The City of Beaumont, California’s third fastest-growing city, partnered with Evocative for a city-wide network refresh project, which included replacing the City’s aging firewalls, switches, and endpoint protection software with new solutions from Fortinet. Beyond replacing aging equipment, Evocative also architected and implemented several network enhancements, such as internal network segmentation, to support the City in its goal of achieving Criminal Justice Information Services (CJIS) compliance.
The Security Fabric
During the network refresh, aging SonicWall firewalls and HP switches were replaced with FortiGate firewalls and FortiSwitches across eight buildings in the City of Beaumont campus. This new hardware became the backbone of the City of Beaumont’s new Security Fabric, a term coined by Fortinet to refer to the entire security solution as a single “fabric” of interworking hardware and software. All devices participating in the Fabric share telemetry data, which adds security intelligence and automation capabilities across them.
After the firewalls and switches were in place, another key component added to the City of Beaumont’s Security Fabric was FortiClient. FortiClient, Fortinet’s endpoint protection software, replaced McAfee on all city-owned and -issued devices. All FortiClients are centrally managed with FortiClient EMS (Endpoint Management Server) and provide client-side antivirus, web filtering, and application control functions.
Finally, FortiAuthenticator and FortiAnalyzer were added to the Fabric to centralize authentication and logging, respectively.
Network Enhancements
During the deployment of the Fortinet Security Fabric, additional improvements were made to the network, including:
Comprehensive Internal Network Segmentation
FortiGates were placed at key boundaries within the City of Beaumont campus. Within each boundary, devices were placed in different VLANs on the FortiSwitches, and the FortiGate performs all inter-VLAN routing, so traffic is thoroughly inspected at the application layer before being routed. The benefits of segmentation include limiting potential attack vectors and minimizing “east-west” threats and malware proliferation.
SSL Deep Packet Inspection
The FortiGates were configured to perform SSL decryption on critical traffic to ensure no threats are hiding in encrypted payloads.
Centralized Multi-Factor Authentication
The FortiAuthenticator acts as a centralized authentication point for all FortiGates in the Security Fabric. When first deployed, the FortiAuthenticator was integrated with the City of Beaumont’s Microsoft AD, and AD users were then tied to a FortiToken. The FortiToken, Fortinet’s secure token offering, is used to enforce multi-factor authentication for remote user VPN access, ensuring all network access is secure.
Centralized Logging, Alarming, and Reporting
The FortiAnalyzer acts as a centralized point for network administrators to monitor and respond to network threats in real time in the Fortinet dashboard.
Results
A complete network refresh is a large undertaking, but the City of Beaumont knew the security objectives they needed to reach and what it would take to achieve those objectives. By partnering with Evocative, the City of Beaumont was able to quickly deploy the new equipment and software across the entire city campus with minimal downtime, while at the same time revamping the network design to meet the stringent security standards demanded by today’s sophisticated, and unfortunately all-too-common, cybersecurity threats.