To keep up with its expansion, Denver-based Frontier Airlines sought to centralize its firewall needs, reports Greg Masters.
About four and a half years ago, when Frontier Airlines decided to do a server room re-design, IT security manager Steve Greenberg decided that the time was right for a re-design of the company's network, as well.
The airline, operating out of Denver International Airport with 62 aircraft and close to 6,000 employees, had been using two different firewall products in its general offices – a Cisco PIX firewall and a Microsoft ISA firewall – but wanted to consolidate the functions onto one robust product that could improve network connectivity. As the airline was experiencing rapid expansion – at that time adding several new cities to its flight routes – the firewall product also needed to be flexible enough to grow along with the company.
“We had a lot of in-house experience with the Microsoft product, not so much with the Cisco stuff,” says Greenberg. “So, we wanted to consolidate onto one product and be consistent throughout the environment. We wanted to make a little more robust product, something that would grow with us.”
After testing the Secure Firewall, formerly Sidewinder, Greenberg chose it for the implementation – despite the fact that network consultants he contracted suggested a different option. He liked the way the product stopped cross-site scripting, SQL injection attacks and directory traversals; inspected encrypted protocols; stopped botnets and zombies; and filtered traffic based on country codes.
“The product from Secure felt better. I liked it better,” he says.
And no wonder. The product comes with a pedigree. Scott Montgomery, vice president of product management of Secure Computing Corp., says the tool was originally developed for the National Security Agency (NSA) with a high degree of security in mind.
“The NSA needed to keep classified information on one side of a controlled interface, and unclassified material on the other side of a controlled interface. The resulting product became the Secure Firewall,” says Montgomery.
The appliance is used in the most sensitive, high assurance networks in the world, he adds. But, he concedes that during the product's early years, there were issues with how complex it was.
“It's one thing to make a secure product. It's entirely another thing for it to be used by the mass market without an inordinate amount of training and professional services,” he says.
The company was able to achieve its goal with the most recent release, in April 2007, called Sidewinder 7.0, now called Secure Firewall 7.0.
“That release is where we focused several years of ergonomics and usability work in creating an interface that anybody – network or security folks – could use,” says Montgomery.
Frontier Airlines' Greenberg says his airline currently has 18 Secure Firewalls in production or test, and uses them for the usual corporate firewall functions. All the B2B VPNs run through the firewall now.
The result: the company is realizing serious cost savings.
“It would have been cost-prohibitive to connect our station in Costa Rica via a permanent MPLS line, so we use a Secure Firewall to connect that station via a B2B VPN,” says Greenberg.
Also, the tool allows the company to separate its internal network from the airport's network – for example, to allow display screens at the gates to work. And, the implementation of the Secure Firewall devices throughout the company went fine, says Greenberg.
“We went to their training. We had some help from Secure. They came out and helped set up our test network. It was not a problem. The only challenge was gathering and transferring rules from the extant servers over to the Secure Firewalls,” says Greenberg.
And there has been an evolution in the training process, as well.
“You go back to the mid-90s, every installation had to be done by our own professional services cadre,” says Secure's Montgomery. “It was a logistical nightmare, as well as costly to the customer. We developed a number of tools for installation and migration, a number of wizards. We also put the first levels of training online, so that once you had purchased a Secure Firewall and a support agreement, you had access to several administrative classes that would offer background training for any advanced training that we would do either onsite or at a Secure training facility or at a channel partner.”
Whereas the company once sought to perform all training by its own staff, things now just move too fast for that strategy, says Montgomery.
“We now enable our channel partners to be part of the solution and offer training on their own price book. We certify them to perform the same training that we would. We have a lot more feet on the street. Our new mantra is: Get the customer trained up. We assist with their first firewall, but then equip them during that first installation, or migration, to do the rest on their own.”
Greenberg says that everything is up and running at Frontier Airlines. And he adds that while one or two changes on average come through per week on the main corporate firewall, the firewall is working well.
“We're very pleased. We've gone from two different firewall brands and a VPN to one product that gives us a strong firewall and application defenses. It's working well for us,” he says.
Montgomery adds that Frontier is a good example of the kind of business that Secure Computing typically supplies.
“We're not a ubiquitous brand, like Cisco, but when people have a high assurance network, those are the places where Secure Firewall is deployed. With the amount of information on the web in the airline industry, Frontier fit that category. There's an intense amount of dollars and cents going through frontierairlines.com, so it's a great fit.”