Case Studies Archive Search Case Studies

City of Raleigh Protects Web-Based Applications with F5 BIG-IP ASM

The City of Raleigh, N.C., relies on technology to support transparent operations, easy access to services, and a secure network environment. In 2007, it deployed F5 BIG-IP Local Traffic Manager Application Delivery Controllers (ADCs) to improve the availability and performance of its web-based applications and to replace the city’s existing reverse proxy solution.

To safeguard its critical web-based applications against application layer attacks, the city decided to also implement BIG-IP Application Security Manager (ASM) as a web application firewall. As a result, the city is able to provide more online services while enhancing security, reducing costs, and simplifying its infrastructure to reduce the IT administration load.

Business Challenges

Raleigh is both the capital and the second largest city in North Carolina. It also represents one point of the “Research Triangle” metropolitan area, which is home to an increasingly diverse range of research and development organizations, technology companies, and research institutes. One of the fastest growing cities in America, Raleigh earned the top spot on Forbes’ 2010 Most Wired Cities list.

”Folks here are very engaged with technology, so it is very important for our organization to be progressive in the way we deliver services to our citizens,” says Trevor Pressley, IT Security Manager for the City of Raleigh. The city looks to technology innovation to improve service delivery and organizational efficiency, help it achieve an open government environment, and accomplish both with limited expenditures of tax revenues.

To increase IT flexibility and reduce costs, the city used VMware products to virtualize the majority of its web and application servers, which host the city’s web portal as well as other critical applications such as Oracle PeopleSoft. To improve the availability and performance of these web-based applications for both internal and external users, the city deployed two BIG-IP LTM 3600 Series devices in 2007.  Because these devices provide a full proxy solution between users and application servers, the city was able to decommission its existing reverse proxy solution.

The city further addressed application security by scanning all applications at regular intervals. This took a great deal of time, however, and wasn’t as proactive as the city’s security team wanted. “Although we are a public entity, the integrity and security of the information and services we deliver to our citizens remains very critical to our organization,” says Pressley, who decided to implement a web application firewall.

“The combination of F5’s good reputation, its strategy of assessment … made it easy for us to choose BIG-IP ASM.” Trevor Pressley, IT Security Manager, City of Raleigh

Solution

Pressley discussed potential application firewall solutions with an F5 partner he had engaged to assess the city’s Payment Card Industry (PCI) credit card processing solutions. The partner recommended BIG-IP ASM because it offers the flexibility to secure web applications in traditional and virtual environments and supports many security standards, including the PCI Data Security Standards (PCI DSS).

Pressley did further research. “Before we implement any solution, we validate that the vendor is a leader in Gartner’s Magic Quadrant,” he says. “That ensures we are staying current with trends within the industry, and this vetting process provides third-party validation. It fits right in line with our strategy of implementing best-of-breed solutions to help bolster our security posture.” Since 2005, F5 has been rated a leader in Gartner’s Magic Quadrant for ADC products.

Another plus in favor of BIG-IP ASM was that it could be installed on the city’s existing BIG-IP devices. “F5 and BIG-IP LTM established a very good name within our organization; we have yet to have an outage or performance-related issues with the BIG-IP LTM boxes,” says Pressley. “So the combination of F5’s good reputation, its strategy of consolidating services on a single platform, and Gartner’s favorable assessment of F5 ADC products made it easy for us to choose BIG-IP ASM.”

The partner deployed BIG-IP ASM on the city’s existing BIG-IP LTM devices in just three days. In the process, the partner used the F5 iRules scripting language to address the top 10 application security risks designated by the Open Web Application Security Project (OWASP Top Ten). These risks include SQL injection, layer 7 denial-of-service (DoS), and cross-site scripting attacks. In the coming year, Pressley also plans to evaluate BIG-IP Global Traffic Manager (GTM) to provide disaster recovery and business continuity for its two data centers.

“With F5, our technical staff another point solution …or deploy additional hardware.” Trevor Pressley, IT Security Manager, City of Raleigh

Benefits

By deploying BIG-IP ASM to protect its key web applications, the City of Raleigh was able to make its online resources more accessible to citizens while enhancing security and regulatory compliance. It also expects to reduce costs and the administrative burden, since it can combine the advanced features of BIG-IP LTM with the web application firewall capabilities of BIG-IP ASM on a single hardware platform.

Increased access with enhanced security and compliance

With more Raleigh citizens paying their bills and accessing city services through smartphones, tablets, and laptops, the city must balance open access with security.  “As our organization moves forward with an open government approach, BIG-IP ASM gives us the confidence that security vulnerabilities, like layer 7 Do’s attacks, are mitigated without negatively affecting the business,” says Pressley.

Reduced costs

Because the F5 solution enabled replacement of the third-party reverse proxy solution, the city was able to eliminate 12 physical servers, six proxy system licenses, and approximately 12 to 16 hours a month in administrative time. In addition, because BIG-IP ASM is installed on the existing BIG-IP LTM 3600 devices, the city avoided additional hardware costs. “With F5, our technical staff doesn’t have to support another point solution, call another vendor for support, or deploy additional hardware. That simplifies the environment and helps reduce our operational costs,” says Pressley.

Simplified infrastructure

By enabling the city to consolidate multiple functions on a single device, the F5 solution has greatly simplified the city’s web environment. “Now we can go to one source—F5—to get all the information we need,” Pressley notes. “Reducing the overall complexity of our infrastructure is a big advantage for our IT staff which, like most, is being challenged to do more with less.”