Channel 5'S “Jailbreak” Encourages Breakouts, As Cisco Secure PIX

C u s t o m e r P r o f i l e \ defends againstbreak-ins Channel 5’s“Jailbreak”encouragesbreakouts,asCiscoSecurePIXFirewall projects onaparwiththis.” large-project experience,having actuallymanagedfast-track Solutions, partofGECapital, becauseweknewtheyhad looked atanumberoforganizations butchoseGECapitalIT flawless projectmanagementcapabilities,”saidDavis.“We us toinstallandhandletheentirepackage-someonewith an ISP.“Wewantedacompanythatwasgoingtoworkwith database servers,andWebaswellconnectivityto project includedtheinstallationof30broadcastcameras, London inthreemonthstime.TheITrequirementsofthe farm fieldabout150milesfrom construction ofa“prison”in schedule calledforthe The Jailbreakproduction management Solutions forITproject Information Technology Channel 5tapsGECapital any problems.” handled allthetrafficwithout head. “Buttheinfrastructure said KenDavis,Channel5IT Web siteandnetworkconnectionstohandlethatamount,” “We hadexpectedabout750,000hitsadayandbuiltthe about onemillionhitsaday-10inthefirstweek! totally surprisedatthepopularityofitsWebsite.Itreceived confident thattheshowwouldbesuccessful,theywere Although theChannel5producersof“Jailbreak”were play gamesande-mailbreakoutadvicetothecontestants. “prisoners” 24hoursadayandalsogaveviewerschanceto The JailbreakWebsitebroadcaststreamingvideoofthe V T M W A I N H I O O E R

E T R T N E U.K., H E D E E

Y O O P

-100,000 S L F N H F A C O “S C T W E H H D ’ U A S E

R N

I S V B N N U P I I

E C G Channel 5ITHead Ken Davis without aPIXtoprotectit.” never dreamofputtingupaWebsite without aWebsite,andwewould we wouldneverdoarealityshow “As aresultofJailbreak’ssuccess, V O A L C O

U 5 N R E R N E S

,” D S A E W

S S L W H , P R I T A O E E E Y C S R S R

I TV E I $150,000- T S A , T H L F “T E L O J Y H R A

E I

B T I T M L U

H B W P I R R T L Internetworking Expert(CCIE) certification. Expert, Ashisalsoworkingtoward theCiscoCertified Professional VoiceSpecialist,and aProfessionalSecurity Design Professional(CCDP),a CiscoCertifiedNetwork Certified NetworkProfessional(CCNP),aCisco Jailbreak Websiteinstallation.AsidefrombeingaCisco Networking Consultant,wasthetechnicalleadon Ash KahnAmeri,aGECapitalITSolutions’Principal against break-insofallvarieties. encouraged jailbreakouts,theWebsitehadtoprotect sizeable advertisingscheduleplacingpostersintube(subway) for theshowthroughoutU.K.,”saysDavis.“Werana site. “Ourprimarypurposewastogeneratealotofpublicity From thestart,securitywasanissuewithChannel5Web GE CapitalITSolutionschoosesCiscoSecurePIXFirewalls management, andrefreshment. including planning,acquisition,implementation, and ITinfrastructureswithawiderangeofsolutions GE CapitalITSolutionsspecializesinaugmentingInternet A T E E A T S E O A

J K

I A W B A O W

E I E N S

L E T H I

E K H A O B S S E N

L W

L A F D I

A T I N C

R S E E D A T S . N T ,” L S

L T T E E I A O P C D N T

E “J B E D D R So whiletheTVshow Cisco’s PIXsystem.” strength-and whywechose strong firewall-industrial That’s whywewantedquitea attacked-hacked intoordefaced. and thatweweren’tgoingtobe sure wehadexcellentsecurity lot ofattention,weneededtobe Web sitewasgoingtoattracta and inthepress.Because stations andadsontelevision M

E B A B W A U I E K L I R R T B Y O , H R “T O U E

T R L A . A A D K H R I .” T N E G K M A E E R

Y H Y O S

U E F L P

A M E E S C .” I H O S T

O P O O L W N R E F Defending against hackers “A firewall that works at an application level has to check Ash explained to the Channel 5 production team the various every packet individually. The throughput advantages are kinds of hacker attacks they must defend against-including obvious,” says Ash. “If you’re running applications like denial of service and theft of Web site. He stated that, of all RealAudio, MPEGs and movies, you should use a PIX the alternatives, he preferred the PIX firewall because it because an application funnel would not work.” works at layer three-the network layer-rather than at layer Security policy for safety’s sake seven, the application layer. Before the equipment was installed on site, Ash formulated a “When you have a firewall that works on top of an operating security policy for the 35 vendors who wanted to access the system, it’s on another vendor’s box,” says Ash. “They have Web site. lots of security holes in them, because you’re adding layer Ash states, “They wanted access to the Web site so they could upon layer of vulnerabilities. Whereas with PIX you have a redesign portions, remove old news, and add new features. dedicated box-it’s managed at the command line and a lot This, of course, caused a security hole. The more doors you more secure. For the Channel 5 solution, we felt PIX was a open, the more vulnerable the firewall. So, the first thing we better offering than the Check had to do was formulate a Point alternative they had security policy that established considered.” When you have a firewall that works exactly who would be allowed “I explained why, when it comes on top of an operating system, it’s on access. Each vendor was allowed to security, the lower the layer, another vendor’s box. They have lots one static IP address and all 35 the fewer the security holes. vendors had to use SecureShell, a of security holes in them, because That’s why an appliance UNIX encryption algorithm.” approach is superior to an you’re adding layer upon layer of A successful premier application approach. I also told vulnerabilities. . . For the Channel 5 performance! them that because I was the solution, we felt PIX was a better On the show’s opening night, technical lead, I would prefer offering than the Check Point the Jailbreak Web site was supporting the Cisco PIX-and alternative they had considered. relatively quiet until the show they agreed.” Ash Kahn Ameri ended. It then suddenly received Throughput: another Cisco GE Capital IT Solutions in excess of one million hits. The Principal Networking Consultant strength pattern repeated itself A key issue was the throughput weekly-after the show, people of the Cisco Secure PIX would “tune in” over the Web Firewall-its ability to handle well over one million hits a day. and actually extend the show by watching streaming video on their computer. Hits would also increase when station “We had a 100 megabits per second coming from the Internet breaks advertised the show and the Web site. People also into the hosting site,” says Ash. “The PIX we used had a total looked at the site on weekday mornings at work where they capacity of 360 megabits per second, so at no point were we tended to have DSL connections. (In the U.K., most going to exceed the throughput of the PIX-we knew the PIX residential customers have dialup connections.) could handle the traffic.” According to Ash, the PIX managed the traffic flawlessly: Accounting for the PIX’s high performance is a patented “We’d see a tremendous numbers of hits all of a sudden and Cisco technology called Cut-Through Proxy that enables the it was a credit to the PIX because it handled it admirably. It PIX to examine only the first packet in a stream of data never failed once.” packets. The PIX identifies and authenticates the packet based on that first packet, then identifies the first packet of the next stream. This efficiency gives the PIX firewall excellent performance. And the winner is… Ken Davis, again: “As a result of Jailbreak’s success, we The first contestants to break out of jail were three women, would never do a reality show without a Web site, and we working together. would never dream of putting up a Web site without a PIX to protect it.” Says Ken Davis, “They were quite clever: They used some of the men’s ideas but managed to be the first mainly because To see the Cisco Secure PIX in action at the Channel 5 web they were the best at interpreting clues. The men made a site, please visit: www.channel5.co.uk/ From there you can number of mistakes and were caught. But the PIX was find the link to the Jailbreak site at www.jailbreaktv.com/ invincible-no security breaches there.” To learn more about GE Capital IT Solutions, please visit: Channel 5 was so impressed with the PIX that, with the US: www.gecitsolutions.com/ Jailbreak show now over, it is using the PIX to protect the Europe: www.gecits-eu.com/ Channel 5 corporate Web site and to support the Web site for UK: www.gecits.co.uk/ its latest reality hit, “The Mole.” The Web site has been so To learn more about the Cisco Secure PIX Firewalls and popular, that a recent survey of UK households found that other Cisco Systems Security products, please visit: the Channel 5 Web site is the most popular TV Web site in www.cisco.com/go/security/ the UK, and also the top Web site in terms of minutes spent per page. Even with these impressive traffic statistics, the PIX is up to the job!

Corporate Headquarters European Headquarters Americas Headquarters Asia Pacific Headquarters Cisco Systems, Inc. Cisco Systems Europe Cisco Systems, Inc. Cisco Systems Australia, Pty., Ltd 170 West Tasman Drive 11, Rue Camille Desmoulins 170 West Tasman Drive Level 17, 99 Walker Street San Jose, CA 95134-1706 92782 Issy Les Moulineaux San Jose, CA 95134-1706 North Sydney USA Cedex 9 USA NSW 2059 Australia www.cisco.com France www.cisco.com www.cisco.com Tel: 408 526-4000 www.cisco.com Tel: 408 526-7660 Tel: +61 2 8448 7100 800 553-NETS (6387) Tel: 33 1 58 04 60 00 Fax: 408 527-0883 Fax: +61 2 9957 4350 Fax: 408 526-4100 Fax: 33 1 58 04 61 00

Cisco Systems has more than 190 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices. Argentina • Australia • Austria • Belgium • Brazil • Canada • Chile • China • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE Finland • France • Germany • Greece • Hong Kong • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Singapore Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela

Copyright © 2001, Cisco Systems, Inc. All rights reserved. Printed in the USA. PIX is a trademark; and Cisco, Cisco IOS, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0007R) DA/0301