A Firewall for all Occasions

Swisscom Mobile turns to Stonesoft for scalable high availability firewalls

Only a few industries face business developments as rapid as those in the mobile phone sector. The breakneck pace of change in core technologies forces these organizations to secure data and key applications around the clock while simultaneously providing unrestricted access to the Internet and intranet.

Swisscom Mobile, Switzerland's #1 supplier of mobile telecommunication solutions, offers a fully comprehensive range of universal, nationwide mobile voice and data communication products and services. To master the growing demands of protecting their computers against unauthorized access, Swisscom Mobile uses a system based on a multi-layer security zone architecture. Within this architecture, the individual areas are protected by fully independently working firewalls. Of these, the main firewalls include StoneGate, a system delivered by the Finnish security expert Stonesoft.

To date, StoneGate is the sole firewall/VPN (virtual private network) on the market to allow secure connections over multiple Internet links while also handling both inbound and outbound traffic.

With its user-friendly management system, support for high data throughput and flexible adaptability to the customer's needs, StoneGate is especially interesting for large enterprises. These unique selling propositions were just some of the reasons why Swisscom Mobile decided to collaborate with Stonesoft in integrating StoneGate into its new network architecture.


Secure quad zone realm

Swisscom Mobile's network architecture has been configured with four security zones. Its security concept breaks the entire network environment down into areas, each denoted by one of four colors. If a laptop has been released for use in the orange application zone, for example, the system ensures that it is prevented from accessing the white (unsecured), yellow (secured) or red (high security) zones. The computer can only work in the zone it has been released for, and that zone is hermetically separated from the other critical network areas.

“Our new four-layer security concept allows us to provide data security optimally as well as to respond faster to developments in the core technologies. Security solution scalability is therefore a make-or-break criterion for us. Each security level needs a firewall, regardless of whether or not the others are working.”

Roy Culley, expert in Swisscom Mobile's Network Management department.


Hierarchical rule set

The StoneGate firewall is characterized by outstanding scalability thanks to the hierarchical structuring of the individual filter rules on the firewall. Firewalls use rules to check inbound and outbound data packets, and the results of these checks determine whether the packets are allowed to pass or are blocked.

In contrast to conventional firewalls, which bundle all the rules into a single, evenly weighted list, StoneGate's data checks are hierarchically structured, which improves efficiency. Each data packet must first be matched by a top-level rule before it is passed to the secondary sub-rule check, where it is re-verified against the individual sub-rules. A packet that none of the sub-rules accepts is blocked by that segment and handed on to the next superordinate rule.
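The zone separation and the main-rule/sub-rule evaluation described above, modelled as an added Python example that is not Stonesoft's or Swisscom's code. The zone prefixes, hosts and rules are constructed for illustration, and the fall-through to the next main rule plus the final default deny are assumptions of this model, not a description of StoneGate's internals; the flat evaluator is included only to show why the hierarchical form examines fewer rules.

```python
# Added example, not Stonesoft or Swisscom code: a toy model of the two-level
# (main rule -> sub-rules) policy the text describes, over the four colour-coded
# zones. Prefixes, hosts and rules below are constructed for illustration.
from ipaddress import ip_address, ip_network

ZONES = {                                   # assumed one prefix per zone
    "white": ip_network("10.0.0.0/24"),     # unsecured
    "yellow": ip_network("10.1.0.0/24"),    # secured
    "orange": ip_network("10.2.0.0/24"),    # application zone
    "red": ip_network("10.3.0.0/24"),       # high security
}

def zone_of(ip):
    """Map an address to its zone name, or None if it lies outside all zones."""
    return next((z for z, net in ZONES.items() if ip_address(ip) in net), None)

# Main rule: (src_zone, dst_zone, [sub-rules]); sub-rule: (proto, dport, action)
POLICY = [
    ("orange", "yellow", [("tcp", 443, "allow"), ("tcp", 22, "deny")]),
    ("yellow", "red",    [("tcp", 5432, "allow")]),
    ("orange", "white",  [("tcp", 80, "allow"), ("tcp", 443, "allow")]),
]

def evaluate_hierarchical(policy, src, dst, proto, dport):
    """Return (verdict, rules_examined). Only main rules whose zone pair
    matches are entered; if none of their sub-rules decides, evaluation
    falls through to the next main rule, and the final fallback is deny."""
    examined, pair = 0, (zone_of(src), zone_of(dst))
    for src_zone, dst_zone, subs in policy:
        examined += 1
        if (src_zone, dst_zone) != pair:
            continue                        # whole sub-rule set skipped
        for sproto, sport, action in subs:
            examined += 1
            if (sproto, sport) == (proto, dport):
                return action, examined
    return "deny", examined                 # assumed default: drop

def evaluate_flat(policy, src, dst, proto, dport):
    """Same policy expanded into one evenly weighted list, first match wins."""
    flat = [(sz, dz, p, port, a) for sz, dz, subs in policy for p, port, a in subs]
    examined, pair = 0, (zone_of(src), zone_of(dst))
    for sz, dz, p, port, action in flat:
        examined += 1
        if (sz, dz) == pair and (p, port) == (proto, dport):
            return action, examined
    return "deny", examined
```

A packet from the orange zone to the red zone never enters any sub-rule set in the hierarchical model, whereas the flat list compares it against every rule before denying it.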


“Whereas we used to have around 350 rules in a single, massive rule set, StoneGate supports hierarchical structuring in which the rules are clearly broken down into main and sub-rules. This allows modifications to the rule sets to be implemented quickly and easily.”

Roy Culley, expert in Swisscom Mobile's Network Management department.


Integrated high availability and load balancing

The StoneGate firewall has been designed to operate several network nodes as a single active cluster. Should one of these units fail, all data traffic is immediately rerouted to the remaining active units without any detrimental effect on availability.

The integrated load balancing system ensures that complex calculations or large numbers of queries are distributed over several servers. It protects the system from total failure in the event of a hardware defect and gives administrators a flexible means of managing a complex security system. These are indispensable functions in extremely high-bandwidth networks such as those operated by Swisscom Mobile. Dynamic load balancing and high availability are integrated into the StoneGate firewall by default.

Management: "Unpacking the hardware's what took longest!"

Complex, segmented networks can only be managed and maintained effectively via a centralized system. To this end, Stonesoft offers the StoneGate Management Center, a uniform, central management instance that enables operationally secure remote administration through simple remote update functions, central alarm management and a wide range of reporting functions. All this enables administrators to respond faster, cut their workloads and reduce total cost of ownership (TCO).

StoneGate thus allows numerous, independently working firewalls to be managed from a single management system. At the same time, StoneGate also runs on standard hardware platforms.

According to Culley, installation was child's play:

“Unpacking the hardware and installing it in the rack was what took longest. The system is installed from a CD-ROM and takes less than 5 minutes; after that, the system reads in the information it needs.”

The CD-ROM based installation also makes it easy to restore StoneGate after a crash. The installation of the management and log server can likewise be completed in a jiffy. StoneGate is compatible with both Microsoft Windows and Linux.

Excellent customer service

Roy Culley was also impressed by the technical and customer-oriented service offered by Stonesoft during and after the implementation phase.

“The Stonesoft staff provided excellent service. Whenever a difficulty arose, they responded promptly and resolved the problem entirely.”

About Swisscom Mobile

With a 62% market share of regular customers and a customer growth rate of 69% in 2005, Swisscom Mobile is the #1 address in the Swiss mobile telecommunications sector. In 2005, Swisscom Mobile reported revenues of CHF 4.168 billion and it currently registers around 4.3 million NATEL® customers. Swisscom Mobile is a stock corporation owned by Swisscom AG (75%) and Vodafone Group of the UK (25%). The enterprise operates a nationwide GSM network (900/1800 MHz), which was upgraded with EDGE broadband technology in spring 2005. In February 2006, Swisscom Mobile was the country's first network operator to commission a new turbo-network, HSDPA, which, from Day 1, was around five times as fast as UMTS – roughly the same bandwidth as an ADSL connection. Swisscom Mobile also currently reaches around 90% of the country's populated area with its UMTS network. In addition to this, it also provides Internet access via wireless LAN at around 1,000 hotspots.

This unusual technology mix serves as the basis for a universal, mobile broadband network and high-quality mobile phone services. Swisscom Mobile started offering UMTS-based services such as live TV and video telephony in its portfolio in November 2004; another of its innovative offerings is Mobile Unlimited, a PC card that automatically establishes the fastest possible mobile online connection without interruption.

Incidentally, while NATEL® subscribers are best reachable in Switzerland, they can also be reached via over 400 mobile networks worldwide.

http://www.swisscom-mobile.com/