Weber County protects public data from evolving threats with SonicWall Next-Generation Firewalls

County replaces Cisco stateful firewall infrastructure to gain greater insight
into application traffic, while lowering costs and optimizing resources.

Customer profile
Company: Weber County
Industry: Government
Country: United States
Employees: 1,200
Website: www.co.weber.ut.us
Business need
• Increase in port scanning probes
• In-house anti-spam R&D
• False-positive spam management
• Reduced staff productivity
Solution
• SonicWall E-Class NSA E8500 Next-Generation Firewalls in high availability
(HA) mode
• SonicWall TZ 210 Series firewalls
• SonicWall E-Class ESA E8300
• SonicWall SonicPoint wireless access points
Benefits
• Application intelligence and control
• Application flow monitor
• Gateway anti-virus, anti-spyware, intrusion
prevention and content filtering
• SonicWall GRID Network
Solutions at a glance
• Network Security
“We are doing so much more with fewer
resources. SonicWall has saved us thousands
of dollars.”
Matt Mortensen, Information Security Officer
Weber County, Utah, is located between the Great Salt Lake
and the Wasatch Mountains, with its county seat in Ogden, UT.
The county employs a staff of approximately 1,200 people in
25 departments. Weber County’s network connects multiple
building sites via fiber optics, point-to-point T1 lines, point-to-point
wireless, point-to-multipoint wireless and virtual private
networks (VPNs).
The challenge: stateful firewall limitations and spam false positives
“Whenever property changes hands, we
have to record that transaction at the
time of closing,” said Matt Mortensen,
information security officer at Weber
County. “We need to secure data
and access for a significant number of
transactional county applications.”
The county’s network also carries
sensitive and critical information
on public safety, legal and law
enforcement proceedings, jails and
inmates, patient records, human
resources and fleet management.
Over recent years, the county
experienced a significant increase in
phishing, port scanning probes and
other Web-based traffic threats, which
threatened the security of its network and data.
“In the olden days, you could rely
on a faithful stateful firewall to block
threats based on port and protocol.
This approach doesn’t cut it anymore
because so much of today’s traffic
is intelligent. I’m seeing a lot of
‘port shopping,’ where a supposedly
legitimate application that is blocked will
simply keep looking for another open
port to use,” noted Mortensen.
“This was one of the inherent weaknesses
in our prior network infrastructure.”
Weber County previously used Cisco®
ASA and PIX firewalls at the core
and perimeter of its network. The
increase in Web-based threats also
impacted employee productivity.
For example, county policy prohibits
third-party instant messaging (IM) or
chat applications, but the county had difficulty
enforcing this policy with its existing
firewalls. In addition, the county
maintained a Linux-based in-house email
security solution.
“It hit our users’ productivity to process
400 spam messages a day, as well as
correct false positives that blocked
legitimate email,” reported Mortensen.
Mortensen evaluated replacement
solutions from Cisco, Fortinet® and
Sophos® before selecting SonicWall.
“Cisco’s proposal was to run multiple
independent firewalls, at a much greater
cost and with fewer features than
SonicWall,” asserted Mortensen. “We
chose SonicWall Email Security Series
over Sophos based on its features and
pricing.”
The solution: SonicWall TZ, E-Class NSA and Email Security Appliances
Mortensen deployed a pair of
SonicWall E-Class Network Security
Appliance (NSA) E8500 Next-Generation
Firewalls in High Availability (HA) mode,
and activated SonicWall Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention,
and Application Intelligence and Control
Service, as well as SonicWall Content
Filtering Service (CFS). Mortensen has
created almost 1,000 firewall rules and
also does virus scanning at the network
edge.
To support connectivity to a public
safety network access point (NAP) that
facilitates public safety dispatching
and information exchange, Mortensen
deployed two SonicWall NSA 4500
appliances, also in paired HA mode,
and SonicWall TZ 210 appliances, with
SonicWall SonicPoint wireless access
points, at nine fire stations. He added
three SonicWall NSA 3500 appliances
to segregate traffic from third-party
contractors.
For email security, Mortensen
implemented a SonicWall E-Class
Email Security Appliance (ESA) ES8300
appliance.
The result: application-intelligent firewall and robust email security
“SonicWall is the best thing on the
market,” declared Mortensen. “It gives
us more insight into our applications
and email, plus the ability to act on it.
We are doing so much more with fewer
resources. It has saved us thousands of
dollars.”
SonicWall application intelligence,
control and visualization functionality
enables Mortensen to enforce county
policy by blocking chat and IM.
“When it comes to bandwidth
management, I assign the lowest priority
to gaming, multimedia and social
networking traffic. If an unauthorized
peer-to-peer or chat application
attempts to switch ports, we can
still block it by application,” noted
Mortensen.
Mortensen also enforces a policy to
block outbound Social Security and
credit card numbers, and automatically
sends users policy notifications
when their email contains the word
“password.”
“SonicWall’s defense-in-depth blocks
attacks at the edge,” reported
Mortensen. “It supplements our desktop
anti-virus and gives us more uptime. We
have had no systemic virus outbreaks.”
The application flow monitor feature
enables Mortensen to troubleshoot in
real time.
“I can write a rule, click a check box and
see that it is working,” added Mortensen.
The ES8300 has freed the county from
maintaining its own in-house email
security signatures.
“SonicWall uses its GRID Network to
collect identified threats from around
the world and keep them from getting to
us,” asserted Mortensen. “What’s more,
it empowers our users to manage their
own junk boxes, which not only increases
user satisfaction, but takes the burden
off IT. I love it.”
Going forward, Mortensen plans
to configure the ES8300 for HIPAA
compliance, establish white lists
of high-priority applications and
evaluate SonicWall WAN Acceleration
Appliance (WXA).
“Ultimately, we have to spend money to
protect our resources,” acknowledged
Mortensen, “but SonicWall lets the
county act more efficiently with fewer
tax dollars.”

This case study is for informational purposes only. SonicWall Inc. and/or its affiliates make no warranties, express or implied, in
this case study. SonicWall and [add any other trademarks in this document here], are trademarks and registered trademarks of
SonicWall Inc. and/or its affiliates. Other trademarks are property of their respective owners.
© 2016 SonicWall Inc. ALL RIGHTS RESERVED. Reference number: 10011740