Media giant Framestore achieves above and beyond with its fail-proof firewalls
A business occasionally finds itself implementing work arounds to mitigate the risks associated with ageing technology. But for Framestore, this was no longer an option due to configuration and feature options limiting scalability around increasing use of cross network resources.
Knowing the business needed to adapt, Framestore engaged Nomios to advise on the most effective firewalls to enable infrastructure-as-code, which would not only protect the business, but enable a positive impact to performance, achieve 1-click deployment and use a single source of truth.
Framestore is home to 3,000 talented artists, producers, engineers and visionaries working across six locations in film, advertising, television and immersive. Known globally for its visual effects, the company has a proud history of creating extraordinary images and scenes for some of Hollywood’s biggest pictures, as well as bringing magic to the small screens that surround us every day.
Framestore has always focused on how to use technology to create outstanding imagery. But in order for the latest innovations to be able to breathe life into the content, the IT infrastructure supporting everything behind the scenes is constantly evolving. In particular, running up against the limits of the existing firewalls was slowing development around key technology and business drivers. With maintenance contracts coming to an end, Framestore was eager and enthusiastic about making changes.
Framestore zones its content within multiple networks, locking it off so it can’t go anywhere it shouldn’t. Throughout the day thousands of rendering tasks are queued for computation – when multiplied for each frame, some tasks can require days of computation. Scheduling and dispatching of rendering tasks are handled centrally by teams and software which monitor and prioritise based on client deadlines. To reach the scheduling system, render nodes cross the firewall, but if the connection is severed, the system may have to start the job again, losing all progress.
“We’ve always had issues with failovers not being seamless – and the firewalls were failing whenever they felt like it. I’d be on the phone to support day and night in search of the root cause, and even on the occasions I managed to get an answer, the vendor couldn’t say with any certainty whether or not the issue would be resolved in the next release. It was so disruptive to the business. Because the firewalls were falling over with such regularity, production teams were forced to build leeway into estimations and we had to find workarounds to try and mitigate the impact,” said Tristan Crichton, Head of Networks at Framestore.
“Most people at Framestore know what a firewall is – but they really shouldn’t. Since our previous provider put the product in place, we’ve had multiple years struggling to maintain underperforming firewalls. Our business deserves better. We decided to approach the refresh in the right way, engaging a specialist to help us specify exactly what we needed and recommend the right product,” said Tristan.
Framestore recognised an opportunity to improve efficiency and availability which could ultimately equate to thousands of hours of rendering time. Furthermore, Framestore places a high value on its reputation for delivery and the firewalls were becoming a risk that could affect deadlines.
The DevOps mindset
While Framestore had an obvious requirement to refresh its firewalls globally, it also saw the opportunity to improve the overall service delivered to the other business functions.
In recent years, the DevOps mindset within engineering has become a big trend. Applying it to traditional networking, Framestore saw the potential to empower its users to self-serve by proposing changes to the central source of truth for review.
The outcome - Making the right choice
As with most technologies, entering into the world of firewalls is like stepping into a jungle fraught with danger. Acting as the attentive guide, helped Framestore navigate the vendor landscape to select and test the technology that was right for their environment and fit for purpose.
"The conversation with is always so easy – there are no flashy slides, no pushy selling, just a collaboration to help us achieve what our business needs. We have a very open relationship where they advise us on how we can get the most out of the vendors in terms of the best product, best price and best service. It’s never felt like anything other than a partnership.” - Tristan Crichton, Head of Networks
“We knew that we wanted to go down the route of infrastructure-ascode because it would enable us to represent the intended state of the firewalls in YAML files. This allows us to use version control tools we were familiar with and have a central source of truth. helped us to immediately discount a lot of vendors whose interfaces would have forced us to interact with the boxes in a specific way,” said Adam Kirchberger, Network Engineer.
Eventually narrowing down to a couple of options, Framestore decided that it didn’t need to pay for unnecessary functionality so opted for Juniper Networks. After taking the Framestore team to Juniper Network’s laboratory in Amsterdam, facilitated a two-month proof-of-concept that would allow the team to handle the technology, rigorously test its performance and establish the business case.
After putting the new firewalls in place, Framestore, who were already a very technically capable organisation, set out to automate the way it delivered certain services to its users.
Previously, every change was handled manually, which was a cumbersome process that risked something being missed when the same change was needed in three or four different places. The team would receive tickets and users would have to trust that their request was clear enough to attain the desired result. It was neither transparent nor efficient.
"Beforehand we were two people finding it a challenge looking after 3,000 users. But now, with automation in place, we could easily scale to 10,000,” added Tristan. “In the first four months after deploying Juniper, we received 500 change requests. By enabling visibility, people take more responsibility – they actively want to get rid of the rubbish. What we’ve achieved is beyond anything I thought we could do,” said Adam.”
When a business depends on its network to deliver mission-critical transactions, applications and services, Juniper Networks is a great choice. Constantly focused on understanding the customers’ needs, rather than forcing users to view data in a certain way, it has the capabilities to dig in and solve the hardest problems they face - problems that other technologies can’t, or simply won’t, approach.
Business outcomes for Framestore
- Nothing has happened
- “Since putting Juniper in place we’ve had no issues. We even tested the fail over in New York while rendering just to be sure and no one said anything because there was no downtime.”
- Click to deploy
- “In 30-minutes we created a firewall with 1,000 VPN tunnels to enable a remote workforce. It was literally a case of copy and paste and then one button to deploy the new environment.”
- Honest, open advice
- “The relationship with Nomios is pretty relaxed. They’re honest about the technologies and where the weaknesses lie, which is probably why we’ve been open to trying more options.”
- Posivitely impacting performance
- “We were so focused on the automation and reliability that we didn’t shout about the improved performance. But people are praising how fast the throughput is, and how they can finally do things they couldn’t before.”
- Backup and resiliency
- “Our single source of truth lies in a Gitlab repository, which means we don’t need two of everything. If one of our boxes died tomorrow, it doesn’t matter, we’d just spin up a new one.”
- A perfect partnership
- “Nomios is confident about working to our level of technical capability. And if they don’t know the answer, there’s no fluff, they actively go and find the answers we seek.”
Framestore is an interesting client because they’re so technically capable. They have a clear idea of their requirements and we know how to match that with the right technology. They’re so thorough and brutally honest, which makes for a better outcome because there’s no egos at play, it’s all about delivering the best technology to enable the business to achieve great things.
Also, because they’re so technically aware, like us, they’re excited to see the technology. They want to get their hands dirty and see it working for real, rather than presented in a shiny demo, which means we’re constantly learning from them about how the technology would really be used day-to-day.
Latest news and blog posts
Cyber readiness & XDR: Progress, challenges & opportunities
Trellix pays particularly close attention to how EDR and XDR are being implemented across the public and private sectors.
WAF F5 Networks
WAF technology needs to adapt now that apps are increasingly distributed
As workload deployments expand across diverse environments and app architectures, organisations want to be able to enforce consistent security controls across all applications, anywhere.
Frank Kyei-Manu from F5
ZTNA 1.0 vs ZTNA 2.0
ZTNA 2.0 provides a new era of secure access. It solves trust problems by removing implicit trust to help ensure organisations are properly secured.