Connection-heavy applications and growing website traffic were straining the firewalls at Human Kinetics (HK) to their limits. A platform-based solution from F5 enabled HK to consolidate 12 firewalls on 2 devices and strengthened security throughout its network, both inside and out.
Looking for information about anatomy, physiology, and the mechanics of human movement? You’ll find it at Human Kinetics (HK), an online publisher that provides print, online, and multimedia materials related to kinesiology. Catering to a broad audience, including athletes, coaches, students, educators, physical fitness professionals, and nutritionists, HK’s mission is to help people everywhere lead healthy, active lives through physical activity.
Along with its own e-commerce website, HK hosts nearly 70 related educational and storefront sites. Together, the sites get a million unique visits a month. That’s an impressive feat for a company of about 300 employees. “We’re not a Fortune 500 company with unlimited funds, so when it comes to IT, ‘doing more with less’ isn’t a cliché for us, it’s a reality,” says Stuart Lyons, network security engineer at HK.
The company’s IT infrastructure has evolved somewhat sporadically in response to a 75 percent increase in traffic volume in the last 3 years and a corresponding 300 percent increase in bandwidth needs. Over time, HK had added firewalls in various locations—at the network edge, in front of web and application servers, and in the company’s core network to protect internal resources. By 2013, it was managing 12 separate firewall solutions, which were increasingly difficult to maintain and troubleshoot. Worse yet, the firewalls were still failing under the load.
As is the case for many companies, a handful of HK’s applications launch multiple connections per user session, which significantly increases traffic load. Each firewall could only handle a few hundred thousand concurrent connections per second. When those limits were exceeded, users would get dropped and whatever data they had entered—shopping cart items, for example—would be lost. In reality, HK needed to be able to handle millions of concurrent connections per second.
Since the connection-heavy apps were not going away anytime soon and traffic volume was expected to continue rising, there was no end in sight to HK’s firewall dilemma. “Continuing to segment our network and add more firewalls wasn’t a workable solution,” says Lyons. “We needed to take a completely different approach.”
Alongside these third-party layer 4 network firewalls, HK had been using BIG-IP Local Traffic Manager (LTM) and BIG-IP Application Security Manager (ASM), a layer 7 web application firewall. BIG-IP LTM provided intelligent traffic management while BIG-IP ASM protected HK’s primary website from layer 7 DDoS attacks. It also ensured HK’s compliance with Payment Card Industry Data Security Standard (PCI DSS) requirements.
In 2013, HK contacted F5 about refreshing its existing BIG-IP devices and learned about Synthesis, F5’s architectural vision for providing layer 4–7 services for any application in any environment. Synthesis included a flexible licensing model, Good-Better-Best, which makes BIG-IP modules available in bundles at considerable cost savings over individual module prices.
“Best” licensing would give HK access to all BIG-IP modules, among them, BIG-IP Advanced Firewall Manager (AFM), a layer 4 firewall that aligns firewall policies with applications (rather than devices) and enables centralized firewall policy management. “We had heard that you could use BIG-IP devices as a network firewall, but we thought it involved a lot of custom coding,” says Lyons. “When we realized it was a BIG-IP module we could turn on just by purchasing Best licensing, we were definitely interested.”
HK tested a lab edition of BIG-IP AFM and was amazed at how easy it was to configure and administer. “It was clear right away that BIG-IP AFM could do everything our existing firewalls were doing and more—and all from a single location,” says Lyons.
HK decided to upgrade its existing BIG-IP devices and chose to purchase Best licensing along with the new hardware. A big factor in HK’s decision was the single unified platform that BIG-IP provides. The solution would not only solve HK’s immediate firewall woes, it would give HK other security capabilities it needed, such as identity and access management through BIG-IP Access Policy Manager. “We also needed to refresh our SSL VPN solution as well, so with Best licensing, it became really obvious that the solution needed to be F5.”
With BIG-IP AFM, HK was able to consolidate its 12 existing firewall solutions down to two BIG-IP devices. Today, those BIG-IP devices handle all of HK’s firewall needs, and the overall infrastructure is simpler and far easier to manage. “Before, if there was a network issue, it would take several hours just to find the firewall that was causing the problem. It made troubleshooting a nightmare,” says Lyons. “Now, I can do it in a fraction of the time.”
Lyons also points out the improved visibility the F5 solution provides. “The BIG-IP devices are magnificent at logging; I can see the whole journey of a packet from the time it comes into my data center, gets processed, and goes back out again. I have a beautiful picture of how my network is working at all times, and that’s very appealing to me.”
The capacity challenges HK was experiencing with its previous firewalls are completely gone now. “When it comes to handling concurrent connections per second, we’re not even close to capacity on our BIG-IP system. We can throw anything at this box and it takes it; in fact, I think it’s bored,” jokes Lyons. The BIG-IP devices have so much available capacity that IT is adding new projects every month because they’re confident the BIG-IP systems can handle the additional traffic. He adds that 100 percent of HK’s Internet traffic and 85 percent of all corporate traffic now goes through F5.
Keeping its websites and applications 100 percent available for customers is critical to HK’s business, and with F5, website load times have improved by 2.5 seconds. Lyons cites two reasons for this change. “One, the BIG-IP devices are just really, really fast and good at what they do. And two, packets don’t have to go through three or four layers of firewalls anymore like they used to, which significantly slowed down our traffic before.” Lyons says HK employees who work remotely have also reported much faster access to resources on the corporate network.
When asked about HK’s current security posture, Lyons says it’s improved by leaps and bounds. BIG-IP AFM is built on a full proxy architecture, so it inspects all traffic, both incoming and outgoing. And because it understands a wide range of inbound protocols, it catches far more threats than traditional firewalls. “BIG-IP also gives me deep visibility into the network that I never had before—and I can take action on that immediately.”
Thanks to Best licensing, HK has also deployed BIG-IP Access Policy Manager, which lets HK control network access based on the user, their job function, their device, the network they’re connecting from, their location, and other parameters. “The Visual Policy Editor (VPE) in BIG-IP APM makes my job so much easier because our VPN is fairly complex, and we have many different requirements for remote users,” says Lyons. With a few simple clicks, VPE, a GUI-based tool, makes it quick and easy to configure VPN policy for external users as well, such as HK partners. “Before, it could take 4 hours to configure partner access; with VPE in BIG-IP APM, it takes less than 20 minutes.”
Secure Web Gateway Services, available as a subscription service with BIG-IP APM, helps strengthen HK’s overall security posture. “Before, we weren’t able to monitor or control outgoing traffic at all; now, we’re able to monitor our guest network, our web servers, and also ensure that our employees are using the Internet in safe and productive ways,” says Lyons.
Keeping both operating and capital expenses under control is a major concern for HK, and the new F5 solution helped the company do both. “For a company of our size, F5’s Good-Better-Best licensing was a game-changer,” says Lyons. “It was significantly less expensive for us to purchase Best than it would have been to purchase all of the BIG-IP modules individually that we’re using today.”
With F5, HK also avoided the inevitable cost of adding more one-off firewalls. And because the infrastructure is significantly simpler now, labor costs are also kept under control. “We were reaching the point where we couldn’t take on new projects because managing and maintaining our previous firewalls required so much of our time,” says Lyons. “We have time to tackle those projects now, and we don’t have to worry about adding more staff anytime soon.”
Overall, Lyons says the improvements the F5 solution has brought to HK have made his professional life abundantly better because it covers so many bases. “We consider F5 a strategic, mission-critical partner. If our BIG-IP devices were to go away, we literally couldn’t do business, it’s just that simple.”