Complex IT landscape and special requirements at Munich Airport require a comprehensive Internet security system
The “Franz Josef Strauß” Munich Airport is currently the second largest air transport hub in Germany and processes around 39 million passengers a year. With around 30,000 employees, Munich Airport is one of the largest employers in the region and, in addition to organizing and processing passenger and freight transport in cooperation with external service providers, has numerous tasks which require IT resources and the Internet. It goes without saying that operations at an airport carry particular security demands as well as availability requirements. This especially includes use of the Internet. An increasing number of employees require access not only to internal IT systems, but also secure, highly available and performant access to the Internet. The threat of Trojans, viruses or malware and the associated risk of targeted cyber attacks and data corruption is considerable. The solution for this security challenge was initiated at the start of 2012 and implemented with the security expert McAfee.
Uncontrolled Internet access carries high risks
Munich Airport was faced with the important and challenging task of providing an increasing number of internal and external staff with secure, high-performance and highly available Internet access. On the one hand, access is required for the retrieval of everyday information as well as for hosted services, for example tracing baggage, external tendering platforms or the administration of external IT service portals. Added to this, it has become increasingly important to integrate social media systems into communication and image building processes.
Previously, Munich Airport has not had any security incidents thanks to stringent security guidelines and blocking of dangerous services or downloads. This was very difficult to reconcile with the new requirements, however. It was out of the question simply to relax the security guidelines, as the threat of malicious programs or increasingly widespread intelligent malware was too high. The aim was to install a security system that enables secure handling of client certificates, the reliable blocking of executable files as well as, in future, selective access control to social networks, where possible with centralized administration. In addition, measures were to be put in place to increase overall performance levels without incurring additional costs and to enable additional instances to be installed in a virtualized environment without additional license fees. Using the virtualized environment and flexible license model from McAfee, the airport can handle peak demands without having to install new appliances.
In May/June 2012, McAfee was able successfully to demonstrate its security strategy and corresponding Web Gateway solution in a test environment as part of a PoC (Proof of Concept) against its competitors. McAfee had already worked together with the IT personnel at Munich Airport in 2011 to plan and implement the mobile security solution, gaining valuable insight into the specific requirements posed by the airport from the point of view of a security expert.
Installation of the McAfee Web Gateway components was no small thing. While the solution can be integrated seamlessly into existing environments, the complex structure of Munich Airport and the individual requirements of different customers with dedicated security guidelines required a very precise analysis of possible weak points and potential threats. McAfee Web Gateway was installed and tested in July 2012, with production commencing in October.
Simple, central administration
Automatic malware protection by the McAfee anti-malware engine and the real-time global reputation service (McAfee GTI) are the central features of the solution. Zero-day threats, spyware and targeted attacks are stopped without signature before they can even enter the network. The procedures are based on a multilayered security approach; a combination of local and cloud-based protection. Sophisticated monitoring stops the threat: if, for example, an infected inline frame is found, it is blocked while access to the remaining web site continues to be allowed. The security solution does not permit executable code to be downloaded from the Internet at all.
“The central interface of the McAfee security solution helps us efficiently to manage both our own requirements and those of our customers and to recognize potential threats extremely quickly.”Stephan Lösl
Senior Product Manager IT security environment, Flughafen München GmbH
Monitoring of the McAfee Web Gateway involves a reasonable level of expenditure. Almost 1000 web applications and close monitoring of functions within these applications can be administered centrally. Thanks to the integration of numerous protective functions, for example web filtering and malware protection, SSL scans and content monitoring, McAfee Web Gateway can be administered easily and centrally using a single GUI. With the help of the flexible guidelines module, collective guidelines were used for all protection types, saving both time and money. The administration console enables the required applications to be administered quickly and effectively, ranging from social media tools and streaming media, through to data release and anonymization applications.
An additional challenge was presented by the integration of secure connections using SSL client certificates. It is McAfee's approach of storing these certificates centrally on the Web Gateway, which enables these connections to be checked for potentially harmful content, “meaning that we can use this technology in good faith and can allow our users to have access to these Internet applications”, reports Stephan Lösl, Senior Product Manager for the IT security environment at Munich Airport. “McAfee Web Gateway provides secure and high-performance Internet access, while allowing us to use the Internet efficiently with a view to compliance requirements - including multimedia and social media content.”
Professional services and technical support included
With the support of the McAfee Professional Service department and its consultants, Munich Airport was able to implement and roll out its web proxy solution within a relatively short period of time. Munich Airport was given a clear indication of the amount of planning required, and needed only 30 man days along with an additional 12 man days for McAfee.
“McAfee Platinum Support reflects the support and reaction times that are important to Munich Airport and, with the help of a dedicated support account manager in Munich, we are able to keep the communication lines as short as possible. Direct access to product management and development at McAfee are very closely linked, enabling bespoke modifications”, comments Stephan Lösl.
The bottom line
The security requirements of Munich Airport and its customers are considerable and varied. McAfee Web Gateway means not only that current demands can be met more or less in their entirety, but also that the requirements for secure implementation of future Internet applications are satisfied. “During implementation, but also during everyday operations, it has been evident that we have chosen the correct product with McAfee Web Gateway”, concludes Stephan Lösl.