This new case study looks at how international law firm Stephenson Harwood deployed Palo Alto Networks as part of their recent office relocation project, improving security and control of their new network infrastructure.
Established in 1875, Stephenson Harwood is a full service law firm that operates internationally, with a global network of more than 100 partners and 600 staff. Reporting worldwide revenues from 2010-11 of £107 million, Stephenson Harwood act on behalf of a number of institutions and individuals, as well as a wide range of listed and private companies.
With seven offices located across Europe and Asia, including sites in Guangzhou, Hong Kong, London, Paris, Piraeus, Shanghai and Singapore, Stephenson Harwood’s global operations encompass a broad range of geographical locations, and specialise in a range of sectors; including corporate and commercial, intellectual property rights, as well as marine and international trade. They have acted on some of the world’s largest high profile fraud and probate cases in recent years.
With a significant number of new partner and associate hires, along with anticipated expansion for the future, Stephenson Harwood relocated their London operations to larger premises in Finsbury Square to accommodate their plans for growth.
New office, new and improved technologies
Stephenson Harwood recognised the relocation of their offices as an opportunity to refresh their existing network infrastructure; to adopt new technologies that would provide superior network security, increased application visibility and control, and improved productivity levels.
“As a heavily regulated legal organisation, security is of paramount importance to us,” explains Chris Petrie, Global Director of IT at Stephenson Harwood. “We were at a point where our legacy firewalls needed upgrading; the office relocation project provided the perfect opportunity for us to replace the existing technology with a more sophisticated solution that would provide us with advanced security and control; one that could with stand new threats posed by technological advancements across the web. It wasn’t just about replacing old with new, we needed a comprehensive firewall that could do more than just keep people out of our network, and we needed complete control over what people were doing both on and offsite over the global network.”
When planning their £26 million office move, Stephenson Harwood employed IT consultancy Krome Technologies to handle the infrastructure relocation and regeneration. Stephenson Harwood, in partnership with Krome, immediately recognised that Palo Alto Networks next-generation firewall was the appropriate network security solution for their new improved infrastructure.
Application visibility is critical for both understanding and controlling the risks posed to any network. With Palo Alto Networks next-generation firewalls, Stephenson Harwood would be able to see users streaming audio and video, and monitor file sharing, collaboration, and social networks usage; just a few applications that are capable of hopping from port to port, using encryption and non-standard ports as a means of evading traditional firewalls.
Palo Alto Networks provides visibility into all applications, where they can be controlled by policy and fully inspected for threats.
Application Visibility and Control
“There were a number of applications that staff were accessing while offsite to dial into our networks, that were posing a problem for us” explains Petrie. “Applications such as Skype, and other services that provide remote access from a home to a work PC, were able to pass through our firewall, and get access to the Stephenson Harwood network, completely bypassing security measures that were in place, and all without any co-operation from IT; this was happening outside of our control. We knew we had to stop people doing what they wanted over our network.”
Traditional firewalls classify traffic by port and protocol, which, at one point, was a satisfactory mechanism for securing the perimeter. Today, modern applications can easily bypass a port-based firewall; hopping ports, using SSL and SSH, sneaking across port 80, or using non-standard ports. This renders legacy firewall technology ineffective at controlling the use of certain applications on the network.
A lack of application visibility and control introduces a range of risks, including loss of productivity, compliance issues, threat propagation and data leakage. Services like Skype, which use Voice over Internet Protocol (VoIP) and Instant Messaging (IM), pose a threat to network security, and have become popular communication tools, adopted for both private and business use alike.
As Petrie goes on to observe: “older firewalls were capable of managing the threats posed by the outside world, but they could not give us control over what people where doing from the inside. At that time Palo Alto Networks was one of the first solutions of its kind, which could provide a far more complex overview of what was happening on our network, both internally and externally.”
Securing Confidential Information
Due to the highly confidential nature of the information communicated by law firms, the channels being used across the network need to be secured and managed effectively, with Palo Alto Networks next-generation firewalls, Stephenson Harwood were able to regain control of what information was being sent across their network, from the inside, as Petrie explains:
“Palo Alto Networks allows us to disseminate what older firewalls presented as bulk categories. Where we could previously only view activity in its most basic form, such as the number of people using the web, email or FTP, we can now see in finite detail what people are doing on Stephenson Harwood’s global network. Each category is broken down so we can see exactly what websites are being accessed, what information is being communicated across our network; we can even track certain key words.”
Palo Alto Networks addresses the traffic classification limitations that plague traditional firewalls, by applying multiple classification mechanisms to the traffic stream at the firewall level, to determine the exact identity of applications traversing the network. As the applications are identified by the successive mechanisms, the policy check determines how to treat the applications and associated functions: block them, or allow them and scan for threats, inspect for unauthorised file transfer and data patterns, or shape using QoS.
“Traditional firewalls are based on a technology that is simply not up to speed with modern applications and no longer viable for modern enterprise environments,” explains Rupert Mills, Technical Director at Krome Technologies. “A Palo Alto Networks next-generation firewall blocks at application rather than port level. It has the power to stop applications using methods such as port skipping and tunnelling to try and break through the firewall.”
Since implementing Palo Alto Networks solution, Stephenson Harwood has eliminated the use of unwanted applications on their network completely. Palo Alto Networks allows the network administrator to monitor all traffic on a private network. Stephenson Harwood is now able to monitor and centrally manage all of their global network traffic from their London headquarters.
“We are in full control of what happens on our network,” said Petrie: “Palo Alto Networks has provided us with a far more sophisticated solution than the one we had previously, it not only lets us see the threats posed externally, but also has the functionality for us to track and monitor exactly what is going on across our network in finite detail.
With Palo Alto’s centralised management ‘Panorama’ system we have visibility of our multiple networks around the world, it provides me with a snapshot of what is happening across our networks; while also giving me complete control over what people are doing at each individual site. I now have a global view of our network’s security; it’s an incredibly powerful tool.”
“An ever increasing amount of organisations are identifying the limitations of legacy security technology and are seeking a network security infrastructure that is capable of managing the vast amount of applications that employees are using on corporate networks,” said Rene Bonvanie, CMO at Palo Alto Networks. “Companies like Stevenson Harwood, with very specific business requirements, are finding the Palo Alto Networks’ next-generation firewalls help to keep close control of network activity and secure against an ever-changing threat landscape”