Skip Navigation LinksHome > Case Studies > Case Study [Network Firewall Upgrade]

Case Study

Network Firewall Upgrade

Jan 2013

CalPERS Future-Proofs Towards Mobility with Cutting-Edge Cisco Firewall

CheckPoint, an industry security standard for 10 years, had not kept up with CalPERS advancing technologies creating widespread interoperability problems with file and system interfacing. CalPERS adopted a complete “rip and replace” approach, implementing a complete Cisco firewall solution that resolved critical requirements as well as providing a more efficient infrastructure for future planned IT enhancements.


Print a PDF version.


The California Public Employees’ Retirement System (CalPERS) is an agency in the California executive branch that manages pension and health benefits for more than 1.6 million California public employees, retirees, and their families. The agency’s IT infrastructure supports 2500 users in 3 different locations, including an Emergency Operations Center, in addition to mobile users.

Solution Overview

BUSINESS SITUATION: CheckPoint, an industry security standard for 10 years, had not kept up with CalPERS advancing technologies, creating widespread interoperability problems in file and system interfacing. Updates would leave current & future critical needs unresolved.
SOLUTION: CalPERS adopted a complete “rip and replace” approach, implementing a complete Cisco firewall solution that resolved critical gaps as well as providing a more efficient infrastructure for future planned IT enhancements.
BENEFITS: The Cisco solution improved network performance more than twofold in each modified environment, provided real-time visibility, and allowed for significant cost reductions for future integrations.
  • CheckPoint conversion
  • Cisco ASA 5500 Series Adaptive Security Appliances (5520, 5580, 5585)
  • Email Gateway - Cisco IronPort
  • Mobility Support


CalPERS’ security solution, CheckPoint, an industry standard for 10 years, had not kept up with the constant change and upgrades of both the internal and external network systems. This created widespread interoperability problems with file and system interfacing. There was a lot of manual effort required to make changes, keep up with the new security requirements, and monitor the aging technology.

Saturated internet circuits delayed email deliveries and receipts and slowed instant messaging communications. This resulted in severe negative impacts, especially for funds management which requires real-time communications. Future IT enhancements based on business requirements were hampered by the limited capabilities of the existing system and promised high administrative costs in the implementations and ongoing management.

Upgrades of the aging firewall technology could manage 98% of the issues but would leave a critical 2% unresolved.

Additionally, nearly 50 business units would be affected by any upgrades or conversions so any direction would need to be coordinated through careful planning and cooperation with each business unit as well as the Change Control Board (CCB). Especially critical was the Pension Systems Resumption (PSR) customer online management system, or “My CalPERS”.


CalPERS IT engineering was well versed in Cisco technologies and Lead Architect Sonny Ali had already managed a successful CheckPoint-to-Cisco conversion at a previous organization. With Cisco’s assurance that the technology would resolve the critical 2%, the decision came down to specific hardware choices.

Two questions were key:

  • What hardware was needed to solve today’s problems?
  • How do you right-size that appliance or that hardware for the next five years?

Required throughput based on bandwidth utilization that occurs within the LAN was a primary determining factor. ENS-Inc consulting team members, Ben Parriott and Cisco Sales Engineer Scott Herman, were instrumental in recommending the Cisco ASA 5500 Series Adaptive Security Appliances, specifically 5580 and 5585, and, in some instances, the 5520.

Discovery data assessed against the solution design revealed the need for a complete rip-and-replace.

“We had all these wires going south, and they should have gone north.” stated Ali. “To enhance and improve, this was not just a configuration but an actual physical implementation.”

With nearly 50 business units over 3 different locations affected, critical timelines were developed and adhered to. With PSR already at a critical point, outage windows were very tight. ENS-Inc consultants worked closely with the CalPERS engineering team throughout the careful communication and coordination process with the various business units, management teams, and the CCB. Each step had to be approached in a specific order to ensure a successful outcome at completion.

Fourteen physical appliances were deployed with multiple contexts (virtual firewall within the physical appliance) during six separate overnight conversions, sometimes completing two a night. The existing older technology had different coding. Rule sets were moved over to the Cisco appliances.

Testing after every maintenance window showed major improvements without exception. The internet circuit, previously 100 mg, was increased to 200 mg on a gig interface. Network performance was improved more than twofold in every unit going from 100 mg to 1 gig, and, in some environments, to 10 gigs.

Each step, assessment, design, and implementation was thoroughly documented both for current engineering and administrative teams as well as to facilitate training of new people in the future. ENS-Inc consultants developed the documentation and then worked closely with Technical Lead Linda McClendon, Sonny Ali, and other key team members, to implement “Train the Trainer” sessions.


This project was not just a one-to-one replacement with everything running as before. Instead, network performance improved more than twofold in every single environment modified.

CalPERS went outside the scope of the original end goal to meet best practices and to future proof their IT towards mobility. As a result, benefits towards that end include:

Foundation laid for future business requirements

  • The Cisco firewall understands the protocol of Cisco OfficeExtend, empowering its future Implementation
  • Cisco Network Access Control (NAC), on the security road map for the next fiscal year, will have the capability to turn on for remote users

Significant cost and time savings for integration of future projects

  • VoIP, Mobile Access

Ease of administration and management

  • Ability to add new rules at the push of a button vs. a complex process for each rule.

Enhanced security with real-time visibility and alert notifications

“This was a slam dunk,” said Sonny Ali about meeting their business objectives. “At the end of the day, everything was stood up, done, no major outages. How was that not a win-win!”

< return to top of page >



Government Procurement Options logos