Background

The Hotel has 300 rooms, many of which have been fitted with a standard Ethernet port. Each of these ports is permanently connected to a network switch. Hotel staff can enable or disable these ports on request.

The hotel has a 1Mb leased line Internet connection that it makes available to the guests. The hotel also has 20 computers of its own that comprise the hotel's administrative network.

The hotel has a business centre and function rooms that are regularly used for conferences. It has become increasingly important over the past few years that these areas be Internet connected.

Security and Stability Concerns

A number of incidents occurred over the past year, which has given rise to concern. It became apparent that linking these three areas (administrative network, guest rooms and business centre) together, there was a very serious risk of worms and viruses spreading unchecked across the entire network.

Recent experience has shown that guests regularly arrive with laptops already infected with viruses and worms that rapidly spread across the rest of the network. This has caused havoc with the hotels administrative systems and has lead to a serious loss of time and money.

In addition to the virus threat, it's been recognised that IT literate guests at the hotel could either deliberately or inadvertently gain access to machines on the administrative network. This could potentially lead to tampering with or the interception of private information about other guests.

Liability Concerns

After a recent worm breakout on the hotel network, several guests’ computers were infected by worms while connected to the hotel network. One regular guest lost a great deal of valuable data and threatened to sue the hotel. Although the hotel's terms and conditions disclaim liability for this, concern that they may be deemed to be liable persuaded the hotel management to compensate the guest.

The search for a solution

It was becoming increasingly evident that this problem was getting worse over time. It was decided that something had to be done.

A number of options involving firewalls from the major vendors were investigated. Unfortunately none of the solutions on offer seemed designed to tackle internal network security. They were all designed with the assumption that threats came from the outside world (i.e. the Internet), rather than from machines already inside the network.

Some solutions that initially looked promising had the disadvantage that they required that the hotel to install an additional leased line. This option was prohibitively expensive.

Ideally the hotel was looking for a solution that would allow them to segment the network, while still allowing the leased line to be shared between these segments.

The Solution

Finally a solution was discovered that surpassed all expectations. A FireRack firewall and network management system was chosen. The important properties of FireRack that lead to this decision were as follows:

• Support For Network Segmentation

  FireRack was specifically designed to police networks that are divided into many segments. Securely sharing the leased line between these segments was not a problem.

• Integrated Switch Management

  The FireRack Management Server fully supported the existing switch infrastructure of the hotel. Because this system is vendor agnostic the hotel is free to purchase additional switches from any of the five major switch vendors. Please see the switch management page for more information on this feature.

• Built-in Worm Detection and Intrusion Detection System

  The FireRack firewall has built-in worm detection and intrusion detection. In addition to detection, it is also capable of quarantining these machines at the switch. Guests machines infected with worms are rapidly detected and are automatically removed from the network within seconds.

• Easy of management

  The entire FireRack system can be controlled from and easy to use web-based control panel. Switch ports can be enabled or disabled with a simple click of the mouse.

• Integration with existing systems

  The FireRack system has been designed to interoperate with external databases and applications (XML-RPC). The integrator that deployed the FireRack was able to link the control systems with the hotel's existing billing and administration systems.

The Future

The hotel is now considering extending their guest network using wireless access points. Because FireRack can recognise and authenticate network user by the hardware address of their wireless network card, it is no longer important to rely on switch port control alone to control network access.

More Information

For further information and enquiries, please contact the staff at Netservers