The Background
SHG (TUI UK) encompasses 200 tourism brands around
the world and now includes over 3,600 travel agencies,
103 aircraft, 37 incoming agencies and 290 hotels with
over 157,000 beds in 30 countries. Around 12,000
business travel professionals in over 70 countries also
look after the Group’s business customers.
SHG (TUI UK) provides its customers with holidays from
a single source – from booking in a travel agency to
flights and accommodation in the Group’s own hotels
and customer-care provided by the Group’s own tour
guides. This vertical integration strategy covers the
whole value chain in the source markets (sales markets)
and the destinations (holiday areas) and provides its
customers with high standards of quality from start to
finish.
The Challenge
Following a review at SHG (TUI UK) the requirements
were identified as being:
- The provision of a highly available, resilient and
secure remote access facility for home and distant
users in the UK (mainly in the Kingston area).
- The provision of point-to-point VPN connections to
the French, Italian and Austrian offices.
The previous solution was a single point of failure and
relied on local database authentication on the
terminating VPN device.
Also, some of the remote offices were using traditional
leased lines and even ISDN; this provided an
opportunity for large cost savings by using DSL-based
technology combined with VPN security.
The deployment of a highly available remote access
service would present SHG (TUI UK) with the
opportunity to convert many of its office based workers
to home workers; the objective was to save on office
space and costs.
As part of this project another requirement was to secure the LAN network from the internet
using dual redundant firewalls. Not only would this provide a level of hardware based
redundancy but also network availability should one of the firewalls fail.
From a management perspective, the VPN deployment and perimeter security (PIX firewalls)
would be handled by the SHG (TUI UK) IT team; therefore, a network management solution
was also required to enable the existing IT staff to understand and maintain the
new network.
The Solution
The final design was based around two 2MB Internet feeds, each having a VPN3030
terminated on the end for remote access and LAN-to-LAN VPNs. This would enable load
sharing amongst the two VPN servers for more efficient use of bandwidth. Dual PIX firewalls
were also deployed for highly available access to internet services.
SHDSL (Symmetrical High-Bit Digital Subscriber Link) technology was installed to provide
dual Internet links into the HQ. SHDSL utilizes a normal telephone line to connect to the
service provider exchange and so can be provided at a fraction of the cost of traditional
leased lines. The SHDSL links were used as the primary and secondary links for all VPN
connections; this meant that all incoming and outgoing VPN traffic used a collective
bandwidth of 4MB. Using the two SHDSL links enabled the VPN solution to be highly
available; the configuration of the two VPN3030s was centered around each one providing
backup services to the remote offices and users in the event of the primary link failing.
The Benefits
Listed below are the features and benefits of using the VPN3030, which enabled this solution
to meet the requirements of the SHG (TUI UK) group:
- The VPN concentrator series has an in-built personal stateful firewall that is assigned
to all connected VPN clients; this is part of the concentrator's central policy push
system that enabled the central site administrator to control the remote client’s
configuration. In the SHG (TUI UK) scenario, all remote home workers/users were
assigned the personal stateful firewall upon connection to the concentrator; this
provided a level of protection for the VPN client from Internet based attacks and also
protection to the corporate network.
- The group/user configuration of the concentrator allowed the administrator to
configure groups of users with common work interest so that filtering policies could
be applied to that group. Filtering was also performed at the user level for finer
access control.
- The VPN3030 has three physical interfaces: an internal, a public and an external interface.
This was crucial with regard to the SHG (TUI UK) requirement to integrate their MPLS
network into this solution. The third concentrator interface was used to terminate
the MPLS based network.
- One of the problems that occurred frequently with the old VPN solution was that
client sessions would randomly terminate, forcing the client to reconnect.
Using the Cisco VPN software, which uses IKE keepalives, eradicated this problem.
SHG (TUI UK) noticed this immediately from client feedback.
- Bandwidth policies for relevant groups were set to control bandwidth usage. This
enabled SHG (TUI UK) to guarantee a certain amount of bandwidth to VPN users.
- The VPN Concentrator is capable of authenticating users with a number of different
mechanisms, including Active Directory and RSA. AD was an immediate requirement for
SHG (TUI UK), with a view to moving onto RSA authentication in the future.
- The intuitive GUI management interfaces of both the PIX firewalls and VPN3030s
allowed the SHG (TUI UK) IT staff to quickly and effectively manage the new solution
soon after the deployment was complete.
- With the new highly available PIX firewalls SHG (TUI UK) began migrating Internet
based services such as email, HTTP and HTTPS over to the PIX DMZs.
Customer Comment
"On more than one occasion Cisilion have gone beyond the call of duty and acted as a true
partner should (but rarely do). The solutions Cisilion have recommended/implemented have
been a complete success across the board in terms of financial savings, technical excellence
and ongoing management. We look forward to working with Cisilion for a long time to
come."
Fintan Galvin, Group Technical Services Manager, SHG (TUI UK).