TAGITM 2024: Texas Cities Describe Modernizing Networks with Fortinet
By Mickey McCarter | April 3, 2024
“Internal visibility” has long been a buzzword at the annual conference of the Texas
Association of Governmental Information Technology Managers, said Scott Joyce,
director of information services for Euless, Texas, at TAGITM 2024.
And complete visibility across the city’s network is exactly what Joyce achieved with the
recent adoption of Fortinet networking.
“One of the most attractive parts of Fortinet components is that they all work together as
a seamless whole,” Joyce said during a TAGITM 2024 panel in San Antonio on
Wednesday. “We segmented every piece of the network — every function and every
department — into its own subnet and its own VLAN.”
Euless replaced its core switching with a firewall cluster when it modernized its network
with Fortinet, Joyce said. All internal (and external) traffic goes through the firewall. IT
admins manage every part of the network through the firewall interface, and they can
see every access point, every IP address and every VLAN.
So far, Joyce has rolled out the network to six of 20 city government buildings and says
he’s already seeing the benefits: “You see everything going on at that point. It’s very
eye-opening.”
Texas Cities Find Fortinet’s Price Transparency Attractive
Angela Wright, CTO of Beaumont, Texas, told the panel that her city also benefited from
a recent transition to Fortinet. Beaumont began with the purchase of Fortinet firewalls
and grew the enterprise from there.
For years, the city had been striving to modernize its network, but it was not where a
municipality of its size should be, Wright said. Cost was the major obstacle.
“The sole reason we even contemplated this move was cost,” Wright said, expressing
frustration that vendors would often require additional licenses for specific functionalities
after the purchase of networking equipment. “The costs add up,” she added.
Fortinet installed a proof-of-concept network, and Beaumont ran it for 60 days. Once
satisfied, “we were able to write a check for the equipment already in place,” Wright
said.
Joyce agreed that transparency in pricing was a big advantage with Fortinet networking.
“We don’t want our initial expense to turn into a thing that we pay for four or five times
over again,” he said.
“You may buy a switch, and you pay X amount of money, but it doesn’t do anything.
You have to buy a license, and there is a subscription,” Joyce said. But with Fortinet,
“you buy a switch, and it switches. You buy a firewall, and it firewalls.”
“There are subscriptions that you can buy around that, and that’s to be expected
because things are constantly changing. But at the end of the day, if you buy an AP, it
works,” he added.
City Officials Detail Challenges with Network Modernization
The two local government IT officials shared with TAGITM attendees the challenges
they faced when modernizing their networks.
“With the Fortinet network, to get the full benefit of it — all of the traffic, all of the
switches — tunnel through the firewall,” Joyce said. “You have got to get OK with that in
your mind.”
Doing so elevates the importance of the firewall, and IT officials must design networks
with the appropriate redundancy, he added.
“It’s all controlled by the firewalls, which is good. It’s easy and robust, but in the event
you have trouble there, it could take everything down,” he said.
Wright cautioned that government IT administrators must know their networks and their
configurations well before they begin to upgrade them.
“We had some funkiness in our switching and routing. It’s been band-aided for years,”
Joyce said. “Something was down, and we would fix it with intent to come back later,
and no one came back later. Somebody built something else on top of it that configured
something on top of that.
“Ten years down the road, no one remembers that there is a static route somewhere
that is going to completely break the whole world when you turn new switching on,” she
added.
Euless Embraces Benefits of Internal Visibility and Segmentation
Joyce advised other cities to size their firewalls appropriately to ensure a firewall large
enough to handle all network transactions.
“We had every intention of turning on every function, up to and including deep packet
inspection, and pushing out a certificate to every Windows domain client device, and
decrypting the traffic on the firewall, inspecting it and re-encrypting it, and sending it
out,” Joyce said.
Such resource-intensive operations use up all available CPU very quickly, he added.
But again, Joyce said he was pleased with the internal visibility he has obtained with
Euless’s Fortinet network. By segmenting everything, for example, he was able to
restrict access to control mechanisms for utilities to only those who should be allowed to
operate them.
“It bothered me how many computers in the city that did not need access to SCADA
could technically get there,” Joyce said. “They couldn’t log in, and that’s how I could go
to sleep at night. But they could still get there. That’s one of the things that we stopped
with this.”
The SCADA devices reside on their own network, and SCADA operators are on another
network. “We built a policy across, and that’s it. No one else can get over there,” Joyce
said.
“We are still kind of learning what we should have been doing 10 years ago,” he added.
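The segmentation Joyce describes, with SCADA devices on one VLAN, operators on another and a single policy between them, is easy to audit once every flow crosses the firewall. The following is an added illustration, not code from the article or from Fortinet; the segment names, addresses and the "before" and "after" policy tables are constructed, and it models a first-match policy table with an implicit deny to show how many segments can reach SCADA under each design.

```python
from ipaddress import ip_address, ip_network

# Constructed segments, modelled on the Euless description: each department on
# its own subnet/VLAN, SCADA devices and SCADA operators on separate networks.
# Names and addresses are made up for this example.
SEGMENTS = {
    "vlan10-finance": ip_network("10.10.0.0/24"),
    "vlan20-parks": ip_network("10.20.0.0/24"),
    "vlan30-scada-ops": ip_network("10.30.0.0/24"),
    "vlan40-scada": ip_network("10.40.0.0/24"),
}

# Policy tables are first-match; a flow matching nothing hits the implicit deny.
# "Before": the band-aided network routed everything to everything.
BEFORE = [{"src": "any", "dst": "any", "action": "accept"}]
# "After": one policy from the operator VLAN to the SCADA VLAN, and that's it.
AFTER = [{"src": "vlan30-scada-ops", "dst": "vlan40-scada", "action": "accept"}]


def segment_of(ip):
    """Return the name of the segment containing ip, or None if off-network."""
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)


def allowed(policies, src_ip, dst_ip):
    """Would the firewall pass a new flow from src_ip to dst_ip under this table?"""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True  # same VLAN: the flow never crosses the firewall
    for rule in policies:
        if rule["src"] in ("any", src) and rule["dst"] in ("any", dst):
            return rule["action"] == "accept"
    return False  # implicit deny at the end of the table


def segments_reaching(policies, target):
    """Audit: which other segments can open a flow to target? Expect a short list."""
    probe = {name: str(next(net.hosts())) for name, net in SEGMENTS.items()}
    return sorted(
        name for name in SEGMENTS
        if name != target and allowed(policies, probe[name], probe[target])
    )
```

Running `segments_reaching` against the SCADA segment for both tables reproduces the gap Joyce describes: every department can reach SCADA under the flat design, only the operator VLAN under the segmented one.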