About Us

Citrus Consulting Services is the Consulting and the Transformation Services arm of Redington Gulf.

Palo Alto in Transit VPC Protecting Dev and Prod Resources on AWS Infrastructure

Customer Introduction

Citrus Consulting FZ LLC was engaged by one of the leading banks of Africa to design and implement Palo Alto Networks Next-Generation Firewalls for both their Production and Dev sites, following industry best practices, to help them effectively monitor and secure the extremely sensitive IT resources placed in their new AWS environment.

Along with project delivery, Citrus Consulting FZ LLC has also been the bank's first and only choice since June 2018 for Managed Support Services to monitor, administer and manage their entire AWS environment, of which managing the Palo Alto firewall is a major part.

Citrus Consulting Services implemented Palo Alto firewalls in a Transit VPC protecting Dev and Prod resources on AWS infrastructure for a leading bank in Africa.

Challenge Overview

  • The customer wished to deploy sensitive core banking resources and applications on the AWS Cloud.
  • Secure deployment and management of core banking solutions and other sensitive banking solutions in their Dev and Prod environments.
  • Ensure that only the traffic flows required by business requirements are allowed and all others are blocked.
  • The foremost requirement was the security of data at rest and in transit.
  • Ensure traffic and all event logs are pushed to the SIEM in a timely manner for monitoring and threat prevention purposes.
  • Ensure resources are always available to authorized users securely and remotely.
  • All traffic between the VPCs and On-Prem, in both directions, must flow only through Palo Alto; Palo Alto must inspect the traffic and forward only legitimate traffic to On-Prem (and back) through secure, encrypted site-to-site VPNs.
  • Gap analysis for the development phase.
  • Policy building, management and enabling advanced security services through the Palo Alto next-generation firewall.
  • Ensure optimum security measures are taken and dynamic threat updates are kept up to date.
  • Internal IP addresses behind Palo Alto must be masked (NAT) for resources talking to the internet.
  • Enable secure, encrypted traffic flow between On-Prem and AWS.
  • Secure the infrastructure from sophisticated DDoS attacks and TCP/UDP host scanning.
  • Provide the customer with the highest level of customer service and support, 24×7.

Solution Overview

  • Configuration of Palo Alto Networks VM-Series VM-300 Next-Generation Firewall (NGFW) virtual appliances in a Transit VPC design, carrying traffic to both the Dev and Production VPCs.
  • Implementation of security policies based on the zero trust concept, allowing only traffic from specific sources to specific destinations as per business need.
  • Ensuring resources in private subnets are not exposed to the world, and that malicious traffic attempting to breach security is blocked and alerted on the Palo Alto firewall itself.
  • Implementation of dynamic updates and threat updates.
  • Attaching IDS/IPS profiles to the security policies, further enhancing the security of traffic.
  • Integrating a syslog server with Palo Alto to push traffic, incident, event and threat logs, which are later parsed for monitoring on the Splunk SIEM.
  • Enabling WildFire and attaching it to internet-facing resources to inspect and mitigate the threat of zero-day attacks.
  • Ensuring only specific networks and application ports are allowed for business-related communications.
  • Configuring GlobalProtect client-based VPN to enable authorized users to securely connect to resources both On-Prem and on AWS.
  • Configuring multiple site-to-site VPNs in highly redundant mode between On-Prem, branches and the Palo Alto firewalls deployed on AWS.
  • Configuring DDoS protection policies and zone protection profiles on Palo Alto to mitigate risks from sophisticated new-generation attacks.
  • Configuring the device hostname and time synchronization with On-Prem so that security events can be correlated accurately.
  • Smooth transition to Managed Support Services upon completion of the project deployment phase, covering day-to-day 24×7 monitoring, administration, support requests and new change requests.

Benefits Delivered to Customer

  • Firewall providing secure communication between applications hosted on AWS and applications hosted On-Prem, and vice versa, using standard encryption.
  • End-to-end configuration and troubleshooting support of the cloud-hosted firewall by in-house security experts.
  • Configurations in line with industry best practices and ISO 27001 standards.
  • Review of each security policy and configuration to ensure it meets pen-test standards.
  • Inline threat prevention and IPS/IDS embedded in front of the core banking application.
  • 24/7 threat monitoring and analysis.
  • Automated and manual Endpoint Detection and Response implemented to protect the critical infrastructure.
  • Auto-updates to ensure minimal human effort is required while keeping the latest versions in place.
  • Monthly and quarterly reporting on active and passive threats.
  • Ticket raising and strict adherence to the agreed SLAs.
  • Adherence to strict timelines to ensure smooth completion of the project.
  • Achieved 100% success in alpha, beta, user-acceptance and stress test scenarios and subsequent cases.
  • Achieved 0% penetration points for the application and infrastructure.
  • Ensuring 100% business continuity for the renowned bank through 24/7 Managed Support Services by Citrus Consulting Services.