The Customer
The customer is one of the largest international airports in the Asia Pacific region. Completed in the Fall of 2019, it is projected to handle 72 million passengers by 2025 and 100 million passengers by 2040. The airport features the world’s largest single-building terminal at 700,000 m2 (7,500,000 sq. ft.), spanning 47 km2 (18 sq. mi.) of land.

The Challenge
The airport is positioned as a world-class international airport, with top-notch and cutting-edge design elements and requirements. In order to fully guarantee the network security of the new airport, the rock-solid security posture of the IT network is particularly important. The IT data center for the airport is divided into multiple service networks, all serving different functions:
• The integrated access network provides various types of access, segmented by user type and role.
• The management network provides communication support for data centers, cloud management centers, etc.
• The terminal network carries and supports various business systems.
• The security network provides support for video and other surveillance systems that cover the entire airport area.
• Wireless internet services are provided to passengers through independent wireless networks.
The data center is designed for multiple and different business network requirements. Therefore, the network architecture needs to provide comprehensive security, high reliability and high availability that is in line with strict aviation and airport regulations, as well as service-level agreements.
In addition, the overall network architecture needs to fully consider securing virtualized environments, as well as providing full visibility into the east-west traffic between virtual machines (VMs) that is typically left unmonitored and therefore, unprotected. For each service network listed above, the IT team needed clear segmentation of logical security zones and access control policies to ensure the security of each network, as well as the secure posture of the entire network. Beyond this, because of a complex and virtualized environment, a key consideration for the IT team was streamlining management across all services and virtualized deployments. Having a unified management interface was a critical requirement to ensuring their overall security posture.

The Solution
The customer selected Hillstone as their vendor of choice to address all of their requirements: high availability and reliability, full visibility and control over virtualized environments, and a centralized management platform to reduce complexity and ensure seamless protection. To address security in their virtualized workloads running on VMware, the IT team relied on the micro-segmentation capabilities of Hillstone CloudHive. Hillstone CloudHive helps the customer monitor real-time traffic and application usage, providing a full view of the terminal network. It also provides the threat and security posture and interactive relationship of the assets within their Huawei Fusion Cloud. To further protect the perimeter, multiple high-end E-Series NGFW were also deployed.
• The software-based Hillstone CloudHive instances, supporting more than 1,000 CPUs, are deployed in the core zone inside of the airport terminal network, providing visibility and protection of the East-West traffic between VMs, as well as threat monitoring of the VMs themselves.
• The E-Series NGFWs are deployed in the core zone and DMZ of the data centers, in either active/standby mode or single mode, protecting the perimeter and managing access
control. With continuous development and enhancements to its micro-segmentation technology, CloudHive delivers advanced features, including policy assistant, automatic discovery of service chains, and a policy duplication detection engine. The latter uses pre-learning of network traffic to help in policy optimization of east-west traffic. All of these advanced features help the IT Team better protect
their VMs and servers. In alignment with their architecture and requirements, the customer deployed Hillstone’s enterprise-class E-Series Next Generation Firewalls (NGFW) in all of the service networks.
From the office network to the management network, the E-Series secures the customer’s critical assets with granular application control – visibility and control over apps, users and device access – and comprehensive threat detection and prevention, including anti-virus and intrusion detection and
prevention.

“Hillstone CloudHive gives us great visibility into our network assets’ traffic, application usage, and threat situation. In addition, Hillstone’s robust firewalls provide us with full-dimension protection. Hillstone’s portfolio delivers compatibility and interconnection, which allows us to achieve centralized log data analysis and unified equipment management,”

said the airport’s IT manager.

The Conclusion
As the world’s largest single-terminal airport, the customer has a no-tolerance, high standard of security requirements for its complex, virtualized, and highly regulated network. Hillstone, with a large number of successful use cases in production environments across data centers and the civil aviation segment, best addressed the needs of the airport’s IT Team.
The robustness of the solutions and the high-availability deployment deliver high reliability and peace of mind. The flexible networking topology, configuration and micro-segmentation technology serve the unique requirements of the IT Team’s hybrid network architecture. To ease complexity and streamline operations for the admins, the configuration interface provides clear logic, allowing admins to easily
configure and change policy rules on the fly or as business dictates. The Hillstone solution’s compatibility across physical, virtual and cloud deployments meet the Team’s requirement for a centralized management and data analysis platform.
With Hillstone’s CloudHive and E-Series NGFW, the airport’s IT team is able to deliver robust security from edge to cloud, serving a diverse set of users and network assets, and above all, meeting the industry’s strictest regulations.