Drawing visitors to Las Vegas, Nevada, the "Entertainment Capital of the World," is the mandate of the Las Vegas Convention and Visitors Authority (LVCVA). The organization is best-known for its high-profile advertising campaigns, but the authority does much more behind the scenes. It contracts and manages events at the 3.2 million square-foot Las Vegas Convention Center, and its various websites book more than 148,000 hotel and motel rooms across southern Nevada. The LVCVA has made Las Vegas the number one trade show destination in the U.S., creating 46,000 local jobs and pumping $4.5 billion into the economy. With so much riding on its efforts, the organization left nothing to chance, and chose WatchGuard Technologies to secure its network.
For perimeter protection and web content filtering, the LVCVA had been using SteelGate firewalls and Barracuda web filtering devices. They had redundant pairs, but the setup lacked automated failover capability and was a challenge to manage. A failure or connection loss required physically swapping cables to restore web access. As Systems Administrator Milan Marovich explains, reliable web access is the backbone of the authority's business: "Our research department gets stats and information from thirty-some domains and websites that we maintain. And in addition to our offices at the convention center, we have four others around Las Vegas, plus offices in Chicago and Washington, D.C. They all go through our network and firewall. If we go down, it's all 430 of our employees. Everything grinds to a halt."
LVCVA was a longtime BorderWare customer. After the acquisition of BorderWare by WatchGuard Technologies, looking at WatchGuard was a natural. Still, recalls Marovich, "We looked at several solutions. We liked WatchGuard's all-in-one approach, with the firewall and web filtering in the same device."
Marovich and the IT team went with two WatchGuard XTM units with WebBlocker service. At the same time, they upgraded their BorderWare MXtreme email firewalls, replacing them with two WatchGuard XCS 570 units. Both pairs run in active/passive mode for high availability, and offer the fully automated failover capability that LVCVA needed.
With the firewall and web filtering rules in the same interface, Marovich found the setup far easier to manage, and the all-WatchGuard solution also delivered significant cost savings.
"Web filtering is very important to us," declares Marovich. "Obviously if somebody gets a virus, it can cripple a network and expose us to having information stolen. But another concern is keeping users off sites where they shouldn't be going, and protecting the convention authority from a potentially embarrassing situation. We're a government entity, so everything is public record. If someone wanted to, they could get a court order and request information about the sites people are going to, and we would have to provide it. The WatchGuard device not only protects us, it also has the reporting so we can deliver that information."
The WatchGuard WebBlocker service allows Marovich to maintain different rulesets based on Active Directory group membership. "The majority of our users have access to most major sites, but we obviously block adult, weaponry, those kinds of categories," he explains. Because users in the research department maintain Twitter and Facebook pages for Las Vegas, they have separate rules that allow more liberal access to social networking sites. There are two broad types of rules: Packet filters control access by IP address, while proxy filters allow or deny based on domain names, with wildcard support so multiple servers in a domain can use a single rule. In addition, Marovich says, "We can allow the general list of shopping sites, and further fine tune through allow and block lists. You do them all in one list, and it's not like typing code. It's all graphical."
With the XCS 570 email solutions, Marovich has a system that is extremely practical to administer, with low impact on his users. "Something a lot of people don't take into account is false positives," he explains. "You can set any email firewall so tight it will block almost all of the spam but your percentage of legitimate emails that get blocked increases a lot. The authority gets around 30,000 messages a day, and we have very, very few false positives. I honestly can't remember in recent memory when the email filter was incorrectly categorizing. It's very solid."
When a message falls into a gray area, the XCS supports a user self-service system, which is important since Marovich administers the system by himself. "There are three levels of emails that come in, certainly spam, maybe spam, and not spam. The 'maybe spams' are kept on the server, and the user gets an email from the XCS unit that says you've received X amount of emails that were classified as 'maybe spam.' If they click the release button, the XCS unit delivers the mail.
"Maybe a couple times a week, a user will report that one of those 'maybe spam' messages is legitimate and requests that we tweak our rules. It puts more of the onus on the users to tell us what spam is, because some people's spam is other people's vital email. If two people get the same spam, we can set it up so it will block it for one user and deliver it to another. It's definitely a lot easier than me trying to guess what spam is, or what legitimate emails are."
"Having the firewall and web filter on one appliance is a lot easier for administration, because everything is in one location for us to access and make changes," declares Marovich. "It's a cost-saving, because we pay one price for support. And it's very stable. We haven't had any issues, or had any of the units go down since we switched over to them.
"The best compliment is when you don't hear anything from the users, because you know things are working as they should. Whatever changes we make on our end, it's transparent for them. WatchGuard has been great for us as far as ease of use and keeping our employees happy. Of course, the primary goal is to keep them safe, but keeping them happy goes hand in hand. And if they're happy, we're happy too."
Having the firewall and web filter on one appliance is a lot easier for administration, because everything is in one location for us to access and make changes. It's a cost-saving, because we pay one price for support. And it's very stable. We haven't had any issues, or had any of the units go down since we switched over to them.
Milan Marovich, Systems Administrator
Las Vegas Convention and Visitors Authority