
In addition to identifying blatant and dangerous policy violations, Haworth uses the PA-4000 to let workers securely access social networking and other sites, and to control which applications they can run and access. The firewall can currently identify more than 700 applications, no matter what port or protocol they use, or even if they're encrypted. "And the device not only gives us the ability to see if applications on the outside are infected, or attempted to be used by employees, we can also spot if any application within our perimeter is trying to 'phone home'," he says.
Previously, when employees requested the ability to run a new Web-based application or service, Clement would have to manually research whether it posed a potential threat to the network if allowed to run, then weigh those risks against business benefits and how any risk might be mitigated, before deciding whether the application would be safe or a threat. "I don't have to do this anymore, Palo Alto has already done the research and we can decide if it is safe enough to run," he says.
Also, because the PA-4000 can be integrated with Active Directory, Haworth can make, and enforce, application use exceptions. "While we have a corporate instant messaging system, and ban the use of other instant messaging applications, we do have one person who can use Yahoo instant messenger; all else is blocked," he says.
While Web-based attacks have been threatening networks and data centers for years now, the danger is clearly rising, as even legitimate Web sites are unknowingly being subverted into dispatching malware. "We just spotted one of those today. I just informed one of our vendors that their Web site is infected and trying to infect our systems," he says.